Simple firewall script I now use in my Slackware powered laptop

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
#!/bin/bash
#
# Iptables - Firewall Script for my Slackware laptop
#
###########
# Usage
###########
#
# Slackware systems
# Copy to /etc/rc.d/rc.firewall
# Execute 'chmod +x /etc/rc.d/rc.firewall'
# Start by executing '/etc/rc.d/rc.firewall'
#

IPTABLES="/usr/sbin/iptables"

$IPTABLES -F
$IPTABLES -X

# Block WINDOWS noise
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 137 -j DROP
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 138 -j DROP


# DROP and Log new != SYN
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "[ New TCP ! SYN: ]"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

###########################
# Log and Block port scans
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# End Log and block port scans
###############################

# Accept everything from loopback
#$IPTABLES -A INPUT -i lo -j ACCEPT
#$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# ICMP
###############

# Log all pings
$IPTABLES -A INPUT -p ICMP --icmp-type 8 -j LOG  \
  --log-prefix "[ Ping detected: ]"

# Allow good ICMP
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Drop Pings
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Allow Ping
# $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# Drop fragmented ICMP packets
$IPTABLES -A INPUT --fragment -p ICMP -j LOG \
  --log-prefix "[ ICMP Fragment: ]"
$IPTABLES -A INPUT --fragment -p ICMP -j DROP

# DROP INVALIDs
$IPTABLES -A INPUT -p ALL -m state --state INVALID -j LOG \
  --log-prefix "[ Invalid packet: ]"
$IPTABLES -A INPUT -m state -p icmp --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
# END ICMP
##############

# Services
###############

# Allow NTP
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 37 -j ACCEPT

# Allow SSH
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# Allow DHCP
# $IPTABLES -A INPUT -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT

# Allow HTTPD
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 443 -j ACCEPT

# Allow Torrents
# $IPTABLES -A INPUT -p UDP -s 0/0 --destination-port PORT1:PORT2 -j ACCEPT
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port PORT1:PORT2 -j ACCEPT

# END Services
###############


# Log everything else
$IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 3 -j LOG \
  --log-prefix "[ INPUT DROPPED ]"
$IPTABLES -A OUTPUT -m limit --limit 5/minute --limit-burst 3 -j LOG \
  --log-prefix "[ OUTPUT DROPPED: ]"
$IPTABLES -A FORWARD -m limit --limit 5/minute --limit-burst 3 -j LOG \
  --log-prefix "[ FORWARD DROPPED ]"

# Global Accept
################

# Allow NEW, RELATED, ESTABLISHED connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# END Global
############

# Drop all other packets
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j DROP

# Backup rules to /etc/iptables.rules
/usr/sbin/iptables-save > /etc/iptables.rules

Tags

E-mal

  • michael(a)balcos.net