In the past, I’ve been using the Projectfiles rc.firewall script for my Slackware firewalling needs. However, I thought I could make use of a more simple script. I then checked the internet if there is one I could use. I then found the script (https://github.com/BrentonEarl/Iptables-Script/blob/master/rc.firewall.laptop) you’ll see in this post.
#!/bin/bash
#
# Iptables - Firewall Script for my Slackware laptop
#
###########
# Usage
###########
#
# Slackware systems
# Copy to /etc/rc.d/rc.firewall
# Execute 'chmod +x /etc/rc.d/rc.firewall'
# Start by executing '/etc/rc.d/rc.firewall'
#
IPTABLES="/usr/sbin/iptables"
$IPTABLES -F
$IPTABLES -X
# Block WINDOWS noise
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 137 -j DROP
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 138 -j DROP
# DROP and Log new != SYN
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "[ New TCP ! SYN: ]"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
###########################
# Log and Block port scans
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j LOG \
--log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j LOG \
--log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
--log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
--log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
--log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# End Log and block port scans
###############################
# Accept everything from loopback
#$IPTABLES -A INPUT -i lo -j ACCEPT
#$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# ICMP
###############
# Log all pings
$IPTABLES -A INPUT -p ICMP --icmp-type 8 -j LOG \
--log-prefix "[ Ping detected: ]"
# Allow good ICMP
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Drop Pings
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Allow Ping
# $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# Drop fragmented ICMP packets
$IPTABLES -A INPUT --fragment -p ICMP -j LOG \
--log-prefix "[ ICMP Fragment: ]"
$IPTABLES -A INPUT --fragment -p ICMP -j DROP
# DROP INVALIDs
$IPTABLES -A INPUT -p ALL -m state --state INVALID -j LOG \
--log-prefix "[ Invalid packet: ]"
$IPTABLES -A INPUT -m state -p icmp --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
# END ICMP
##############
# Services
###############
# Allow NTP
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 37 -j ACCEPT
# Allow SSH
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# Allow DHCP
# $IPTABLES -A INPUT -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
# Allow HTTPD
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 443 -j ACCEPT
# Allow Torrents
# $IPTABLES -A INPUT -p UDP -s 0/0 --destination-port PORT1:PORT2 -j ACCEPT
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port PORT1:PORT2 -j ACCEPT
# END Services
###############
# Log everything else
$IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 3 -j LOG \
--log-prefix "[ INPUT DROPPED ]"
$IPTABLES -A OUTPUT -m limit --limit 5/minute --limit-burst 3 -j LOG \
--log-prefix "[ OUTPUT DROPPED: ]"
$IPTABLES -A FORWARD -m limit --limit 5/minute --limit-burst 3 -j LOG \
--log-prefix "[ FORWARD DROPPED ]"
# Global Accept
################
# Allow NEW, RELATED, ESTABLISHED connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# END Global
############
# Drop all other packets
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j DROP
# Backup rules to /etc/iptables.rules
/usr/sbin/iptables-save > /etc/iptables.rules