Featured image of post Simple firewall script I now use in my Slackware powered laptop

Simple firewall script I now use in my Slackware powered laptop

This is the /etc/rc.d/rc.firewall script I use now for my Slackware powered laptop.

In the past, I’ve been using the Projectfiles rc.firewall script for my Slackware firewalling needs. However, I thought I could make use of a more simple script. I then checked the internet if there is one I could use. I then found the script (https://github.com/BrentonEarl/Iptables-Script/blob/master/rc.firewall.laptop) you’ll see in this post.

#!/bin/bash
#
# Iptables - Firewall Script for my Slackware laptop
#
###########
# Usage
###########
#
# Slackware systems
# Copy to /etc/rc.d/rc.firewall
# Execute 'chmod +x /etc/rc.d/rc.firewall'
# Start by executing '/etc/rc.d/rc.firewall'
#

IPTABLES="/usr/sbin/iptables"

$IPTABLES -F
$IPTABLES -X

# Block WINDOWS noise
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 137 -j DROP
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 138 -j DROP


# DROP and Log new != SYN
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "[ New TCP ! SYN: ]"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

###########################
# Log and Block port scans
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
  --log-prefix "[ Stealth scan: ]"
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# End Log and block port scans
###############################

# Accept everything from loopback
#$IPTABLES -A INPUT -i lo -j ACCEPT
#$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# ICMP
###############

# Log all pings
$IPTABLES -A INPUT -p ICMP --icmp-type 8 -j LOG  \
  --log-prefix "[ Ping detected: ]"

# Allow good ICMP
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Drop Pings
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Allow Ping
# $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# Drop fragmented ICMP packets
$IPTABLES -A INPUT --fragment -p ICMP -j LOG \
  --log-prefix "[ ICMP Fragment: ]"
$IPTABLES -A INPUT --fragment -p ICMP -j DROP

# DROP INVALIDs
$IPTABLES -A INPUT -p ALL -m state --state INVALID -j LOG \
  --log-prefix "[ Invalid packet: ]"
$IPTABLES -A INPUT -m state -p icmp --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
# END ICMP
##############

# Services
###############

# Allow NTP
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 37 -j ACCEPT

# Allow SSH
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# Allow DHCP
# $IPTABLES -A INPUT -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT

# Allow HTTPD
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 443 -j ACCEPT

# Allow Torrents
# $IPTABLES -A INPUT -p UDP -s 0/0 --destination-port PORT1:PORT2 -j ACCEPT
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port PORT1:PORT2 -j ACCEPT

# END Services
###############


# Log everything else
$IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 3 -j LOG \
  --log-prefix "[ INPUT DROPPED ]"
$IPTABLES -A OUTPUT -m limit --limit 5/minute --limit-burst 3 -j LOG \
  --log-prefix "[ OUTPUT DROPPED: ]"
$IPTABLES -A FORWARD -m limit --limit 5/minute --limit-burst 3 -j LOG \
  --log-prefix "[ FORWARD DROPPED ]"

# Global Accept
################

# Allow NEW, RELATED, ESTABLISHED connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# END Global
############

# Drop all other packets
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j DROP

# Backup rules to /etc/iptables.rules
/usr/sbin/iptables-save > /etc/iptables.rules
comments powered by Disqus
Built with Hugo
Theme Stack designed by Jimmy