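#!/bin/sh
# Firewall for campus and home use
# simple firewall for standalone machine
# default deny in, default allow out
########################################################################
# Date : 27 Feb 2002
# copyright : (C) 2002 by Arthur Clune
# email : arthur@clune.org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
########################################################################
# Generously chopped around by ewan (ecm103@york.ac.uk) 29/3/2002
#
# Usage: run as root once the network is up. The script is re-runnable:
# it sets the chain policies first and flushes the INPUT and FORWARD
# chains it owns before appending its rules, so a second run does not
# leave a duplicated (and therefore subtly different) ruleset behind.
#
# Scope: IPv4 only. Nothing here touches ip6tables, so on a host with
# IPv6 connectivity that traffic is not filtered by this script.

# Write a value into a /proc/sys knob if that file exists.
# Arguments: $1 - value to write, $2 - path of the sysctl file
# A missing file (kernel without that knob, or an unmatched glob passed
# through literally by the caller) is skipped so the remaining hardening
# steps still run.
set_sysctl() {
  if [ -e "$2" ]; then
    echo "$1" > "$2"
  fi
}

# Apply one value to the same knob in every directory under
# /proc/sys/net/ipv4/conf (all/, default/ and each interface).
# Arguments: $1 - value to write, $2 - knob name (e.g. rp_filter)
set_sysctl_all_ifaces() {
  for f in /proc/sys/net/ipv4/conf/*/"$2"; do
    set_sysctl "$1" "$f"
  done
}

# --- Kernel network hardening -----------------------------------------

# Enable broadcast echo protection
set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# no source routing
set_sysctl_all_ifaces 0 accept_source_route

# TCP SYN cookies protection
set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies

# ignore ICMP redirects
set_sysctl_all_ifaces 0 accept_redirects

# don't send redirects
set_sysctl_all_ifaces 0 send_redirects

# reverse path filtering (anti-spoofing)
set_sysctl_all_ifaces 1 rp_filter

# log packets with impossible (martian) source addresses
set_sysctl_all_ifaces 1 log_martians

# we are not a router
set_sysctl_all_ifaces 0 forwarding

# --- Actual iptables stuff --------------------------------------------

# Start from a known, fail-closed state: policies first so nothing is
# accepted while the chains are being rebuilt, then flush only the
# chains this script populates. OUTPUT gets no rules here, so it is
# left untouched apart from its ACCEPT policy.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD

# allow related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept from lo
iptables -A INPUT -i lo -j ACCEPT

# we are not a router: log (rate-limited) anything trying to transit;
# the FORWARD policy set above then drops it
iptables -A FORWARD -m limit --limit 1/minute --limit-burst 5 -j LOG --log-prefix "[firewall] forwarding: "

# now some paranoia
# Kill malformed packets.
# NOTE(review): the 'unclean' match is an old add-on module; on a
# kernel/iptables build that lacks it these two commands fail with an
# error and the rest of the ruleset still loads. Confirm on the target.
iptables -A INPUT -m limit --limit 1/minute --limit-burst 5 -m unclean -j LOG --log-prefix "[firewall] unclean packet: "
iptables -A INPUT -m unclean -j DROP

# block the private/non-routable address blocks
# don't do this when using one!
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
#iptables -A INPUT -s 192.168.0.0/16 -j DROP

# Drop multicast traffic
# NOTE(review): this matches on the *source* address; multicast normally
# shows up as a destination, so this rule probably only catches
# spoofed/martian sources. Kept as-is; verify the intent.
iptables -A INPUT -s 224.0.0.0/4 -j DROP

# Allow incoming ssh. The LOG rule sits after the ESTABLISHED,RELATED
# accept, so it only sees packets that are not part of a tracked
# session (i.e. new connection attempts), rate-limited to keep the log
# readable.
iptables -A INPUT -p tcp --dport ssh -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "[firewall] SSH accept: "
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming pings from other machines - not needed to ping out.
iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT

# Anything not permitted above is logged (rate-limited) and then falls
# through to the INPUT DROP policy set at the top. Everything out is
# allowed (OUTPUT policy ACCEPT).
iptables -A INPUT -m limit --limit 1/minute --limit-burst 5 -j LOG --log-prefix "[firewall] Default drop : "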