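#!/bin/sh
# Debian 3.0r2 iptables config - supports NIS + Kerberos (DAS)
# Version 1
# Date 2004-04-26
#
# Host firewall for a single-homed Debian box: default-deny on INPUT, a few
# explicit holes (PING from the lab network, SSH from the DAS network), reply
# traffic admitted via connection tracking, and log-then-drop/reject for
# everything else. OUTPUT and FORWARD policies are deliberately left untouched
# (as in the original config); forwarding itself is switched off through
# ip_forward below.
#
# Usage: run as root (writes /proc/sys and calls iptables). No arguments.
#
# Fail-closed: the INPUT policy is set to DROP *before* the old rules are
# flushed, and the script stops at the first failing command (set -e), so a
# partially applied ruleset never leaves the host open. The flip side is that
# a failure before the loopback/SSH rules cuts off remote sessions -- apply
# this from a console, or with a scheduled rollback, when working remotely.

set -eu

#-----------------------------------------------------------------------------
# Site definitions used for source-address restriction
#-----------------------------------------------------------------------------
# Your IP address
IPADDR="10.10.22.68"
# DAS-M IP address (kept for reference; no rule below references it)
DAS_M="10.10.22.42/32"
# DAS-S IP address (kept for reference; no rule below references it)
DAS_S="10.10.22.40/32"
# Your physical interface
IFACE="eth0"
# Network allowed to connect to LDAP or NTP services (and to SSH, below)
DASNET="10.10.22.0/24"
# LAB/Software Dev Network
LABNET="10.10.0.0/16"
# Our DNS servers are: (kept for reference; no rule below references them)
NS1="10.10.20.250/32"
NS2="10.10.19.250/32"
NS3="4.2.2.3/32"
# Other Definitions
BROADCAST="10.10.22.255"
ALLBROAD="255.255.255.255"
MULTICAST="224.0.0.0/4"
LOOPBACK="127.0.0.0/8"   # reference only; no rule below references it
P_PORTS="0:1023"         # reference only
UP_PORTS="1024:65535"    # reference only
# Rate limit applied to every LOG rule so that a packet flood cannot fill the
# disk with log lines. The DROP/REJECT that follows each LOG rule still
# applies to every packet. Override from the environment for more detail.
LOG_RATE="${LOG_RATE:-5/min}"
LOG_BURST="${LOG_BURST:-10}"

#######################################
# Write a value to a /proc/sys entry, skipping entries this kernel does not
# expose. An unmatched glob in a caller leaves the literal pattern, which does
# not exist and is therefore skipped too instead of aborting the script.
# Arguments: $1 - /proc/sys path
#            $2 - value to write
# Returns:   0 if the entry is absent or written; non-zero if the write fails
#######################################
write_sysctl() {
  [ -e "$1" ] || return 0
  printf '%s\n' "$2" > "$1"
}

#######################################
# Apply a per-interface sysctl to every directory under
# /proc/sys/net/ipv4/conf/ (whatever the glob matches on this kernel).
# Arguments: $1 - entry name (e.g. rp_filter)
#            $2 - value to write
#######################################
set_on_all_ifaces() {
  for entry in /proc/sys/net/ipv4/conf/*/"$1"; do
    write_sysctl "$entry" "$2"
  done
}

#######################################
# Increase security on the host IP stack (same settings as the original
# config, now tolerant of kernels that lack an entry).
#######################################
harden_ip_stack() {
  # Enable TCP SYN Cookie Protection
  write_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  # Enable broadcast echo Protection
  write_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  # Enable bad error message Protection
  write_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  # Make sure that IP forwarding is turned off. We only want this for a
  # multi-homed host.
  write_sysctl /proc/sys/net/ipv4/ip_forward 0
  # Enable IP spoofing protection: turn on Source Address Verification
  set_on_all_ifaces rp_filter 1
  # Disable ICMP Redirect Acceptance (and don't send redirects either)
  set_on_all_ifaces accept_redirects 0
  set_on_all_ifaces send_redirects 0
  # Disable Source Routed Packets
  set_on_all_ifaces accept_source_route 0
  # Log Spoofed Packets, Source Routed Packets, Redirect Packets
  set_on_all_ifaces log_martians 1
}

#######################################
# Append a rate-limited LOG rule followed by a terminating rule to INPUT,
# both carrying the same match.
# Arguments: $1 - terminating target (DROP or REJECT)
#            $2 - log prefix
#            $3... - iptables match arguments (may be empty = every packet)
# Globals:   LOG_RATE, LOG_BURST (read)
#######################################
log_then() {
  target=$1
  prefix=$2
  shift 2
  iptables -A INPUT "$@" -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
    -j LOG --log-level info --log-prefix "$prefix"
  iptables -A INPUT "$@" -j "$target"
}

#######################################
# Build the INPUT ruleset. Order matters: policy first (fail closed), then
# flush, then stack hardening, then the allow rules, then log-and-drop.
# Globals: IPADDR IFACE DASNET LABNET BROADCAST ALLBROAD MULTICAST (read)
#######################################
main() {
  printf '%s\n' "Starting IPTABLES firewall... "

  # Load connection tracking modules: (these are already loaded in my kernel,
  # you may need to uncomment these lines and load them as modules.
  #modprobe ip_conntrack
  #modprobe ip_conntrack_ftp

  # Default action if packets match no rules in chain. Set *before* flushing
  # so there is no accept-all window while the old rules are gone.
  iptables -P INPUT DROP

  # Flush all chains, delete user-defined chains, and zero all counters
  iptables -F
  iptables -X
  iptables -Z

  harden_ip_stack

  #---------------------------------------------------------------------------
  # LOOPBACK
  # Unlimited traffic on the loopback interface.
  iptables -A INPUT -i lo -j ACCEPT

  #---------------------------------------------------------------------------
  # The actual firewall config:
  # Make sure that NEW tcp connections are SYN packets
  iptables -A INPUT -i "$IFACE" -p tcp ! --syn -m state --state NEW -j DROP

  # Allow hosts on the LAB network to PING us. Outbound PING is allowed via
  # connection tracking, and traceroute works as well. (The old "-s any/0"
  # is simply omitted: a rule without -s matches any source.)
  iptables -A INPUT -s "$LABNET" -d "$IPADDR" -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT -d "$IPADDR" -p icmp --icmp-type destination-unreachable -j ACCEPT
  iptables -A INPUT -d "$IPADDR" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow inbound TCP port for SSH connection (DAS network only)
  iptables -A INPUT -s "$DASNET" -d "$IPADDR" -p tcp --dport 22 -j ACCEPT

  # Connection Tracking - Allow TCP and UDP connections initiated by server
  iptables -A INPUT -d "$IPADDR" -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -d "$IPADDR" -p udp -m state --state ESTABLISHED -j ACCEPT

  #---------------------------------------------------------------------------
  # LOGGING and REJECTING/DROPPING all remaining packets
  # Drop any TCP or UDP broadcasts without logging. I don't want to see lots
  # of entries in the log for Microsoft client broadcasts, or DHCP traffic!
  for dst in "$BROADCAST" "$ALLBROAD"; do
    iptables -A INPUT -d "$dst" -p tcp -j DROP
    iptables -A INPUT -d "$dst" -p udp -j DROP
  done

  # Drop any TCP port 135 scans from M$ hosts infected with worms. These are
  # SO common, they fill up the logs with garbage!!!
  iptables -A INPUT -d "$IPADDR" -p tcp --dport 135 -j DROP

  # Drop Multicast traffic. Otherwise, all router IGMP stuff will be logged.
  # I don't want to see this.
  iptables -A INPUT -d "$MULTICAST" -j DROP

  # Any UDP not already allowed is logged, then dropped
  log_then DROP "FW UDP: " -p udp
  # Any TCP not already allowed is logged, then rejected
  log_then REJECT "FW TCP: " -p tcp
  # Any ICMP not already allowed is logged, then dropped
  log_then DROP "FW ICMP: " -p icmp
  # All other protocols and packets will be logged, then dropped
  log_then DROP "FW Prot-X: "

  printf '%s\n' "done"
}

main
exit 0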