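#!/bin/sh
#
# /etc/init.d/firewall: start or stop firewalling
#
# This is a simple configuration suitable for a machine on a
# network not serving as a gateway/router.  An ethernet network
# is shown here -- change MAINIF to "ppp0" or whatever is suitable
# for your setup if applicable.  Requires iptables on a linux kernel
# supporting same (2.4.x, as of this writing).
#
# This configuration permits incoming connects only to the ssh port,
# from any source address (add "-s <admin net>" to that rule if the
# administrative hosts are known).  All incoming packets not related to
# an existing connect (that is, one initiated from inside) are logged
# and rejected.
#
# Scope and caveats:
#   * Only the INPUT chain is populated/cleared.  No default policy is
#     set; the trailing REJECT rule is what closes the host, so a chain
#     that was only half built would leave the host open.  For that
#     reason every rule insertion is checked and "start" aborts with a
#     non-zero status (and a message on stderr) on the first failure
#     instead of carrying on silently.
#   * "start" flushes INPUT before rebuilding it, so running it twice
#     does not stack duplicate rules.  The flush opens a brief window
#     with no rules, the same window "restart" has always had.
#   * Interface addresses are read from ifconfig's "inet addr:" and
#     "Bcast:" fields (net-tools of the 2.4 era).  A point-to-point
#     interface such as ppp0 has no broadcast address; the broadcast
#     rule is then simply omitted rather than being passed an empty
#     argument.
#   * Must be run as root.

MAINIF=eth0
PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH

# Locate iptables.  The first directory in the list that holds an
# executable wins.  If none does, behave like other init scripts whose
# package is absent: say so on stderr and exit 0.
IPT=""
for dir in /usr/local/sbin /usr/sbin /sbin /usr/local/bin /usr/bin /bin ; do
  if [ -x "$dir/iptables" ] ; then
    IPT="$dir/iptables"
    break
  fi
done
if [ -z "$IPT" ] ; then
  printf 'firewall: iptables not found; no rules loaded\n' >&2
  exit 0
fi

# rule ARGS... -- run iptables with ARGS; on failure report which rule
# failed and abort, because a partially built INPUT chain has no final
# REJECT and therefore protects nothing.
rule() {
  "$IPT" "$@" && return 0
  printf 'firewall: "%s %s" failed -- INPUT chain is incomplete\n' "$IPT" "$*" >&2
  exit 1
}

# iface_addr IFACE -- print the IPv4 address of IFACE (empty if the
# interface is down or unknown).
iface_addr() {
  ifconfig "$1" 2>/dev/null \
    | sed -n 's/.*inet addr:\([^ ]*\).*/\1/p' \
    | head -n 1
}

# iface_bcast IFACE -- print the broadcast address of IFACE (empty for
# point-to-point interfaces, which have none).
iface_bcast() {
  ifconfig "$1" 2>/dev/null \
    | sed -n 's/.*[Bb]cast:\([^ ]*\).*/\1/p' \
    | head -n 1
}

# start_fw -- build the INPUT chain.  Refuses to run if MAINIF has no
# address, since an interface that is down is the usual sign of a
# misconfigured MAINIF.
start_fw() {
  addr=$(iface_addr "$MAINIF")
  if [ -z "$addr" ] ; then
    printf "Couldn't determine IP address for %s -- is the interface active?\n" \
      "$MAINIF" >&2
    exit 1
  fi
  bcast=$(iface_bcast "$MAINIF")

  # enable the kernel's spoof protection
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

  # load the iptables module (this may be autoloadable in some
  # distributions, in which case modprobe is a harmless no-op)
  modprobe ip_tables

  # start from an empty, zeroed INPUT chain so "start" is idempotent
  rule -F INPUT
  rule -Z INPUT

  # throw out contextually invalid packets
  rule -A INPUT -m state --state INVALID -j REJECT

  # accept packets on established connects, or those related thereto
  rule -A INPUT -m state --state ESTABLISHED -j ACCEPT
  rule -A INPUT -m state --state RELATED -j ACCEPT

  # allow incoming ssh connects (port name resolved via /etc/services)
  rule -A INPUT -p tcp --dport ssh -j ACCEPT

  # optional: allow http connects (webservers)
  # rule -A INPUT -p tcp --dport 80 -j ACCEPT

  # optional: allow incoming smtp connects (mailservers)
  # rule -A INPUT -p tcp --dport smtp -j ACCEPT

  # optional: allow incoming DNS queries (DNS servers)
  # rule -A INPUT -p udp --dport domain -j ACCEPT
  # rule -A INPUT -p tcp --dport domain -j ACCEPT

  # optional: allow incoming NTP queries (NTP timeservers)
  # rule -A INPUT -p udp --dport ntp -j ACCEPT

  # quietly throw away some common broadcast packets to reduce noise
  rule -A INPUT -p tcp --dport 137:139 -j REJECT
  rule -A INPUT -p udp --dport 137:139 -j REJECT
  if [ -n "$bcast" ] ; then
    rule -A INPUT -d "$bcast" -j REJECT
  fi

  # log (rate-limited so a flood cannot fill the log) and reject
  # everything else.
  rule -A INPUT -m limit --limit 60/minute --limit-burst 120 \
    -j LOG --log-prefix "input firewall "
  rule -A INPUT -j REJECT
}

# stop_fw -- flush and zero the INPUT chain, the only chain start_fw
# populates.  OUTPUT and FORWARD are never touched by this script.
stop_fw() {
  rule -F INPUT
  rule -Z INPUT
}

case "${1-}" in
  start)
    printf 'Starting iptables firewalling: '
    start_fw
    echo done
    ;;
  stop)
    printf 'Clearing iptables firewalls: '
    stop_fw
    echo done
    ;;
  restart|reload|force-reload)
    # propagate the status of whichever step failed instead of the
    # unconditional 0 below
    "$0" stop && "$0" start
    exit $?
    ;;
  *)
    printf 'Usage: %s {start|stop|restart|reload|force-reload}\n' "$0" >&2
    exit 1
    ;;
esac
exit 0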