IPTABLES Script For a Basic SOHO Firewall

#!/bin/bash
# Iptables script for a basic SOHO firewall
# please verify if the Source Address Verification in /
etc/sysctl.conf is enabled:
net.ipv4.conf.all.rp_filter = 1
# Define some variables
# Location of the binaries
IPTABLES="/sbin/iptables"
# Loopback Interface
LOOPBACK="lo"
# External Interface
EXTERNAL="eth0"
EXTERNAL_IP="192.168.1.2"
# Internal Interface
INTERNAL="eth1"
INTERNAL_IP="192.168.0.100"
# Internal PC
PC1_IP="192.168.0.1"
# Remote client
REMOTE_IP="192.168.1.1"
# DNS Server
DNS_IP="192.168.1.1"
# Internal services ports
SSH_PORT="222"
VNC_PORT="5901"
# Flush all rules
$IPTABLES -F
# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Allow access to the Loopback host
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT
# Incoming external traffic rules
# refine it with netstat, tcpdump, syslog, etc.
# Accept ICMP echo-replay incoming traffic for outgoing PINGs
$IPTABLES -A INPUT -i $EXTERNAL -p icmp --icmp-type echoreply
-j ACCEPT
# Accept DNS responses for host resolution
$IPTABLES -A INPUT -i $EXTERNAL -p udp -s $DNS_IP --sport
domain -j ACCEPT
# Accept all established incoming traffic
$IPTABLES -A INPUT -i $EXTERNAL -p tcp -m state --state
RELATED,ESTABLISHED -j ACCEPT
# Accept incoming SSH traffic only from well known remote host
$IPTABLES -A INPUT -i $EXTERNAL -p tcp -s $REMOTE_IP --dport
$SSH_PORT -j ACCEPT
# Accept incoming VNC traffic only from well known remote host
$IPTABLES -A INPUT -i $EXTERNAL -p tcp -s $REMOTE_IP --dport
$VNC_PORT -j ACCEPT
# Log all dropped incoming traffic
$IPTABLES -A INPUT -i $EXTERNAL -j LOG --log-prefix="BAD_
INPUT:"
# Outgoing external traffic rules
# refine it with netstat, tcpdump, syslog, etc.
# Block ICMP Port Unreachable
$IPTABLES -A OUTPUT -o $EXTERNAL -p icmp -j DROP
# Accept DNS responses for host resolution
$IPTABLES -A OUTPUT -o $EXTERNAL -p udp -d $DNS_IP --dport
domain -j ACCEPT
# Block ICMP Port Unreachable
#$IPTABLES -A OUTPUT -o $EXTERNAL -p udp -j DROP
# Accept all outgoing traffic
$IPTABLES -A OUTPUT -o $EXTERNAL -p tcp -j ACCEPT
# Log all dropped outgoing traffic
$IPTABLES -A OUTPUT -o $EXTERNAL -j LOG --log-prefix="BAD_
OUTPUT:"
# Internal traffic rules
# Accept all internal input traffic
$IPTABLES -A INPUT -i $INTERNAL -j ACCEPT
# Accept all internal output traffic
$IPTABLES -A OUTPUT -o $INTERNAL -j ACCEPT
# Forwarding packets rules
# Forward incoming VNC traffic to PC1
$IPTABLES -A FORWARD -i $EXTERNAL -o $INTERNAL -p tcp -s
$REMOTE_IP -d $PC1_IP --dport $VNC_PORT
-j ACCEPT
# Log all dropped incoming forward traffic
$IPTABLES -A FORWARD -i $EXTERNAL -o $INTERNAL -j LOG --logprefix="
BAD_INPUT_FORWARD:"
# Forward outgoing VNC traffic from PC1
$IPTABLES -A FORWARD -i $INTERNAL -o $EXTERNAL -p tcp -d
$REMOTE_IP -s $PC1_IP --sport $VNC_PORT
-j ACCEPT
# Log all dropped outgoing forward traffic
$IPTABLES -A FORWARD -i $INTERNAL -o $EXTERNAL -j LOG --logprefix="
BAD_OUTPUT_FORWARD:"

Advertisements

Comments are closed.