IPTABLES Script For a Basic SOHO Firewall

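#!/bin/bash
# Iptables script for a basic SOHO firewall.
#
# The script rebuilds the whole "filter" table (nat/mangle are left alone):
# every chain gets a DROP policy, then only the traffic listed below is
# accepted.  Run it as root, from the console if possible -- while the
# rules are being replaced an existing remote session is briefly dropped,
# and a typo in REMOTE_IP/SSH_PORT locks you out for good.
#
# Prerequisites that this script does NOT change:
#   - Source address verification in /etc/sysctl.conf:
#         net.ipv4.conf.all.rp_filter = 1
#     (a warning is printed below if it is off)
#   - NOTE(review): the FORWARD rules only take effect when IP forwarding is
#     enabled (net.ipv4.ip_forward = 1); verify this on the host.
set -euo pipefail

# Location of the binaries
readonly IPTABLES="/sbin/iptables"
# Loopback Interface
readonly LOOPBACK="lo"
# External Interface
readonly EXTERNAL="eth0"
readonly EXTERNAL_IP="192.168.1.2"
# Internal Interface
readonly INTERNAL="eth1"
readonly INTERNAL_IP="192.168.0.100"
# Internal PC
readonly PC1_IP="192.168.0.1"
# Remote client
readonly REMOTE_IP="192.168.1.1"
# DNS Server
readonly DNS_IP="192.168.1.1"
# Internal services ports
readonly SSH_PORT="222"
readonly VNC_PORT="5901"
# Rate limit for the LOG rules: an unsolicited flood would otherwise be able
# to fill the syslog partition (every dropped packet produces one line).
readonly LOG_LIMIT="5/min"
readonly LOG_BURST="10"

# Fail early and clearly instead of half-way through the rule set.
if [[ ! -x "$IPTABLES" ]]; then
  printf 'error: %s not found or not executable\n' "$IPTABLES" >&2
  exit 1
fi

# Only warn about rp_filter: the author asks to verify it, not to force it.
rp_filter="/proc/sys/net/ipv4/conf/all/rp_filter"
if [[ -r "$rp_filter" ]] && [[ "$(cat "$rp_filter")" != "1" ]]; then
  printf 'warning: %s is not 1; enable source address verification\n' \
    "$rp_filter" >&2
fi

# Flush all rules in the filter table and drop user-defined chains so the
# result does not depend on what was loaded before.
"$IPTABLES" -F
"$IPTABLES" -X

# Set default policies: anything not accepted below is dropped.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Allow access to the Loopback host
"$IPTABLES" -A INPUT -i "$LOOPBACK" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$LOOPBACK" -j ACCEPT

# ---- Incoming external traffic rules ----
# refine it with netstat, tcpdump, syslog, etc.

# Accept ICMP echo-reply incoming traffic for the outgoing PINGs allowed in
# the OUTPUT chain (the type name is "echo-reply"; "echoreply" is rejected).
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p icmp --icmp-type echo-reply -j ACCEPT
# Accept DNS responses from the configured resolver only
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p udp -s "$DNS_IP" --sport domain \
  -j ACCEPT
# Accept replies to connections this host opened.  This is TCP only: UDP
# traffic other than the DNS rule above is not state-tracked here.
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p tcp -m state \
  --state RELATED,ESTABLISHED -j ACCEPT
# Accept incoming SSH traffic only from the well known remote host
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p tcp -s "$REMOTE_IP" \
  --dport "$SSH_PORT" -j ACCEPT
# Accept incoming VNC traffic only from the well known remote host
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p tcp -s "$REMOTE_IP" \
  --dport "$VNC_PORT" -j ACCEPT
# Log (rate-limited) what falls through to the DROP policy
"$IPTABLES" -A INPUT -i "$EXTERNAL" \
  -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-prefix "BAD_INPUT:"

# ---- Outgoing external traffic rules ----
# refine it with netstat, tcpdump, syslog, etc.

# Let our own PINGs out (their replies are accepted in INPUT above) and
# drop every other ICMP message, in particular Port Unreachable.
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p icmp --icmp-type echo-request \
  -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p icmp -j DROP
# Accept DNS queries to the configured resolver only
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p udp -d "$DNS_IP" --dport domain \
  -j ACCEPT
# Optional: drop all remaining outgoing UDP explicitly (it is dropped by the
# OUTPUT policy anyway; uncomment to stop it from being logged below).
#"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p udp -j DROP
# Accept all outgoing TCP traffic (UDP other than DNS is not allowed out)
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p tcp -j ACCEPT
# Log (rate-limited) what falls through to the DROP policy
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" \
  -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-prefix "BAD_OUTPUT:"

# ---- Internal traffic rules ----
# Accept all internal input traffic
"$IPTABLES" -A INPUT -i "$INTERNAL" -j ACCEPT
# Accept all internal output traffic
"$IPTABLES" -A OUTPUT -o "$INTERNAL" -j ACCEPT

# ---- Forwarding packets rules ----
# Only the VNC session between REMOTE_IP and PC1 is forwarded, in both
# directions; there is no ESTABLISHED rule in FORWARD, the return-direction
# rule below covers the replies.
# Forward incoming VNC traffic to PC1
"$IPTABLES" -A FORWARD -i "$EXTERNAL" -o "$INTERNAL" -p tcp \
  -s "$REMOTE_IP" -d "$PC1_IP" --dport "$VNC_PORT" -j ACCEPT
# Log (rate-limited) all other incoming forward traffic
"$IPTABLES" -A FORWARD -i "$EXTERNAL" -o "$INTERNAL" \
  -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-prefix "BAD_INPUT_FORWARD:"
# Forward outgoing VNC traffic from PC1
"$IPTABLES" -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -p tcp \
  -d "$REMOTE_IP" -s "$PC1_IP" --sport "$VNC_PORT" -j ACCEPT
# Log (rate-limited) all other outgoing forward traffic
"$IPTABLES" -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" \
  -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-prefix "BAD_OUTPUT_FORWARD:"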
