https://www.slackwiki.com/index.php?action=history&feed=atom&title=AllixD_Firewall_ScriptAllixD Firewall Script - Revision history2026-04-08T14:27:34ZRevision history for this page on the wikiMediaWiki 1.40.0https://www.slackwiki.com/index.php?title=AllixD_Firewall_Script&diff=87&oldid=prevErik: Copy from old2009-06-02T03:28:07Z<p>Copy from old</p>
<p><b>New page</b></p><div>I use this. It does not allow any incoming data, so it's no good for NFS servers.<br />
<br />
#!/bin/sh<br />
<br />
IPT="/usr/sbin/iptables"<br />
<br />
# Let's make sure forwarding is DISABLED:<br />
echo "0" > /proc/sys/net/ipv4/ip_forward<br />
<br />
# Let's enable SYN cookies (to protect against SYN floods):<br />
echo "1" > /proc/sys/net/ipv4/tcp_syncookies<br />
<br />
# Let's disable TCP timestamps to reduce the TCP stack workload:<br />
echo "0" > /proc/sys/net/ipv4/tcp_timestamps<br />
<br />
# Let's enable reverse path filtering for anti-spoofing:<br />
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter<br />
<br />
# Let's ignore PINGs which have been BROADCAST:<br />
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts<br />
<br />
# Let's disable source routed packets as they are ridiculous:<br />
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route<br />
<br />
# Let's allow redirects from trusted gateways only:<br />
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects<br />
<br />
# Let's log any UFOs which are spotted:<br />
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians<br />
<br />
# Let's flush-out all the chains in our tables:<br />
$IPT -F<br />
$IPT -F -t nat<br />
$IPT -F -t mangle<br />
<br />
# Let's delete every non-builtin chains in our tables:<br />
$IPT -X<br />
$IPT -X -t nat<br />
$IPT -X -t mangle<br />
<br />
# Let's set our INPUT policy to DROP:<br />
$IPT -P INPUT DROP<br />
<br />
# Let's set our OUTPUT policy to ACCEPT, because we can<br />
# appreciate this kinda flexibility on a Home PC:<br />
$IPT -P OUTPUT ACCEPT<br />
<br />
# Let's accept incoming packets which belong to connections<br />
# that have ALREADY been initiated:<br />
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
<br />
# Let's allow all packets initiating new connections LOCALLY:<br />
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT<br />
<br />
# Let's log every packet that reaches this rule, right before<br />
# it hits our INPUT policy and gets a DROP:<br />
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "<br />
<br />
# Let's load the module allowing Connection Tracking for FTP:<br />
/sbin/modprobe ip_conntrack_ftp<br />
<br />
# Let's load the module allowing Connection Tracking for IRC:<br />
/sbin/modprobe ip_conntrack_irc<br />
<br />
# No rc.firewall script is complete without the ubiquitous echo:<br />
echo "So let it be written. So let it be done."<br />
<br />
[[Category:Security]]</div>Erik