AllixD Firewall Script - Revision history https://www.slackwiki.com/index.php?title=AllixD_Firewall_Script&action=history Revision history for this page on the wiki en MediaWiki 1.40.0 Wed, 08 Apr 2026 14:27:25 GMT Erik: Copy from old https://www.slackwiki.com/index.php?title=AllixD_Firewall_Script&diff=87&oldid=prev https://www.slackwiki.com/index.php?title=AllixD_Firewall_Script&diff=87&oldid=prev <p>Copy from old</p> <p><b>New page</b></p><div>I use this. It does not allow any incoming data, so it's no good for NFS servers.<br /> <br /> #!/bin/sh<br /> <br /> IPT=&quot;/usr/sbin/iptables&quot;<br /> <br /> # Let's make sure forwarding is DISABLED:<br /> echo &quot;0&quot; &gt; /proc/sys/net/ipv4/ip_forward<br /> <br /> # Let's enable SYN cookies (to protect against SYN floods):<br /> echo &quot;1&quot; &gt; /proc/sys/net/ipv4/tcp_syncookies<br /> <br /> # Let's disable TCP timestamps to reduce the TCP stack workload:<br /> echo &quot;0&quot; &gt; /proc/sys/net/ipv4/tcp_timestamps<br /> <br /> # Let's enable reverse path filtering for anti-spoofing:<br /> echo &quot;1&quot; &gt; /proc/sys/net/ipv4/conf/all/rp_filter<br /> <br /> # Let's ignore PINGs which have been BROADCAST:<br /> echo &quot;1&quot; &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts<br /> <br /> # Let's disable source routed packets as they are ridiculous:<br /> echo &quot;0&quot; &gt; /proc/sys/net/ipv4/conf/all/accept_source_route<br /> <br /> # Let's allow redirects from trusted gateways only:<br /> echo &quot;1&quot; &gt; /proc/sys/net/ipv4/conf/all/secure_redirects<br /> <br /> # Let's log any UFOs which are spotted:<br /> echo &quot;1&quot; &gt; /proc/sys/net/ipv4/conf/all/log_martians<br /> <br /> # Let's flush-out all the chains in our tables:<br /> $IPT -F<br /> $IPT -F -t nat<br /> $IPT -F -t mangle<br /> <br /> # Let's delete every non-builtin chains in our tables:<br /> $IPT -X<br /> $IPT -X -t nat<br /> $IPT -X -t mangle<br /> <br /> # Let's set our INPUT policy to DROP:<br /> $IPT -P INPUT DROP<br /> <br /> # Let's set our OUTPUT policy to ACCEPT, because we can<br /> # appreciate this kinda flexibility on a Home PC:<br /> $IPT -P OUTPUT ACCEPT<br /> <br /> # Let's accept incoming packets which belong to connections<br /> # that have ALREADY been initiated:<br /> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br /> <br /> # Let's allow all packets initiating new connections LOCALLY:<br /> $IPT -A INPUT -i lo -m state --state NEW -j ACCEPT<br /> <br /> # Let's log every packet that reaches this rule, right before<br /> # it hits our INPUT policy and gets a DROP:<br /> $IPT -A INPUT -j LOG --log-prefix &quot;INPUT DROP: &quot;<br /> <br /> # Let's load the module allowing Connection Tracking for FTP:<br /> /sbin/modprobe ip_conntrack_ftp<br /> <br /> # Let's load the module allowing Connection Tracking for IRC:<br /> /sbin/modprobe ip_conntrack_irc<br /> <br /> # No rc.firewall script is complete without the ubiquitous echo:<br /> echo &quot;So let it be written. So let it be done.&quot;<br /> <br /> [[Category:Security]]</div> Tue, 02 Jun 2009 03:28:07 GMT Erik https://www.slackwiki.com/Talk:AllixD_Firewall_Script