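#!/bin/sh
# Create a host firewall for this machine.
#
# Interface roles, as implied by the rules below:
#   eth0 - internal (trusted) side; everything arriving here is accepted
#   eth1 - external side, addressed as $EXTIP
# Must run as root: it writes sysctls under /proc/sys/net/ipv4 and
# replaces the filter table's INPUT rules.

IPTABLES=/usr/sbin/iptables
# Public address on eth1. The value below is the placeholder from the
# original listing; set it to this host's real external address.
EXTIP=123.123.123.123

# Start from an empty filter table so re-running the script does not
# append a second copy of every rule.
"$IPTABLES" -F

# Connection tracking, plus the FTP helper so that FTP data connections
# are classified RELATED by the state rules further down.
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
/bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the network
# interface they're arriving on. This has security advantages because it prevents
# so-called IP spoofing, however it can pose problems if you use asymmetric routing
# (packets from you to a host take a different path than packets from that host to you)
# or if you operate a non-routing host which has several IP addresses on different
# interfaces. (Note - If you turn on IP forwarding, you will also get this).
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
  /bin/echo 1 > "$interface"
done

# Log spoofed packets, source routed packets, redirect packets.
/bin/echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
/bin/echo 0 > /proc/sys/net/ipv4/ip_forward

# Defaults: drop anything not explicitly accepted below. OUTPUT is left at
# its built-in ACCEPT policy.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP

# Loopback must be accepted explicitly, otherwise the DROP policy above
# also silences local services talking to 127.0.0.1.
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# Internal range is not blocked.
"$IPTABLES" -A INPUT -i eth0 -j ACCEPT

# Ping (all ICMP, any interface).
"$IPTABLES" -A INPUT -p icmp -j ACCEPT

# DNS replies from the two configured resolvers. These rules match on
# source port 53 only; now that conntrack is loaded they could be
# tightened with `-m state --state ESTABLISHED` so that only replies to
# queries this host sent are accepted.
"$IPTABLES" -A INPUT -i eth1 -d "$EXTIP" -s 217.33.150.220 -p tcp --sport 53 -j ACCEPT
"$IPTABLES" -A INPUT -i eth1 -d "$EXTIP" -s 217.33.150.220 -p udp --sport 53 -j ACCEPT
"$IPTABLES" -A INPUT -i eth1 -d "$EXTIP" -s 217.33.150.221 -p tcp --sport 53 -j ACCEPT
"$IPTABLES" -A INPUT -i eth1 -d "$EXTIP" -s 217.33.150.221 -p udp --sport 53 -j ACCEPT

# Allow FTP from anywhere: the control channel on 21, and the data
# connections (active on 20, passive on high ports) only once conntrack
# has tied them to a control session.
"$IPTABLES" -A INPUT -i eth1 -d "$EXTIP" -p tcp --dport 21 -j ACCEPT
"$IPTABLES" -A INPUT -i eth1 -d "$EXTIP" -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i eth1 -d "$EXTIP" -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else arriving on the external interface; the DROP policy
# then discards it. Rate-limit the log so that a flood of unwanted packets
# cannot fill the disk.
"$IPTABLES" -A INPUT -i eth1 -d "$EXTIP" -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "

# Show the resulting rule set.
"$IPTABLES" -L -n -v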
Source from: http://www.thedumbterminal.co.uk/config/