search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
updated on Wed Jan 18 08:00:29 UTC 2012
[aur-mirror.git] / sova / iptables2
blob798a41ac28f07bb154965ad89486e32493d11b91
1 #!/bin/bash
2 #
3 # SOVA iptables2 settings.
4 #
5 # WARNING! Remember to put '$true' in any function you intend to leave empty
6 # (e.g. you don't need to use the 'custom_variables' function)
7 # to make sure the script doesn't break.
8
9 binaries_paths()
10 {
11 ### get full paths
12 # the 'exit 0' binary
13 true="`which true`"
14
15 iptables="`which iptables`"
16 ip6tables="`which ip6tables`"
17 }
18
19 custom_variables()
20 {
21 # define whatever you need here
22
23 ext_int=(eth0)
24 }
25
26 start_iptables()
27 {
28 ### init part
29 # clear tables
30 $iptables --flush
31 $iptables -t nat --flush
32 $iptables -t mangle --flush
33
34 #$ip6tables --flush
35 #$ip6tables -t mangle --flush
36
37 $iptables --delete-chain
38 $iptables -t mangle --delete-chain
39
40 ## install default policies
41 # for IPv4
42 $iptables --policy INPUT ACCEPT
43 $iptables --policy OUTPUT ACCEPT
44 $iptables --policy FORWARD DROP
45
46 $iptables -t nat --policy PREROUTING ACCEPT
47 $iptables -t nat --policy POSTROUTING ACCEPT
48
49 # for IPv6
50 #$ip6tables --policy INPUT DROP
51 #$ip6tables --policy OUTPUT DROP
52 #$ip6tables --policy FORWARD DROP
53
54 ### firewall part
55 # allow traffic to/from the loopback interface (IPv4 and IPv6)
56 $iptables -A INPUT -i lo -j ACCEPT
57 $iptables -A OUTPUT -o lo -j ACCEPT
58
59 #$ip6tables -A INPUT -i lo -j ACCEPT
60 #$ip6tables -A OUTPUT -o lo -j ACCEPT
61
62 # drop invalid packets immediately
63 $iptables -A INPUT -m state --state INVALID -j DROP
64 $iptables -A FORWARD -m state --state INVALID -j DROP
65 $iptables -A OUTPUT -m state --state INVALID -j DROP
66
67 # ping-flood defense (this machine)
68 $iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
69 $iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
70 $iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
71 $iptables -A INPUT -p icmp -j DROP
72
73 # reject packets from RFC1918 class networks (i.e., spoofed)
74 for ctr1 in $ext_int
75 do
76 $iptables -A INPUT -i $ctr1 -s 10.0.0.0/8 -j DROP
77 $iptables -A INPUT -i $ctr1 -s 169.254.0.0/16 -j DROP
78 $iptables -A INPUT -i $ctr1 -s 172.16.0.0/12 -j DROP
79 $iptables -A INPUT -i $ctr1 -s 127.0.0.0/8 -j DROP
80 $iptables -A INPUT -i $ctr1 -s 224.0.0.0/4 -j DROP
81 $iptables -A INPUT -i $ctr1 -d 224.0.0.0/4 -j DROP
82 $iptables -A INPUT -i $ctr1 -s 240.0.0.0/5 -j DROP
83 $iptables -A INPUT -i $ctr1 -d 240.0.0.0/5 -j DROP
84 $iptables -A INPUT -i $ctr1 -s 0.0.0.0/8 -j DROP
85 $iptables -A INPUT -i $ctr1 -d 0.0.0.0/8 -j DROP
86 $iptables -A INPUT -i $ctr1 -d 239.255.255.0/24 -j DROP
87 $iptables -A INPUT -i $ctr1 -d 255.255.255.255 -j DROP
88 done
89
90 # drop bogus TCP packets
91 $iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
92 $iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
93
94 # smurf defense
95 $iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit \
96 --limit 2/second --limit-burst 2 -j ACCEPT
97 $iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
98
99 # SYN flood defense
100 $iptables -A INPUT -m state --state NEW -p tcp -m tcp \
101 --syn -m recent --name synflood --set
102 $iptables -A INPUT -m state --state NEW -p tcp -m tcp \
103 --syn -m recent --name synflood --update --seconds 1 \
104 --hitcount 60 -j DROP
105 }
106
107 stop_iptables()
108 {
109 ### flush everyting out
110 $iptables --flush
111 $iptables -t nat --flush
112 $iptables -t mangle --flush
113
114 #$ip6tables --flush
115 #$ip6tables -t mangle --flush
116 }
117
118 # EOF
119
AUR mirror