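#!/bin/sh
#
# Simple stateful NAT firewall for a two-interface Linux gateway.
#
# Install: edit the interface/network settings below, make the script
# executable and put it in /usr/local/sbin.  On Debian, add
#
#     up   /usr/local/sbin/iptables
#     down /usr/local/sbin/iptables off
#
# under your external interface in /etc/network/interfaces.  That's all.
#
# Usage:
#     iptables        load the rules (re-runnable: existing rules are flushed first)
#     iptables off    flush everything and reset all policies to ACCEPT
#
# NOTE: installed under the name "iptables" in /usr/local/sbin, this script
# is found on root's PATH *before* the real binary (Debian puts
# /usr/local/sbin first), so every rule below runs the real binary through
# $IPT by absolute path -- a bare "iptables" would re-invoke this script.

set -u

# internal (LAN) interface and network
INTIF="eth1"
INTNET="10.0.0.0/16"

# external (internet) interface
EXTIF="eth0"

# absolute path to the real iptables binary (see NOTE above); on merged-usr
# systems /sbin is a symlink to /usr/sbin, so this keeps working there
IPT="/sbin/iptables"

# Public address of the external interface, read from the interface itself
# instead of from a remote "what is my IP" web page: that lookup ran over
# plain HTTP, so anything on the path could have handed us an arbitrary
# address for the SNAT rule, and a failed lookup left EXTIP empty and the
# NAT rule broken.  An empty value here only means "no address yet" (e.g.
# DHCP still negotiating); the NAT rule below then falls back to MASQUERADE,
# which picks the interface address at packet time.
EXTIP="$(ip -4 -o addr show dev "$EXTIF" scope global 2>/dev/null \
  | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }')"

# anything except "off" loads the rules; ${1-} keeps "set -u" happy when the
# script is started without an argument
if [ "${1-}" != "off" ]; then
  # ---- kernel hardening ----------------------------------------------------
  # SYN cookies: keep the listen queue usable under a SYN flood
  if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  fi
  # reverse-path filter: drop packets whose source address is not routable
  # back out the interface they arrived on (cheap anti-spoofing)
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  fi
  # forwarding between interfaces (internet connection sharing)
  if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
  fi

  # ---- start from empty tables so the script can be re-run -----------------
  # (a second run used to fail at "-N BLOCKLOG" because the chain existed;
  # "-X" is best-effort here since the chain may not exist yet)
  "$IPT" -F
  "$IPT" -t nat -F
  "$IPT" -X BLOCKLOG 2>/dev/null

  # ---- default policies ----------------------------------------------------
  # drop inbound packets unless they're covered by another rule
  "$IPT" -P INPUT DROP
  # allow outbound packets unless they're covered by another rule
  "$IPT" -P OUTPUT ACCEPT
  # drop forwarded packets unless they're covered by another rule
  "$IPT" -P FORWARD DROP

  # ---- block & log chain ---------------------------------------------------
  # rate-limited so a flood cannot fill the log; the prefix makes these
  # entries easy to find in syslog
  "$IPT" -N BLOCKLOG
  "$IPT" -A BLOCKLOG -m limit --limit 2/s -j LOG --log-prefix "BLOCKLOG: "
  "$IPT" -A BLOCKLOG -j DROP

  # ---- INPUT: traffic addressed to the gateway itself ----------------------
  # allow all internal and loopback traffic
  "$IPT" -A INPUT -i "$INTIF" -j ACCEPT
  "$IPT" -A INPUT -i lo -j ACCEPT
  # log and drop packets claiming an internal source but arriving from outside
  # "$IPT" -A INPUT -s "$INTNET" -i "$EXTIF" -j BLOCKLOG
  # log and drop packets that connection tracking cannot classify
  "$IPT" -A INPUT -m state --state INVALID -i "$EXTIF" -j BLOCKLOG
  # allow replies to connections this host initiated
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -i "$EXTIF" -j ACCEPT
  # allow new connections arriving on any interface except the external one
  # ("! -i" is the current negation syntax; the old "-i ! eth0" form is gone)
  "$IPT" -A INPUT -m state --state NEW ! -i "$EXTIF" -j ACCEPT

  # drop list (noisy NetBIOS traffic) -- uncomment to keep it out of the log
  # "$IPT" -A INPUT -p udp --dport 137 -i "$EXTIF" -j DROP
  # "$IPT" -A INPUT -p udp --dport 138 -i "$EXTIF" -j DROP

  # allow the ICMP types needed for path-MTU discovery and traceroute replies
  "$IPT" -A INPUT -p icmp --icmp-type destination-unreachable -i "$EXTIF" -j ACCEPT
  "$IPT" -A INPUT -p icmp --icmp-type time-exceeded -i "$EXTIF" -j ACCEPT

  # add other custom rules here

  ## ALLOW list -- services this host exposes to the internet
  # bittorrent - accept all incoming tcp and udp packets on these ports
  "$IPT" -A INPUT -p tcp --dport 6999:7009 -j ACCEPT
  "$IPT" -A INPUT -p udp --dport 6999:7009 -j ACCEPT
  # ftp - accept all incoming tcp packets on the standard ftp ports
  "$IPT" -A INPUT -p tcp --dport 20:21 -j ACCEPT
  # ftp pasv - the range my ftpd is configured to use for passive transfers
  "$IPT" -A INPUT -p tcp --dport 25000:26000 -j ACCEPT
  # sshd - the port my sshd is configured to use
  "$IPT" -A INPUT -p tcp --dport 2222 -j ACCEPT
  # gnump3d - the port my gnump3d is configured to use
  "$IPT" -A INPUT -p tcp --dport 8888 -j ACCEPT

  # reject (instead of silently dropping) all other incoming packets
  # "$IPT" -A INPUT -i "$EXTIF" -j REJECT

  # ---- FORWARD / NAT: traffic passing through the gateway ------------------
  # packets from the internal network are forwarded to the external network
  "$IPT" -A FORWARD -i "$INTIF" -s "$INTNET" -j ACCEPT
  # replies for existing connections are forwarded
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # internal traffic leaving on the external interface is source-NATed:
  # SNAT to the known address when we have one, MASQUERADE otherwise
  if [ -n "$EXTIP" ]; then
    "$IPT" -t nat -A POSTROUTING -s "$INTNET" -o "$EXTIF" -j SNAT --to-source "$EXTIP"
  else
    "$IPT" -t nat -A POSTROUTING -s "$INTNET" -o "$EXTIF" -j MASQUERADE
  fi
  # everything else is blocked and logged
  "$IPT" -A FORWARD -j BLOCKLOG

else
  # "off": open the policies first and flush afterwards, so traffic is not
  # dropped by a DROP policy during the moment the chains are already empty
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -F
  "$IPT" -t nat -F
  "$IPT" -X BLOCKLOG 2>/dev/null
fi

# connection-tracking table size: lots of connections!
# newer kernels moved this knob from ipv4/ip_conntrack_max to
# netfilter/nf_conntrack_max, so write whichever one exists (the original
# wrote the old path unconditionally and errored on current kernels)
for f in /proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/ipv4/ip_conntrack_max; do
  if [ -e "$f" ]; then
    echo 8192 > "$f"
    break
  fi
done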