How to install this firewall
Edit the /etc/rc.local file and add the full path to this script to it,
e.g. /home/user/myscripts/firewall.sh
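#!/usr/bin/env bash
# Sample firewall for Linux boxes (iptables with the "state" match).
#
# Installation: add the full path of this script to /etc/rc.local so it runs
# at boot. It must run as root (it writes /proc/sys and calls iptables).
#
# Ordering rules for the INPUT chain:
#   * the catch-all DROP is appended LAST, so every ACCEPT/REJECT above it is
#     actually reachable (inserting by numeric position, e.g. `-I INPUT 19`,
#     is brittle: a rule that lands after the final DROP is dead code);
#   * the SSH ACCEPT for the admin address precedes the SSH REJECT.
#
# NOTE(review): the original used Unicode en-dashes ("–dport", "–flush",
# "–policy", "–state") instead of the ASCII "--" that iptables parses; those
# invocations would be rejected as unknown options. All are fixed here.

set -u   # not -e: aborting half-way would leave the box without a firewall

readonly IPT=/sbin/iptables
# Only this address may open NEW SSH sessions; every other source is rejected.
# Override with ADMIN_IP=... in the environment. Verify it before running this
# on a remote host — a wrong value locks you out of SSH.
readonly ADMIN_IP=${ADMIN_IP:-123.233.43.174}

#######################################
# Allow NEW inbound connections to one port.
# Arguments: $1 - protocol (tcp|udp), $2 - destination port
#######################################
allow_in() {
  "$IPT" -A INPUT -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

# Connection-tracking helper so passive FTP data channels are seen as RELATED.
/sbin/modprobe ip_conntrack_ftp

# Kernel hardening knobs (all under /proc/sys/net/ipv4)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # ignore ICMP echo sent to broadcast/multicast
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route  # drop source-routed packets
echo 1 > /proc/sys/net/ipv4/tcp_syncookies               # TCP SYN-cookie (SYN flood) protection
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects     # don't accept ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects       # don't send ICMP redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter            # reverse-path filter (source-spoofing protection)

# Start from an empty filter table.
"$IPT" --flush

# Loopback traffic is always allowed.
"$IPT" -A INPUT  -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Default-deny inbound and forwarded traffic. OUTPUT keeps its ACCEPT policy
# (the line stays commented out, as in the original).
"$IPT" --policy INPUT   DROP
#"$IPT" --policy OUTPUT DROP
"$IPT" --policy FORWARD DROP

# Replies to connections already accepted bypass the rules below; all
# outbound traffic is allowed.
"$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED     -j ACCEPT
"$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# SSH (22): only from ADMIN_IP. 0.0.0.0/0 means "any source"; a bare 0.0.0.0
# would match only that single address, which is what the original did.
"$IPT" -A INPUT -s "$ADMIN_IP" -p tcp --dport 22 -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -s 0.0.0.0/0   -p tcp --dport 22 -j REJECT

# HTTP / HTTPS
allow_in tcp 80
allow_in tcp 443
# DNS
allow_in udp 53
allow_in tcp 53
# TFTP (69) — unauthenticated file transfer; remove these two lines if this
# host is not meant to serve TFTP. (The original listed them under "dns".)
allow_in udp 69
allow_in tcp 69
# SMTP, POP3, IMAP
allow_in tcp 25
allow_in tcp 110
allow_in tcp 143
# NTP
allow_in udp 123
# FTP control/data (21/20); passive data connections are accepted as RELATED
# thanks to ip_conntrack_ftp
allow_in tcp 20
allow_in tcp 21
# MySQL (3306); udp kept from the original, although MySQL only listens on tcp
allow_in tcp 3306
allow_in udp 3306
# Ventrilo voice server
allow_in tcp 3784

# Everything else inbound is dropped. This MUST remain the last INPUT rule;
# append further ACCEPT rules above it rather than after it.
"$IPT" -A INPUT -j DROP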
You can insert a rule at a specific position with:
/sbin/iptables -I INPUT 12 -s 539.43.443.154 -p tcp --dport ssh -j ACCEPT
Here, the rule is inserted at position 12 of the INPUT chain in the filter table.