Sample Firewall for a Linux server

How to install this firewall

Save the script, make it executable (chmod +x), and add its full path to /etc/rc.local so it is applied at boot (it must run as root, since it writes to /proc/sys and calls iptables).

Eg: /home/user/myscripts/firewall.sh

#!/bin/sh
# Sample firewall for Linux boxes

# Fix for passive FTP connection tracking
/sbin/modprobe ip_conntrack_ftp

# Drop ICMP echo request messages sent to multicast or broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie (DoS) protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection (reverse path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Flush all chains
/sbin/iptables --flush

# Allow all loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Set default policies to drop all traffic
/sbin/iptables --policy INPUT DROP
#/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

# Allow previously initiated and accepted exchanges to bypass rule checking
# Allow all outbound traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) traffic
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow incoming port 80 and 443 (http/s) traffic
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow incoming port 53 (udp/tcp) DNS traffic
/sbin/iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

# Allow incoming port 69 (udp/tcp) TFTP traffic
/sbin/iptables -A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT

# Allow incoming port 25 (tcp) SMTP traffic
/sbin/iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

# Allow incoming port 110 (tcp) POP3 traffic
/sbin/iptables -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

# Allow IMAP (port 143)
/sbin/iptables -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

# Allow incoming port 123 (udp) NTP traffic
/sbin/iptables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

# Allow incoming ports 20 and 21 (tcp) FTP traffic
/sbin/iptables -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

# Allow incoming port 3306 (udp/tcp) MySQL traffic
/sbin/iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 3306 -m state --state NEW -j ACCEPT

# Drop all other inbound traffic
/sbin/iptables -A INPUT -j DROP

# Open the port for the Ventrilo VoIP server. The catch-all DROP above is
# rule 18 of the INPUT chain, so anything appended with -A after it would never
# match; insert the rule at position 18 so it lands in front of the DROP
# (which then becomes rule 19).
/sbin/iptables -I INPUT 18 -p tcp --dport 3784 -m state --state NEW -j ACCEPT

# Open the SSH connection to one specified IP only: put the per-host ACCEPT in
# front of the general port 22 rule (rule 3) and reject every other source
# right after it, so the rule that allowed SSH from anywhere is no longer reached.
/sbin/iptables -I INPUT 3 -s 123.233.43.174 -p tcp --dport ssh -j ACCEPT
# Remove all access from other IPs (0.0.0.0/0 matches any source address)
/sbin/iptables -I INPUT 4 -s 0.0.0.0/0 -p tcp --dport ssh -j REJECT

Instead of appending with -A, you can insert a rule at a given position with -I, for example:

/sbin/iptables -I INPUT 12 -s 203.0.113.10 -p tcp --dport ssh -j ACCEPT

Here a rule is inserted as rule number 12 of the INPUT chain in the filter table; the rule that was at position 12, and every rule after it, moves down one place. (203.0.113.10 stands for the trusted client address and is taken from the documentation address range.)
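Because the chain ends in a catch-all DROP, rule order decides whether a later ACCEPT ever sees a packet. The following script is an added example, not part of the original post: it reads an "iptables -S INPUT" listing, reports the rule number of the catch-all (which is the position to use with -I) and lists every rule stuck behind it. The listing it parses here is constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an INPUT chain listing
# ("iptables -S INPUT" output) for rules that can never match because they sit
# after the catch-all "-A INPUT -j DROP", which is what happens to any ACCEPT
# appended with -A once that rule exists. SAMPLE is constructed so this runs
# offline; on a live host call: audit_chain "$(iptables -S INPUT)"

SAMPLE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3784 -j ACCEPT
-A INPUT -s 123.233.43.174/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# 1-based number of the first catch-all rule (no match options, so the third
# field is already "-j", with target DROP or REJECT); 0 if none. "-P" policy
# lines are not rules and are not counted.
catchall_index() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" { n++ }
        $1 == "-A" && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") {
            print n; found = 1; exit }
        END { if (!found) print 0 }'
}

# Every rule after the first catch-all, prefixed with its rule number.
dead_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" { n++; if (dead) print n ": " $0 }
        $1 == "-A" && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { dead = 1 }'
}

# Count of unreachable rules; 0 means the chain is in order.
dead_rule_count() {
    dead_rules "$1" | awk 'END { print NR }'
}

audit_chain() {
    idx=$(catchall_index "$1")
    if [ "$idx" -eq 0 ]; then
        echo "no catch-all DROP/REJECT in chain"; return 0
    fi
    echo "catch-all is rule $idx: add ACCEPT rules with 'iptables -I INPUT $idx ...'"
    dead_rules "$1" | sed 's/^/unreachable: rule /'
}

audit_chain "$SAMPLE"
```

On the sample the catch-all is rule 5 and the two rules appended after it (the Ventrilo port and the per-host SSH accept) are reported as unreachable.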
