Private paste #68850: Firewall Script (Part 3)

#!/bin/sh

IPT=/sbin/iptables

#flush rules and delete user chains in both tables so the script can be re-run
#(without -X, the later -N SERVICES fails with "Chain already exists")

$IPT -F
$IPT -X
$IPT -t nat -F

#policies

$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT



$IPT -N SERVICES

#drop spoofed packets (loopback source on a non-loopback interface);
#the "!" goes before the option, "--in-interface ! lo" is the old deprecated form

$IPT -A INPUT ! --in-interface lo --source 127.0.0.0/8 -j DROP

#limit ping requests to 1/second (burst of 5); excess echo-requests fall through
#to the INPUT DROP policy, other ICMP is handled by the RELATED state rule

$IPT -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

#drop bogus packets (packets conntrack cannot associate with any connection)

$IPT -A INPUT   -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT  -m state --state INVALID -j DROP

#TCP flag combinations that never occur in a legitimate handshake
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

#allowed inputs

$IPT -A INPUT --in-interface lo -j ACCEPT

#allow responses; this comes before the SERVICES jump so packets of
#already-accepted flows do not walk the SERVICES chain on every packet

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#everything else is checked against SERVICES; what it does not accept hits the DROP policy

$IPT -A INPUT -j SERVICES


#allow services (SSH and the web service on 8080 from anywhere)

$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8080 -j ACCEPT

#printing (port 631) only from the LAN

$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 631 -j ACCEPT

$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p udp --dport 631 -j ACCEPT


#redirect incoming port 80 to the local service on 8080; redirected packets are
#delivered locally, so they pass through INPUT (and SERVICES), not FORWARD

$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

#only relevant if this host forwards for other machines (ip_forward enabled)
$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT
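The script above is loaded blind: nothing confirms afterwards that the anti-spoof rule, the INVALID drops and the state rule actually landed where intended. The following is an added example, not part of the paste, that audits an `iptables-save` style dump for exactly those properties, including the rule-order point (the SERVICES jump placed before the ESTABLISHED,RELATED accept). Both dumps are constructed for the example and mirror the pasted ruleset; on a real host you would pipe in the output of `iptables-save` instead.

```shell
#!/bin/sh
# Added example (not from the original paste): audit an iptables-save style
# dump for the properties the firewall script tries to establish.
# Both dumps below are CONSTRUCTED; on a real host feed `iptables-save` output.

# Mirrors the order in the pasted script: the SERVICES jump precedes the
# ESTABLISHED,RELATED accept, so every packet of every flow walks SERVICES first.
SAMPLE_AS_POSTED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j SERVICES
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A SERVICES -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Same ruleset with the state rule moved ahead of the SERVICES jump.
SAMPLE_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j SERVICES
-A SERVICES -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# chain_policy DUMP CHAIN: print the default policy of CHAIN ("-" for user chains).
chain_policy() {
    printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2; exit }'
}

# rule_index DUMP CHAIN PATTERN: print the 1-based position of the first rule
# appended to CHAIN whose text contains PATTERN, or 0 when no rule matches.
rule_index() {
    printf '%s\n' "$1" | awk -v chain="$2" -v pat="$3" '
        $1 == "-A" && $2 == chain {
            n++
            if (index($0, pat) > 0) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

AUDIT_STATUS=0
report_fail() { echo "FAIL: $1"; AUDIT_STATUS=1; }

# audit_ruleset DUMP: print findings; return 0 if clean, 1 otherwise.
audit_ruleset() {
    rs=$1
    AUDIT_STATUS=0
    [ "$(chain_policy "$rs" INPUT)" = "DROP" ]   || report_fail "INPUT default policy is not DROP"
    [ "$(chain_policy "$rs" FORWARD)" = "DROP" ] || report_fail "FORWARD default policy is not DROP"
    [ "$(rule_index "$rs" INPUT '-s 127.0.0.0/8 -j DROP')" -gt 0 ] \
        || report_fail "no drop for spoofed 127.0.0.0/8 sources"
    [ "$(rule_index "$rs" INPUT '--state INVALID -j DROP')" -gt 0 ] \
        || report_fail "no drop for INVALID conntrack state"
    est=$(rule_index "$rs" INPUT '--state ESTABLISHED,RELATED -j ACCEPT')
    svc=$(rule_index "$rs" INPUT '-j SERVICES')
    if [ "$est" -eq 0 ]; then
        report_fail "no ESTABLISHED,RELATED accept rule in INPUT"
    elif [ "$svc" -gt 0 ] && [ "$svc" -lt "$est" ]; then
        report_fail "SERVICES jump (rule $svc) precedes ESTABLISHED,RELATED accept (rule $est)"
    fi
    return $AUDIT_STATUS
}

# Demo run over both constructed dumps.
echo "== as posted =="; audit_ruleset "$SAMPLE_AS_POSTED" && echo "clean"
echo "== fixed ==";     audit_ruleset "$SAMPLE_FIXED" && echo "clean"
```

The checks are substring matches against the normalised text `iptables-save` emits, so they are independent of which spelling (`-i` vs `--in-interface`, `! -i lo` vs the deprecated `-i ! lo`) the loading script used; the order check is the one a hand inspection of `iptables -L` most easily misses.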
