bulix.org / pastebin

Private paste #68850: Firewall Script (Part 3)

#!/bin/sh

IPT=/sbin/iptables

$IPT -F

#policies

$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT



$IPT -N SERVICES

#drop spoofed packets

$IPT -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP

#limit ping requests

$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

#drop bogus packets

iptables -A INPUT   -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT  -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

#allowed inputs

$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -j SERVICES

#allow responses

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#allow services

$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8080 -j ACCEPT

$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 631 -j ACCEPT

$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p udp --dport 631 -j ACCEPT


$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT

New paste

About this pastebin

Welcome to the bulix.org / pastebin. Please don't use this pastebin for illegal purposes, defamation or kitten-squashing.

This pastebin is written using PHP and MySQL and relies on Alex Gorbatchev's syntax hhighlighter (JavaScript based). To avoid spam, you will be required to complete a small mathematical challenge when adding a new paste.

New! Try the pastebin command-line tool: paste.py (requires Python and python-beautifulsoup).

30 more recent public pastes

#	Title	Type	Date
1	Untitled C paste by 77.104.192.100	C	02 Sep 2010, 16:52
2	Untitled Visual Basic paste by 187.7.138.176	Visual Basic	02 Sep 2010, 16:36
3	Untitled Ruby paste by 217.9.0.179	Ruby	02 Sep 2010, 15:42
4	whywhywhy	C	02 Sep 2010, 15:15
5	Untitled Javascript paste by 134.184.43.109	Javascript	02 Sep 2010, 14:41
6	Untitled Bash paste by 158.42.126.237	Bash	02 Sep 2010, 14:32
7	Untitled C paste by 184.75.34.234	C	02 Sep 2010, 14:24
8	Untitled Perl paste by 155.253.6.151	Perl	02 Sep 2010, 14:22
9	Untitled Ruby paste by 58.215.81.151	Ruby	02 Sep 2010, 14:14
10	Untitled SQL paste by 98.190.244.179	SQL	02 Sep 2010, 13:55
11	Untitled C paste by 85.18.126.106	C	02 Sep 2010, 13:40
12	Untitled C++ paste by 187.111.15.230	C++	02 Sep 2010, 11:00
13	Untitled SQL paste by 85.254.213.163	SQL	02 Sep 2010, 10:58
14	Untitled Ruby paste by 89.232.63.173	Ruby	02 Sep 2010, 10:47
15	Untitled Visual Basic paste by 74.50.59.175	Visual Basic	02 Sep 2010, 09:40
16	Untitled Perl paste by 202.14.181.11	Perl	02 Sep 2010, 09:04
17	Untitled PHP paste by 61.181.246.205	PHP	02 Sep 2010, 08:52
18	Untitled Bash paste by 174.138.160.29	Bash	02 Sep 2010, 08:43
19	AdultFriendFinder Report	ASCII	02 Sep 2010, 06:56
20	Untitled PHP paste by 183.91.87.16	PHP	02 Sep 2010, 03:56
21	Untitled Javascript paste by 81.227.80.35	Javascript	02 Sep 2010, 03:21
22	Untitled Lua paste by 218.201.21.182	Lua	02 Sep 2010, 01:58
23	Untitled C# paste by 79.98.27.109	C#	02 Sep 2010, 01:41
24	Untitled SQL paste by 200.184.84.133	SQL	02 Sep 2010, 00:41
25	Untitled C# paste by 173.61.246.36	C#	01 Sep 2010, 23:24
26	Untitled Visual Basic paste by 121.135.192.120	Visual Basic	01 Sep 2010, 23:07
27	Untitled C# paste by 190.30.88.228	C#	01 Sep 2010, 21:05
28	Untitled Css paste by 85.9.50.182	Css	01 Sep 2010, 19:53
29	Untitled C paste by 65.46.53.202	C	01 Sep 2010, 19:41
30	Untitled Ruby paste by 201.192.75.42	Ruby	01 Sep 2010, 18:44