mirror of
https://gitlab.archlinux.org/tpowa/archboot.git
synced 2024-09-19 19:40:37 +02:00
71 lines
2.2 KiB
Bash
71 lines
2.2 KiB
Bash
#!/bin/sh
|
|
#
|
|
# firewall-masq This script sets up firewall rules for a machine
|
|
# acting as a masquerading gateway
|
|
#
|
|
# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
|
|
# be distributed under the terms of the GNU General Public License, version
|
|
# 2 or any later version.
|
|
# LIC: GPL
|
|
|
|
# Interface to Internet
|
|
EXTIF=ppp+
|
|
|
|
# NAT-Tables are different, so we can use ACCEPT everywhere (?)
|
|
iptables -t nat -P PREROUTING ACCEPT
|
|
iptables -t nat -P OUTPUT ACCEPT
|
|
iptables -t nat -P POSTROUTING ACCEPT
|
|
|
|
# Flush the NAT-Table
|
|
iptables -t nat -F
|
|
|
|
iptables -t filter -P INPUT DROP
|
|
iptables -t filter -F
|
|
|
|
# Allow incoming SSH
|
|
#iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
|
|
|
|
# Log & Deny the rest of the privileged ports
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG
|
|
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
|
|
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
|
|
|
|
# Log & Deny NFS
|
|
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j LOG
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j LOG
|
|
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j DROP
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j DROP
|
|
|
|
# Log & Deny X11
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j LOG
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j DROP
|
|
|
|
# Log & Deny XFS
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j LOG
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j DROP
|
|
|
|
# Deny TCP connection attempts
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j LOG
|
|
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j DROP
|
|
|
|
# Deny ICMP echo-requests
|
|
iptables -t filter -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP
|
|
|
|
# Do masquerading
|
|
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
|
|
|
|
# Enable forwarding
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
|
|
# no IP spoofing
|
|
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
|
|
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
|
echo 1 > $i
|
|
done
|
|
fi
|
|
|
|
# Disable Source Routed Packets
|
|
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
|
|
echo 0 > $i
|
|
done
|