#!/bin/bash
#
# iptables.rules - configuration for iptables
#
# This is appropriate for protecting a single workstation.
#
# The script could be a lot more rigorous, e.g., only allow
# selected outbound ports rather than allowing all outbound
# traffic, use REJECT rather than DROP, etc.  However, the
# goal of this script was to provide some protection for ports
# while minimizing the number of checks made on each packet.
#
# Note: this script configures IPv4 (iptables) only.  It does not
# touch ip6tables, so on a host with IPv6 enabled, IPv6 traffic is
# not filtered by these rules at all.
#
# Uncomment the lines that suit your needs.  Hopefully, the
# comments are decent enough that you know what the various
# rules do.
#
# You need to chmod this script to make it executable.
# It should be owned by root and readable/executable only by
# root (e.g. chmod 700); it has to run as root anyway, since it
# writes to /proc/sys and calls iptables.
#
# I've only used this script on Red Hat 7.1 - use at your
# own risk!
#
# m-woo@uiuc.edu 29 June 2001
# 1st revision 12 Feb 2002 - added modprobe for ip_conntrack_ftp
#
# Modified to work with Slackware Linux 9.0
# Captain Kirk 
#
# Also added some more rigorous rules and optional reset foo
#

## Network interface to protect.  It is usually eth0.  The default
## can be overridden without editing the file:
##     ETH=eth1 ./iptables.rules
ETH=${ETH:-eth0}

## Location of the iptables binary.  The original (Red Hat) version
## of this script used /sbin/iptables; the Slackware port uses
## /usr/sbin/iptables.  Check with "command -v iptables" and either
## edit the default or override it:  IPT=/sbin/iptables ./iptables.rules
IPT=${IPT:-/usr/sbin/iptables}

## Check to see if the ip_tables module has been loaded.
## If not, load the module.  Uncomment to use this.
## Note: insmod expects a file path and does not resolve module
## dependencies; on a modular kernel "modprobe ip_tables" (as is
## already done for ip_conntrack_ftp below) is the more reliable
## call.  ip_conntrack_ftp is the FTP connection-tracking helper
## that lets the RELATED state match accept FTP data connections.

#/sbin/lsmod 2>/dev/null |grep -q ip_tables
#if [ $? -ne 0 ]; then
#        echo "Adding ip_tables module"
#        /sbin/insmod ip_tables
#	/sbin/modprobe ip_conntrack_ftp
#fi

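## First, we set a number of network stack parameters to protect
## against various network-based attacks.
##
## set_sysctl PATH VALUE - write VALUE to the /proc/sys entry PATH.
## If the entry does not exist or is not writable (kernel built
## without that option, or the script is not running as root) a
## warning is printed on stderr and we carry on, so that a single
## missing knob does not leave the firewall half configured.
## Returns 0 in both cases.
set_sysctl() {
  local path=$1
  local value=$2
  if [ -w "$path" ]; then
    printf '%s\n' "$value" > "$path"
  else
    printf 'iptables.rules: warning: cannot write %s (skipped)\n' "$path" >&2
  fi
}

## Try to prevent SYN floods
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1

## Disable response to ICMP broadcasts (smurf-style amplification).
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

## Enable bad error message protection (ignore bogus ICMP errors).
set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1

## Disable IP forwarding - this is a single host, not a router.
set_sysctl /proc/sys/net/ipv4/ip_forward 0

## The per-interface conf/* settings are combined by the kernel
## from conf/all/ and the interface's own value, and the rule for
## combining them depends on the setting and on the kernel version
## (e.g. with forwarding off, accept_redirects is in effect if
## EITHER conf/all/ OR the interface value is 1 - and 1 is the
## interface default; older kernels AND the two rp_filter values).
## Writing conf/all/ alone can therefore have no effect, so we set
## all/, default/ (for interfaces that appear later) and the
## protected interface itself.
for iface in all default "$ETH"; do
  ## Reject source-routed packets.
  set_sysctl "/proc/sys/net/ipv4/conf/$iface/accept_source_route" 0
  ## Disable ICMP redirect acceptance.
  set_sysctl "/proc/sys/net/ipv4/conf/$iface/accept_redirects" 0
  ## Enable reverse path filtering (anti-spoofing).
  set_sysctl "/proc/sys/net/ipv4/conf/$iface/rp_filter" 1
  ## Log spoofed packets, source-routed packets, redirect packets.
  set_sysctl "/proc/sys/net/ipv4/conf/$iface/log_martians" 1
done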

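## Now we start using iptables...

## Refuse to continue if the iptables binary is not where $IPT says.
## Otherwise every rule below fails with "command not found" and the
## host is left with whatever rules were loaded before.
if [ ! -x "$IPT" ]; then
  printf 'iptables.rules: %s is not executable - check IPT\n' "$IPT" >&2
  exit 1
fi

## Flush chains, clear existing chains, zero counters
"$IPT" -F
"$IPT" -X
"$IPT" -Z

## Default policies: anything not explicitly accepted below is
## dropped.  NOTE: if you run this over ssh, your current session
## should survive (it is ESTABLISHED and accepted further down), but
## NEW ssh connections are dropped unless one of the port-22 rules
## below is enabled.  Run it from the console the first time.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

## Pass all traffic on the loopback interface.  Matching on the
## interface rather than on 127.0.0.0/8 addresses matters: a local
## process connecting to the host's own $ETH address also goes over
## lo, with non-127 source/destination addresses, and would
## otherwise fall through to the DROP policy.
"$IPT" -A INPUT  -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

## Drop all incoming fragments.  (When connection tracking is loaded
## the kernel reassembles fragments before the filter table sees
## them, so this rarely matches; kept as belt-and-braces.)
"$IPT" -A INPUT -i "$ETH" -f -j DROP

## Drop all incoming port 0 traffic (never legitimate).
for proto in tcp udp; do
  "$IPT" -A INPUT -i "$ETH" -p "$proto" --dport 0 -j DROP
  "$IPT" -A INPUT -i "$ETH" -p "$proto" --sport 0 -j DROP
done

## Drop outside packets claiming a loopback source - anti-spoofing
"$IPT" -A INPUT -s 127.0.0.0/255.0.0.0 -i "$ETH" -j DROP

## Allow inbound packets that belong to, or are related to,
## connections we initiated.  This sits before the per-service rules
## so the common case (an established flow) is decided with the
## fewest checks, which is the script's stated goal.  (-m state is
## the original match; on current iptables "-m conntrack --ctstate"
## is the equivalent.)
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -i "$ETH" -j ACCEPT

## Accept ssh traffic from a specific machine with IP x.x.x.x
## replace x.x.x.x with the desired IP
#"$IPT" -A INPUT -p tcp --syn -i "$ETH" -s x.x.x.x --dport 22 -j ACCEPT

## Accept all inbound ssh traffic
#"$IPT" -A INPUT -p tcp --syn -i "$ETH" --dport 22 -j ACCEPT

## Accept all inbound identd.  This only makes sense if an identd
## daemon is actually listening on 113; if it is not, prefer the
## REJECT variant below, which still spares remote servers the
## ident timeout without leaving an accepted port.
"$IPT" -A INPUT -p tcp --syn -i "$ETH" --dport 113 -j ACCEPT
## or you can reject and send back a TCP RST packet instead
#"$IPT" -A INPUT -p tcp -i "$ETH" --dport 113 -j REJECT --reject-with tcp-reset

## Drop outside initiated connections (the DROP policy would catch
## them anyway; this keeps the intent explicit).
"$IPT" -A INPUT -m state --state NEW -i "$ETH" -j DROP

## Drop outbound port 0 traffic
for proto in tcp udp; do
  "$IPT" -A OUTPUT -o "$ETH" -p "$proto" --dport 0 -j DROP
  "$IPT" -A OUTPUT -o "$ETH" -p "$proto" --sport 0 -j DROP
done

## Allow all outbound tcp, udp, icmp traffic with state
"$IPT" -A OUTPUT -o "$ETH" -p tcp  -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -o "$ETH" -p udp  -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -o "$ETH" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT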