Basic iptables configuration
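# url: http://www.rlworkman.net/conf/firewall/rc.firewall.desktop.generic
#
# Minimal stateful firewall for a single-homed desktop: default DROP on the
# three filter chains, loopback allowed, replies to our own connections
# allowed back in, and all outgoing traffic allowed out. If a saved ruleset
# exists at FIREWALL_CONF it is restored instead and the generic rules below
# are skipped.
#
# Must run as root (writes under /proc/sys and calls iptables).

# Define variables
IPT=$(command -v iptables)   # change if needed ('command -v' is POSIX, 'which' is not)
EXT_IF=eth0                  # external interface (connected to internet)
FIREWALL_CONF=/etc/iptables.conf

# Fail loudly if iptables is not installed: otherwise every "$IPT ..." line
# below would expand to a bare "-P INPUT DROP", print "command not found",
# and the script would finish with no firewall loaded at all.
if [ -z "$IPT" ]; then
  echo "iptables not found in PATH; no firewall rules loaded" >&2
  exit 1
fi

# Enable TCP SYN Cookie Protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Disable ICMP Redirect Acceptance (guarded like tcp_syncookies so a kernel
# without the knob does not produce a write error)
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
fi

# Do not send Redirect Messages
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
  echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
fi

# A saved ruleset takes precedence over the generic rules below. The restore
# status is propagated: an unconditional "exit 0" would hide a failed restore
# and leave the kernel's default ACCEPT policies in place while reporting
# success.
if [ -e "$FIREWALL_CONF" ]; then
  if iptables-restore < "$FIREWALL_CONF"; then
    exit 0
  fi
  echo "iptables-restore failed for $FIREWALL_CONF" >&2
  exit 1
fi

# Set default policy to DROP *before* flushing, so there is no window in
# which the chains are empty while the policy is still ACCEPT.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# Flush old rules (filter table only; nat/mangle and user-defined chains are
# not touched here)
"$IPT" -F

# Allow loopback traffic
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Allow packets of established connections and those related to them
"$IPT" -A INPUT -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow all outgoing packets except invalid ones
"$IPT" -A OUTPUT -o "$EXT_IF" -m conntrack --ctstate INVALID -j DROP
"$IPT" -A OUTPUT -o "$EXT_IF" -j ACCEPT

# Allow incoming ssh (uncomment the line below if needed)
#"$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT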