Complete IPTables Firewall Rules
#!/bin/sh -e
# /etc/init.d/firewall-rule.sh : start/stop firewalls
# written by Gabriel L. Briones III
#
FW=`which iptables`
if [ ! "$FW" ]; then
echo
echo "FATAL: Unable to locate iptables, is it installed?"
echo " or you may want to check first your PATH"
echo
echo "unable to continue, exiting ...."
sleep 2
echo
exit 1
fi
INT_IFACE=eth2 # Facing the LAN
DMZ_IFACE=eth1 # Facing the DMZ Network
EXT_IFACE=eth0 # Facing the hardware firewall
LO_IFACE=lo # loop back interface
INT_IP=`ifconfig $INT_IFACE : grep inet : cut -d : -f 2 : cut -d \ -f 1`
DMZ_IP=`ifconfig $DMZ_IFACE : grep inet : cut -d : -f 2 : cut -d \ -f 1`
EXT_IP=`ifconfig $EXT_IFACE : grep inet : cut -d : -f 2 : cut -d \ -f 1`
DMZ_WEB=192.168.0.1
DMZ_EXT_MAIL=192.168.0.3
DMZ_LDAP=192.168.0.1
DMZ_PROXY=192.168.0.4
DMZ_DNS=192.168.0.1
INT_MAIL=131.107.2.6
LAN_IP=131.107.2.0
DMZ_NET=192.168.0.0
case "$1" in
start)
echo -n "Starting Jon's Firewall Rules"
# Set default policy to DROP
$FW -P INPUT DROP
$FW -P OUTPUT DROP
$FW -P FORWARD DROP
# Flush all rules first to make sure that we are starting from scratch
$FW -t nat -F
$FW -t mangle -F
$FW -X
$FW -F
# Explicitly turn off ECN (explicit congestion notification)
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow traffic to loop back interface
$FW -A INPUT -i $LO_IFACE -j ACCEPT
# Spoof protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# SYN Flood protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#The Mangle portion of the ruleset.
#Here is where unwanted packet types get dropped.
#This helps in making port scans against your server
#a bit more time consuming and difficult, but not impossible.
$FW -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
$FW -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$FW -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$FW -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
################## CUSTOM RULES !!!!!!! ##################
$FW -N firewalled
$FW -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$FW -A firewalled -j DROP
$FW -N bad_tcpflags
$FW -A bad_tcpflags -m limit --limit 15/minute -j LOG --log-prefix BAD_TCP_FLAGS:
$FW -A bad_tcpflags -j DROP
###########################################################
################## INPUT CHAIN !!!!!!! ####################
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$FW -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ACK,URG URG -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags RST,FIN RST,FIN -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags SYN,ACK NONE -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags SYN,URG SYN,URG -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL NONE -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL ALL -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN,PSH -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL RST,ACK -m state --state RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN,ACK -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL FIN,ACK -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN,ACK,PSH -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL FIN,PSH,ACK -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j bad_tcpflags
$FW -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j bad_tcpflags
# Allow ESTABLISHED and RELATED connections
$FW -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow some services only
$FW -A INPUT -p tcp --dport 22 -j ACCEPT
#################################################################
################# FORWARD CHAIN !!!!! ###########################
$FW -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow only access to the internal network on the proxy server
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_PROXY -s $LAN_IP/24 --dport 8080 -j ACCEPT
# Allow external packet destined to publicly accessed services like SMTP, HTTP and HTTPS
$FW -A FORWARD -p tcp --dport 22 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s 131.107.2.92/32 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_WEB/32 --dport 80 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_WEB/32 --dport 443 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 --dport 25 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 --dport 80 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 --dport 443 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 --dport 993 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp --dport 80 -s $INT_MAIL/32 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp --dport 443 -s $INT_MAIL/32 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp --dport 21 -s $INT_MAIL/32 -j ACCEPT
# Allow Local networks to access servers on DMZ
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_PROXY --dport 80 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_PROXY --dport 443 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_DNS --dport 53 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p udp -d $DMZ_DNS --dport 53 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 25 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 80 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 443 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 143 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL --dport 993 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_WEB --dport 80 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_WEB --dport 443 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_LDAP --dport 389 -j ACCEPT
# Allow machines on DMZ to access the net for security updates and bug fixes
$FW -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -s $DMZ_EXT_MAIL/32 -j ACCEPT
$FW -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -s $DMZ_PROXY/32 -j ACCEPT
$FW -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -s $DMZ_WEB/32 -j ACCEPT
##################################################################
################ OUTPUT CHAIN !!!!! ##############################
$FW -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$FW -A OUTPUT -o $LO_IFACE -j ACCEPT
$FW -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
$FW -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
###################################################################
for CHAINS in INPUT FORWARD OUTPUT
do
# Allow some icmp packet and DROP the rest
$FW -A $CHAINS -p icmp --icmp-type 0 -j ACCEPT
$FW -A $CHAINS -p icmp --icmp-type 3 -j ACCEPT
$FW -A $CHAINS -p icmp --icmp-type 11 -j ACCEPT
$FW -A $CHAINS -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$FW -A $CHAINS -p icmp -j firewalled
done
# SNAT LAN's IP
$FW -t nat -A POSTROUTING -o $EXT_IFACE -s $DMZ_NET/24 -j SNAT --to $EXT_IP
$FW -t nat -A POSTROUTING -o $EXT_IFACE -s 131.107.2.92/32 -j SNAT --to $EXT_IP
$FW -t nat -A POSTROUTING -o $EXT_IFACE -s $INT_MAIL/32 -j SNAT --to $EXT_IP
# DNAT connections from outside
$FW -t nat -A PREROUTING -i $EXT_IFACE -d 202.164.182.83 -p tcp --dport 80 -j DNAT --to $DMZ_EXT_MAIL
$FW -t nat -A PREROUTING -i $EXT_IFACE -d 202.164.182.83 -p tcp --dport 443 -j DNAT --to $DMZ_EXT_MAIL
$FW -t nat -A PREROUTING -i $EXT_IFACE -d 202.164.182.83 -p tcp --dport 993 -j DNAT --to $DMZ_EXT_MAIL
$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 25 -j DNAT --to $DMZ_EXT_MAIL
$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 80 -j DNAT --to $DMZ_WEB
$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 443 -j DNAT --to $DMZ_WEB
$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp --dport 993 -j DNAT --to $DMZ_WEB
# Layer 7 filterring
$FW -t mangle -A POSTROUTING -m layer7 --l7proto yahoo -j DROP
$FW -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
$FW -t mangle -A POSTROUTING -m layer7 --l7proto msn-filetransfer -j DROP
$FW -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j DROP
$FW -t mangle -A POSTROUTING -m layer7 --l7proto irc -j DROP
echo "."
;;
stop)
echo -n "Flushing Jon's Firewall Rules"
$FW -P INPUT ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT ACCEPT
$FW -t nat -F
$FW -t mangle -F
$FW -F
$FW -X
echo "."
;;
status)
$FW -t nat -L
$FW -t mangle -L
$FW -L
;;
restart)
$0 stop
$0 start
;;
*)
echo 'Usage: /etc/init.d/firewall.rules {start:stop:restart}'
exit 1
esac
exit 0