Configuration with no services supported

Configuration with no services supported is an iptables script for a single-host firewall that supports no services on the firewall machine itself: it forwards filtered traffic between an internal network and the outside and drops everything addressed to the firewall host from outside.
Configuration with no services supported Ranking & Summary

  • License: GPL
  • Price: FREE
  • Publisher Name: khons
  • Publisher web site: http://www.linuxguruz.com/iptables/scripts/rc.firewall_017.txt

Configuration with no services supported Description

The script sets up a single-host firewall for a machine that supports no services itself. The firewall forwards traffic between an internal network (OURNET on OURDEV) and the outside (ANYDEV), drops every datagram addressed to the firewall host from outside, and filters forwarded TCP, UDP and ICMP by the port and type lists in the user-configurable section; anything not matched by an allow rule falls through to the FORWARD chain's DROP policy and is logged if LOGGING is set.

Sample:

#!/bin/sh
##########################################################################
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the iptables utility.
IPTABLES=iptables

# The path searched for the iptables executable; $IPTABLES must be found
# here (on most distributions it lives in /sbin or /usr/sbin).
PATH="/usr/local/sbin"

# Our internal network address space and its supporting network device.
OURNET="10.5.0.0/24"
OURBCAST="10.5.0.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="ppp0"

# The TCP services we wish to allow to pass.
# note: comma separated port numbers or /etc/services names; the rules
# below use multiport, which needs at least one entry, so "" cannot be used
TCPIN="ssh,ftp,ftp-data"
TCPOUT="smtp,www,ssh,telnet,ftp,ftp-data,irc,http"

# The UDP services we wish to allow to pass.
# note: comma separated, at least one entry (see above)
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
##########################################################################

# Flush the forward and input chain rules, so that re-running the script
# does not append a second copy of every rule.
echo -n Flushing forward... && {
    $IPTABLES -F FORWARD
    $IPTABLES -F INPUT
} && echo done

# We want to deny incoming access by default. Without this policy every
# datagram that matches no rule below is forwarded. Target names are
# case-sensitive: "DROP", not "drop".
echo -n Denying incoming access... && {
    $IPTABLES -P FORWARD DROP
} && echo done

# Drop all datagrams destined for this host received from outside.
echo -n Dropping incoming datagrams... && {
    $IPTABLES -A INPUT -i $ANYDEV -j DROP
} && echo done

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
echo -n Preventing spoofing... && {
    $IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP
} && echo done

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
# (Matching -d $OURNET here would drop every inbound ICMP datagram, including
# the types the ICMP rules below are meant to allow.)
echo -n Preventing SMURFs... && {
    $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURBCAST -j DROP
} && echo done

# We should accept fragments, in iptables we must do this explicitly.
# -f matches the second and later fragments, which carry no port header and
# therefore cannot be port-filtered.
echo -n Accepting fragments... && {
    $IPTABLES -A FORWARD -f -j ACCEPT
} && echo done

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95 % of all valid TCP packets.
# "--tcp-flags ACK ACK" matches any segment with ACK set; the inverted form
# "! --tcp-flags SYN,ACK ACK" matches the opposite (SYNs and ACK-less
# segments) and would drop established traffic under a DROP policy.
echo -n Accepting valid incoming tcp datagrams on existing connections... && {
    # data to our published services
    $IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dports $TCPIN \
        --tcp-flags ACK ACK -j ACCEPT
    # replies to connections our hosts opened, from the remote service port
    $IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --sports $TCPOUT \
        --tcp-flags ACK ACK -j ACCEPT
} && echo done
echo -n Accepting valid outgoing tcp datagrams on existing connections... && {
    # replies from our published services
    $IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sports $TCPIN \
        --tcp-flags ACK ACK -j ACCEPT
    # data from our hosts to the remote services they were allowed to reach
    $IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --dports $TCPOUT \
        --tcp-flags ACK ACK -j ACCEPT
} && echo done

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
echo -n Accepting incoming tcp connections on allowed ports... && {
    $IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV -d $OURNET \
        --dports $TCPIN --syn -j ACCEPT
} && echo done

# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed TCP ports.
echo -n Accepting outgoing traffic on allowed tcp ports... && {
    $IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $ANYADDR \
        --dports $TCPOUT --syn -j ACCEPT
} && echo done

# UDP - INCOMING
# Allow UDP datagrams in on the allowed ports and back. The replies leave
# on $OURDEV; a source of $OURNET on $ANYDEV is already dropped by the
# spoofing rule above, so a reply rule on $ANYDEV could never match.
echo -n Allowing UDP datagrams in on the allowed ports and back... && {
    $IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -d $OURNET \
        --dports $UDPIN -j ACCEPT
    $IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -s $OURNET \
        --sports $UDPIN -j ACCEPT
} && echo done

# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back. The
# replies arrive on $ANYDEV from the remote service port.
echo -n Allowing UDP datagrams out on the allowed ports and back... && {
    $IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -d $ANYADDR \
        --dports $UDPOUT -j ACCEPT
    $IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -s $ANYADDR \
        --sports $UDPOUT -d $OURNET -j ACCEPT
} && echo done

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# (--icmp-type takes a single type, so a list such as $ICMPIN needs one
# rule per type; the rules are left disabled as in the original.)
# echo -n Allowing ICMP datagrams in of the allowed types... && {
#     $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET --icmp-type $ICMPIN -j ACCEPT
# } && echo done

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# echo -n Allowing ICMP datagrams out of the allowed types... && {
#     $IPTABLES -A FORWARD -p icmp -i $OURDEV -d $ANYADDR --icmp-type $ICMPOUT -j ACCEPT
# } && echo done

# DoS
# The rate-limit rules below are disabled: appended after every allow rule
# they only ever see traffic that is about to be dropped, and with ACCEPT as
# their target they admit one such datagram per second to any port instead
# of limiting anything. A limiter has to run before the allow rules and
# has to end in DROP (a dedicated chain with "-m limit -j RETURN" followed
# by "-j DROP").
# enabling Syn-flood protection
# echo -n Enabling Syn-flood protection... && {
#     $IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# } && echo done
# Enabling Furtive port scanner protection
# echo -n Enabling Furtive port scanner protection... && {
#     $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# } && echo done
# Enabling ping of death protection
# echo -n Enabling ping of death protection... && {
#     $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# } && echo done

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
    # Log barred TCP
    $IPTABLES -A FORWARD -m tcp -p tcp -j LOG
    # Log barred UDP
    $IPTABLES -A FORWARD -m udp -p udp -j LOG
    # Log barred ICMP (the udp match cannot be combined with -p icmp)
    $IPTABLES -A FORWARD -p icmp -j LOG
fi
#
# end.
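The following is an added example and not part of khons's script: the same single-host forwarding policy (same addresses and service lists as the sample above) rebuilt the way a current iptables ruleset would express it, with connection tracking standing in for the ACK-bit and return-port rules, and the SYN rate limit done as a dedicated chain that is placed before the allow rules and actually drops the excess. The IPTABLES variable, the syn_flood chain name, the 5/s limit and the FWD-DROP log prefix are choices made for this example; by default the functions print each command instead of running it, so the ruleset and its ordering check can be exercised without root.

```shell
#!/bin/sh
# Added example, not khons's rc.firewall_017: the page's single-host policy
# built with conntrack state and a rate-limiting chain that drops the excess.
# IPTABLES defaults to a dry run that prints each command; set
# IPTABLES=/sbin/iptables (as root) to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Same addresses and service lists as the page's sample.
OURNET="10.5.0.0/24"
OURDEV="eth0"
ANYDEV="ppp0"
TCPIN="ssh,ftp,ftp-data"
TCPOUT="smtp,www,ssh,telnet,ftp,ftp-data,irc,http"
UDPIN="domain"
UDPOUT="domain"

build_rules() {
    $IPTABLES -F FORWARD
    # Deny by default. Target names are case-sensitive: "drop" is an error.
    $IPTABLES -P FORWARD DROP

    # Anti-spoofing: our own addresses never arrive on the outside interface.
    $IPTABLES -A FORWARD -i "$ANYDEV" -s "$OURNET" -j DROP

    # SYN rate limit in its own chain (name chosen here), placed BEFORE the
    # allow rules so it sees the SYNs we are about to permit. Within the
    # limit RETURN continues with the normal filters; above it DROP sheds
    # the excess. "-m limit ... -j ACCEPT" with no DROP behind it limits
    # nothing, and appended after the allow rules it would instead admit
    # otherwise-blocked SYNs at the limit rate.
    $IPTABLES -N syn_flood 2>/dev/null || $IPTABLES -F syn_flood
    $IPTABLES -A syn_flood -m limit --limit 5/s --limit-burst 10 -j RETURN
    $IPTABLES -A syn_flood -j DROP
    $IPTABLES -A FORWARD -i "$ANYDEV" -p tcp --syn -j syn_flood

    # Replies and related traffic for connections already allowed, in both
    # directions, decided by the connection tracker rather than by ACK-bit
    # heuristics or per-interface return-port rules.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # New connections only: inbound to the published services, outbound to
    # the permitted ones. Pairing -i with -o pins each rule to one direction.
    $IPTABLES -A FORWARD -i "$ANYDEV" -o "$OURDEV" -d "$OURNET" -p tcp \
        -m multiport --dports "$TCPIN" --syn -j ACCEPT
    $IPTABLES -A FORWARD -i "$OURDEV" -o "$ANYDEV" -s "$OURNET" -p tcp \
        -m multiport --dports "$TCPOUT" --syn -j ACCEPT
    $IPTABLES -A FORWARD -i "$ANYDEV" -o "$OURDEV" -d "$OURNET" -p udp \
        -m multiport --dports "$UDPIN" -j ACCEPT
    $IPTABLES -A FORWARD -i "$OURDEV" -o "$ANYDEV" -s "$OURNET" -p udp \
        -m multiport --dports "$UDPOUT" -j ACCEPT

    # Log what falls through to the DROP policy, rate limited so that a
    # flood cannot fill the log.
    $IPTABLES -A FORWARD -m limit --limit 1/s -j LOG --log-prefix "FWD-DROP "
}

# Ordering check, always run as a dry run whatever IPTABLES is set to: the
# limiter chain must end in DROP, and the jump into it must come before the
# first new-connection ACCEPT, otherwise permitted SYNs bypass the limiter.
check_rules() {
    rules=$(IPTABLES="echo iptables"; build_rules)
    printf '%s\n' "$rules" | grep -q -- '-A syn_flood -j DROP' || return 1
    jump=$(printf '%s\n' "$rules" | grep -n -- '-j syn_flood' | head -n 1 | cut -d: -f1)
    first=$(printf '%s\n' "$rules" | grep -n -- '--syn -j ACCEPT' | head -n 1 | cut -d: -f1)
    [ -n "$jump" ] && [ -n "$first" ] && [ "$jump" -lt "$first" ]
}

# Print (or, with IPTABLES pointing at the binary, apply) the rules once the
# ordering check passes.
check_rules && build_rules
```

Run it as-is to see the generated commands; run it with IPTABLES=/sbin/iptables as root to load them. The `-o` qualifiers and the INVALID drop are the two things the sample script has no counterpart for: without an output interface, a rule written for inbound traffic also matches packets that enter on ANYDEV and leave on ANYDEV, and without conntrack the sample has to guess replies from TCP flags and list return ports per interface.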