SECURITY: How to set up a firewall
From Gentoo Linux Wiki
Rules
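#!/bin/bash
# Minimal stateful IPv4 host firewall (iptables) for a single-homed machine.
#
# What it does, in evaluation order:
#   1. default policy DROP on INPUT and FORWARD (nothing inbound is opened);
#   2. accept loopback and replies to connections this host opened itself;
#   3. log well-known port-scan flag combinations, rate limited;
#   4. log every new inbound connection attempt, rate limited;
#   5. REJECT remaining TCP/UDP on eth0 so legitimate peers fail fast
#      instead of timing out; anything else falls through to the DROP policy.
#
# iptables evaluates a chain top to bottom and stops at the first terminating
# target (ACCEPT/DROP/REJECT), so LOG rules must precede the REJECT rules.
# To offer a service, add an ACCEPT rule for it above the REJECT block.
# IPv6 is untouched: use ip6tables (or nftables) for that. Must run as root.
set -euo pipefail

readonly IPT=/sbin/iptables
# Upper bound on log entries per rule; without it a probe flood fills the disk.
readonly LOG_LIMIT=5/minute

# Clean slate, so re-running the script does not append duplicate rules.
"$IPT" -F INPUT
"$IPT" -F FORWARD
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP

# With a DROP policy, loopback has to be allowed explicitly or local services break.
"$IPT" -A INPUT -i lo -j ACCEPT
# Replies to outbound connections; RELATED also covers ICMP errors and e.g. FTP data.
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- Port-scan signatures --------------------------------------------------
# --tcp-flags MASK COMP matches when, of the flags in MASK, exactly COMP are set.
# A lone SYN is an ordinary connection attempt (logged below), not a scan, so
# there is deliberately no "SYN stealth" rule here.
"$IPT" -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH         -m limit --limit "$LOG_LIMIT" -j LOG --log-level alert --log-prefix "iptables: NMAP-XMAS:"
"$IPT" -A INPUT -p tcp --tcp-flags ALL ALL                 -m limit --limit "$LOG_LIMIT" -j LOG --log-level 1     --log-prefix "iptables: XMAS:"
"$IPT" -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit "$LOG_LIMIT" -j LOG --log-level 1     --log-prefix "iptables: XMAS-PSH:"
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE                -m limit --limit "$LOG_LIMIT" -j LOG --log-level 1     --log-prefix "iptables: NULL_SCAN:"
"$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST         -m limit --limit "$LOG_LIMIT" -j LOG --log-level 5     --log-prefix "iptables: SYN/RST:"
"$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN         -m limit --limit "$LOG_LIMIT" -j LOG --log-level 5     --log-prefix "iptables: SYN/FIN:"

# --- New inbound connection attempts --------------------------------------
# Ports 0-1023 are the privileged/well-known range, 1024-65535 everything else.
# The protocol named in each prefix matches the rule's protocol.
"$IPT" -A INPUT -p tcp -m state --state NEW -m tcp --dport 0:1023     -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "iptables: LOW PORT TCP CON: "
"$IPT" -A INPUT -p udp -m state --state NEW -m udp --dport 0:1023     -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "iptables: LOW PORT UDP CON: "
"$IPT" -A INPUT -p tcp -m state --state NEW -m tcp --dport 1024:65535 -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "iptables: HIGH PORT TCP CON: "
"$IPT" -A INPUT -p udp -m state --state NEW -m udp --dport 1024:65535 -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "iptables: HIGH PORT UDP CON:"
# All ICMP is logged and then dropped by the policy, so this host does not
# answer ping. To allow it, add `-p icmp --icmp-type echo-request -j ACCEPT`
# above the REJECT rules.
"$IPT" -A INPUT -p icmp -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "iptables: ECHO: "

# --- Verdict ----------------------------------------------------------------
# Only eth0 gets an explicit REJECT; other interfaces fall through to DROP.
# REJECT (unlike a silent DROP) confirms to a scanner that the host is up, but
# spares legitimate clients a long timeout; use DROP if you prefer to look offline.
"$IPT" -A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset
"$IPT" -A INPUT -p udp -i eth0 -j REJECT --reject-with icmp-port-unreachable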
End of rules
A reasonable rule set to start from.
(Yes, but what do the rules actually do? In short: the default policy drops every inbound packet, replies to connections this host opened are let back in, new connection attempts and common port-scan flag combinations are logged, and the remaining TCP/UDP traffic arriving on eth0 is rejected. Keep in mind that iptables matches rules top to bottom and the first terminating target (ACCEPT/DROP/REJECT) wins, so LOG rules must appear before the REJECT lines to ever match.)
