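#!/bin/sh
#
# Host firewall for a single-homed server.  Flushes every table, sets
# DROP policies on the filter table, then admits only the listed
# services (HTTP/HTTPS, SMTP, POP3/POP3S, rate-limited SSH, ICMP echo)
# plus per-UID outbound DNS and ident.  Must run as root.
#
# Required files: $HOSTS_BLOCK (one address/network per line, several
# per line allowed; inserted as DROP rules at the head of INPUT/OUTPUT).
#
# No 'set -e' on purpose: the DROP policies are applied before any
# ACCEPT rule, so a rule that fails to load leaves the host fail-closed.
# Aborting on the first bad rule would instead stop the remaining
# ACCEPT rules (including SSH) from loading.
set -u

IP="66.141.68.217"          # this host's public address (anti-spoof rule)
INT="eth0"                  # external interface
DNS="151.164.23.201"        # resolver the service UIDs may query
IPT="/usr/sbin/iptables"
HOSTS_BLOCK="/etc/hosts.block"
HTTPD_UID=99
IRCD_UID=1003
SSH_HITS=2                  # new SSH connections allowed per source ...
SSH_WINDOW=60               # ... within this many seconds

# Start from a clean slate in every table.
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -t mangle -F
"$IPT" -X

# Default policies: drop everything in the filter table.  The nat and
# mangle tables are left at ACCEPT on purpose -- a DROP policy there
# discards packets before the filter rules below ever see them.
# Policies survive a flush, so they are reset explicitly.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -t nat -P PREROUTING ACCEPT
"$IPT" -t nat -P OUTPUT ACCEPT
"$IPT" -t nat -P POSTROUTING ACCEPT
"$IPT" -t mangle -P PREROUTING ACCEPT
"$IPT" -t mangle -P OUTPUT ACCEPT

# Loopback is unrestricted.
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Anti-spoofing: packets arriving on the external interface must not
# claim to come from this host or from loopback.
"$IPT" -A INPUT -i "$INT" -s "$IP" -j DROP
"$IPT" -A INPUT -i "$INT" -s 127.0.0.1 -j DROP

# Logging of SSH and other SYN|ACKs.  These LOG rules sit before the
# ESTABLISHED accept below so that handshake packets are still logged.
# The SYNACK chain is created but nothing here jumps to it; it is kept
# in case a rule outside this script references it.
"$IPT" -N SYNACK
"$IPT" -A SYNACK -j LOG
"$IPT" -A SYNACK -j ACCEPT
"$IPT" -A OUTPUT -p tcp --sport 22 --tcp-flags ALL SYN,ACK -j LOG \
  --log-level debug --log-prefix 'SSH LOGIN: '
# --tcp-flags belongs to the tcp match, so -p tcp is required here.
"$IPT" -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j LOG --log-level debug \
  --log-prefix '3-SYN-ACK: '
"$IPT" -A INPUT -p udp -m udp ! --dport 53 -j LOG --log-level debug \
  --log-prefix "UDP passed: "

# Connection tracking: accept replies in both directions, then drop NEW
# TCP packets that are not plain SYNs.  The OUTPUT rule is what lets the
# services below answer the connections INPUT accepts; without it the
# OUTPUT DROP policy would discard their replies.
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,URG,RST,ACK SYN \
  -m state --state NEW -j DROP

## Allow UID 99 (httpd) & UID 1003 (ircd): inbound HTTP/HTTPS, outbound
## DNS to $DNS for both UIDs, outbound ident (113) for ircd.
"$IPT" -A INPUT -p tcp --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 443 --sport 1024:65535 -m state --state NEW -j ACCEPT
for uid in "$HTTPD_UID" "$IRCD_UID"; do
  for proto in tcp udp; do
    "$IPT" -A OUTPUT -m owner --uid-owner "$uid" -d "$DNS" -p "$proto" \
      --dport 53 --sport 1024:65535 \
      -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
done
# Ident lookups by ircd to any host.  The original rule used 0.0.0.0/8,
# which matches no reachable destination; 0.0.0.0/0 is assumed to be
# what was meant -- confirm.
for proto in tcp udp; do
  "$IPT" -A OUTPUT -m owner --uid-owner "$IRCD_UID" -d 0.0.0.0/0 -p "$proto" \
    --dport 113 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

## Allow incoming SMTP; root may query $DNS and send SMTP replies.
"$IPT" -A INPUT -p tcp --dport 25 --sport 1024:65535 -m state \
  --state NEW,ESTABLISHED,RELATED -j ACCEPT
for proto in udp tcp; do
  "$IPT" -A OUTPUT -m owner --uid-owner 0 -d "$DNS" -p "$proto" \
    --dport 53 --sport 1024:65535 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
"$IPT" -A OUTPUT -m owner --uid-owner 0 -p tcp --sport 25 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow incoming Dovecot POP3 (110) and POP3S (995).
for port in 110 995; do
  "$IPT" -A INPUT -p tcp --dport "$port" --sport 1024:65535 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

## Allow root to request DNS from any resolver.  The 1024:65535 rules
## also let root open outbound connections to any high port anywhere,
## which is far broader than DNS; narrow them if that is not required.
## (The original comment also named "fwaggle", but no rule for that
## user exists here.)
for proto in tcp udp; do
  "$IPT" -A OUTPUT -m owner --uid-owner 0 -p "$proto" --dport 53 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m owner --uid-owner 0 -p "$proto" --dport 1024:65535 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

## SSH: more than $SSH_HITS new connections per source within
## $SSH_WINDOW seconds are dropped.  The 'recent' rules must precede the
## general ACCEPT; with the ACCEPT first (as originally written) every
## new connection was accepted before the counter was consulted.
## The trusted host name is resolved once, when this script loads, so a
## dynamic-DNS name pins whatever address it had at that moment; if the
## lookup fails, that rule is skipped and the general ACCEPT still applies.
"$IPT" -A INPUT -p tcp -s whiskyone.hopto.org --dport 22 -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$INT" -p tcp --dport 22 -m state --state NEW \
  -m recent --set --name SSH
"$IPT" -A INPUT -i "$INT" -p tcp --dport 22 -m state --state NEW -m recent \
  --update --seconds "$SSH_WINDOW" --hitcount "$SSH_HITS" --rttl --name SSH -j DROP
"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

## Allow ICMP echo requests, rate-limited.
"$IPT" -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

## Block-listed hosts from $HOSTS_BLOCK are inserted at the head of
## INPUT and OUTPUT so they take precedence over every ACCEPT above.
## Blank lines and '#' comments are skipped; a missing file is not an
## error.
if [ -r "$HOSTS_BLOCK" ]; then
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|\#*) continue ;;
    esac
    # Deliberate word-splitting: several addresses may share a line.
    for host in $line; do
      "$IPT" -I INPUT -s "$host" -j DROP
      "$IPT" -I OUTPUT -d "$host" -j DROP
    done
  done < "$HOSTS_BLOCK"
fi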