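#!/bin/sh
# Minimal host firewall: default-deny in all three directions, then allow only
# loopback, rate-limited ping and SSH between this host and one trusted subnet.
# Anything else is logged (rate-limited) and dropped.
#
# Must run as root. The rules are stateless (no conntrack), so both directions
# of every permitted flow are listed explicitly. Only IPv4 is configured:
# ip6tables is left untouched, so IPv6 traffic is NOT filtered by this script.

set -u

# iptables and the /proc writes below fail without root; bail out early instead
# of leaving a half-applied rule set behind.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi

trusthost='10.0.0.0/24'   # subnet allowed to ping / ssh this host
myhost='10.0.0.1'         # this host's own address
any='0.0.0.0/0'           # not used by the rules below; kept for rules added later

# Kernel hardening: SYN cookies against SYN floods, ignore broadcast pings
# so the host cannot be used as a smurf amplifier.
echo '1' > /proc/sys/net/ipv4/tcp_syncookies
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

##############
# Flush & Reset
##############
iptables -F
iptables -X

##############
# Default Rule
##############
# Policies are set before the accept rules so that a failure later in the
# script leaves the host closed rather than open. If you are connected over
# SSH from outside $trusthost, run this from the console.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#########
# loopback
#########
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#######################
# ICMP trusthost->myhost
#######################
# long term: about one echo-request per minute sustained, burst of 10.
# Excess requests are not matched here and fall through to LOGGING (dropped).
iptables -A INPUT -p icmp --icmp-type echo-request -s "$trusthost" -d "$myhost" \
  -m limit --limit 1/m --limit-burst 10 -j ACCEPT
# short term alternative: higher rate, smaller burst
#iptables -A INPUT -p icmp --icmp-type echo-request -s "$trusthost" -d "$myhost" -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -s "$myhost" -d "$trusthost" -j ACCEPT

#######################
# ICMP myhost->trusthost
#######################
iptables -A OUTPUT -p icmp --icmp-type echo-request -s "$myhost" -d "$trusthost" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -s "$trusthost" -d "$myhost" -j ACCEPT

#######################
# ssh trusthost-> myhost
#######################
iptables -A INPUT -p tcp -s "$trusthost" -d "$myhost" --dport 22 -j ACCEPT
# '! --syn': only reply segments (SYN-ACK, data, FIN, ...) may leave from
# port 22. Without it any local process that binds source port 22 could open
# new connections to the trusted subnet despite the OUTPUT DROP policy.
iptables -A OUTPUT -p tcp -s "$myhost" --sport 22 -d "$trusthost" ! --syn -j ACCEPT

#########
# logging
#########
# Everything not accepted above is logged, then dropped. '-m limit' with no
# arguments uses iptables' defaults (3/hour, burst 5), so a packet flood
# cannot fill the log.
iptables -N LOGGING
iptables -A LOGGING -m limit -j LOG --log-level warning --log-prefix "DROP:"
iptables -A LOGGING -j DROP
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING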