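#!/bin/sh
#
# Host firewall for myhost: default-deny in every direction, then open only
# ICMP echo and SSH between this host and a single trusted admin host.
#
# Scope: only the IPv4 "filter" table is managed here; nat/mangle are left
# untouched. Because an iptables-only policy leaves the host reachable over
# IPv6, the v6 stack is locked down separately at the end (when ip6tables
# is present and IPv6 is enabled).
#
# Run as root. Applying this over an SSH session that did not come from
# $trusthost will cut that session off.

# Stop at the first failed iptables call instead of continuing with a partial
# ruleset; -u turns a mistyped variable into an error rather than an empty
# -s/-d (which iptables would read as "any host").
set -eu

trusthost='192.168.10.100'   # the only peer allowed to reach this host
myhost='192.168.20.200'      # this host's own address

IPT=/sbin/iptables
IP6T=/sbin/ip6tables

# Rate limit for logging dropped packets so a flood cannot fill the log.
# (The original relied on the implicit default of 3/hour, burst 5, which is
# too low to be useful for diagnosing lockouts.)
log_limit='5/min'
log_burst='10'

##############
# Flush & Reset
##############
# -F empties every chain, so by the time -X runs no rule references the
# LOGGING chain and it can be deleted. Policies are replaced below.
"$IPT" -F
"$IPT" -Z
"$IPT" -X

##############
# Default Rule
##############
# Set DROP policies before adding any ACCEPT so there is no window in which
# the host is open during reconfiguration.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

#########
# loopback
#########
"$IPT" -A INPUT  -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

#######################
# ICMP trusthost->myhost
#######################
"$IPT" -A INPUT  -p icmp --icmp-type echo-request -s "$trusthost" -d "$myhost"    -j ACCEPT
"$IPT" -A OUTPUT -p icmp --icmp-type echo-reply   -s "$myhost"    -d "$trusthost" -j ACCEPT

#######################
# ICMP myhost->trusthost
#######################
"$IPT" -A OUTPUT -p icmp --icmp-type echo-request -s "$myhost"    -d "$trusthost" -j ACCEPT
"$IPT" -A INPUT  -p icmp --icmp-type echo-reply   -s "$trusthost" -d "$myhost"    -j ACCEPT

#######################
# ssh trusthost-> myhost
#######################
# Packets belonging to an existing connection are always allowed; a NEW
# connection is accepted only if it starts with a SYN. A non-SYN "NEW"
# packet (stray ACK, scanner probe) matches neither rule and falls through
# to the DROP policy. The original placed an ACCEPT for NEW (any flags)
# before its "! --syn ... DROP" rule, which made that DROP unreachable.
"$IPT" -A INPUT -p tcp -s "$trusthost" -d "$myhost" --dport 22 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -p tcp --syn -s "$trusthost" -d "$myhost" --dport 22 \
    -m state --state NEW -j ACCEPT
# Replies only. Without the state match, any local process bound to port 22
# could initiate outbound connections to $trusthost.
"$IPT" -A OUTPUT -p tcp -s "$myhost" --sport 22 -d "$trusthost" \
    -m state --state ESTABLISHED -j ACCEPT

#########
# logging
#########
# Anything not accepted above is logged (rate limited) and dropped
# explicitly, so the log shows what the DROP policy would otherwise eat
# silently. The limit match must come before -j LOG to apply to it.
"$IPT" -N LOGGING
"$IPT" -A LOGGING -m limit --limit "$log_limit" --limit-burst "$log_burst" \
    -j LOG --log-level warning --log-prefix "DROP:"
"$IPT" -A LOGGING -j DROP
"$IPT" -A INPUT  -j LOGGING
"$IPT" -A OUTPUT -j LOGGING

#########
# IPv6
#########
# Mirror the default-deny on IPv6 so the v4 rules cannot be bypassed over v6.
# No trusted v6 peer is defined for this host, so only loopback is allowed
# (this also blocks ICMPv6/NDP, which is intended: v6 is not used here).
if [ -x "$IP6T" ] && [ -f /proc/net/if_inet6 ]; then
    "$IP6T" -F
    "$IP6T" -Z
    "$IP6T" -X
    "$IP6T" -P INPUT DROP
    "$IP6T" -P OUTPUT DROP
    "$IP6T" -P FORWARD DROP
    "$IP6T" -A INPUT  -i lo -j ACCEPT
    "$IP6T" -A OUTPUT -o lo -j ACCEPT
fi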