Re: Request for comments: iptables script for use on laptops.
Thanks for the discussion. I have changed my script and I'm sure it is much
improved - though nowhere near as tight as Uwe's:
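#!/bin/sh
# /OPT/sbin/ziptables
# /etc/init.d/local
#
# Laptop packet filter: accept everything on loopback and on the local
# network, allow a short list of outbound client services, then log and
# drop whatever is left. Must run as root (writes /proc/sys, runs iptables).
#
# Abort on the first failed sysctl write or iptables call. Because the
# chain policies are set to DROP before anything else, an aborted run
# leaves the host closed rather than open.
set -e
#
# Local network that is trusted unconditionally (both directions).
lan_net=192.168.0.0/28
#
# Kernel network hardening.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter  # drop packets whose source is not routable back via the arriving interface
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/ip_forward
#
# Set the default policies to DROP *before* flushing, so there is no
# window in which the chains are empty under an ACCEPT policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t mangle -F # flush: mangle,nat,filter
iptables -t nat -F
iptables -t filter -F
iptables -X # delete existing chains
iptables -Z # zero counters
#
# Allow ALL services within local-host(loopback) and among local network
#
# Loopback traffic is pinned to the lo interface so that a packet arriving
# on a real NIC with a forged 127.0.0.0/8 source is not accepted here.
iptables -A INPUT  -i lo -j ACCEPT -s 127.0.0.0/8 # localhost.localdomain
iptables -A OUTPUT -o lo -j ACCEPT -d 127.0.0.0/8
iptables -A INPUT  -j ACCEPT -s "$lan_net" # local network:
iptables -A OUTPUT -j ACCEPT -d "$lan_net"
iptables -A FORWARD -j DROP
#
# TCP:20+21=ftp,25=smtp,37=time,80=http,110=pop3,119=usenet,443=https
# UDP:53=dns
# NOTE(review): 20/21 (ftp) appear in the legend above but are not in the
# --dports list below -- confirm that is intended.
#
# Replies to connections this host opened are accepted; everything else
# inbound is dropped further down.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A INPUT -j DROP -p tcp ! --syn -m state --state NEW
iptables -A INPUT -j DROP -f
# Outbound client services. --dports (not --ports) so only the
# destination port is matched; --ports would also accept any connection
# whose *source* port happened to be in the list.
iptables -A OUTPUT -j ACCEPT -p tcp -m state --state NEW,ESTABLISHED \
  -m multiport --dports 25,37,80,110,119,443
# The continuation backslash must end the preceding line, otherwise
# "--dport 53" is executed as a separate command and the rule becomes
# "accept all UDP".
iptables -A OUTPUT -j ACCEPT -p udp -m state --state NEW,ESTABLISHED \
  --dport 53
#
# Log drop throughs for diagnostics, -> /var/log/messages
#
# Rate-limited so a flood of dropped packets cannot fill the log.
iptables -A INPUT  -j LOG -m limit --limit 1/s --limit-burst 8 --log-prefix ZZI-
iptables -A OUTPUT -j LOG -m limit --limit 1/s --limit-burst 8 --log-prefix ZZO-
iptables -A INPUT  -j DROP
iptables -A OUTPUT -j DROP
# -n: list numerically, so the listing does not block on reverse DNS.
iptables -L -n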