General-purpose iptables firewall rules (IPv4 default-deny host firewall, with an Asterisk/VoIP section and a partial IPv6 section)
Monday, July 5, 2010 3:12:43 AM
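#!/bin/bash
# General-purpose host firewall for IPv4 (iptables) and IPv6 (ip6tables).
#
# Stance: default-deny inbound on both address families; allow loopback,
# ping, replies to connections this host initiated, SSH on the management
# interface, and the Asterisk (SIP/IAX/RTP/MGCP) ports. The OUTPUT chain is
# left at its default policy (ACCEPT), as in the original.
#
# Must run as root. Re-running is safe: the INPUT and FORWARD chains of the
# filter table are flushed before rules are appended, so rules no longer
# accumulate every time the script runs (the original version never flushed
# iptables, only ip6tables).
#
# NOTE(review): the INPUT policy is switched to DROP *before* the ACCEPT rules
# are added (fail-closed). Over a remote SSH session this causes a short stall
# until the RELATED,ESTABLISHED rule is in place; if the script aborts in
# between, the host is unreachable, so keep console access when testing.
set -eu

# Thin wrappers so every rule line stays readable and shellcheck-clean.
ipt()  { /sbin/iptables  "$@"; }
ip6t() { /sbin/ip6tables "$@"; }

if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

############################## IPv4 ##############################
# Fail closed first, then start from empty chains so the script is idempotent.
ipt -P INPUT DROP
ipt -F INPUT
ipt -F FORWARD

# Loopback is trusted.
ipt -A INPUT -i lo -j ACCEPT

# Drop malformed / scanner-style TCP segments *before* any ACCEPT rule. In the
# original these came after the ACCEPT rules; with the INPUT policy already
# DROP that made them no-ops for closed ports and ineffective for the open
# ones (a NULL or SYN/FIN probe to an accepted port was accepted). The flag
# combinations are the ones nmap -sN/-sF/-sX style scans send; INVALID catches
# segments conntrack cannot associate with any connection.
for chain in INPUT FORWARD; do
  ipt -A "$chain" -m state --state INVALID -j DROP
  ipt -A "$chain" -p tcp --tcp-flags ALL NONE -j DROP
  ipt -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  ipt -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  ipt -A "$chain" -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  ipt -A "$chain" -p tcp --tcp-flags ACK,FIN FIN -j DROP
  ipt -A "$chain" -p tcp --tcp-flags ACK,URG URG -j DROP
done

# Answer ping. ICMP errors that belong to our own connections (e.g.
# fragmentation-needed for PMTU discovery) are admitted by RELATED below.
ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Replies to connections this host initiated, on any ethernet interface.
ipt -A INPUT -i eth+ -m state --state RELATED,ESTABLISHED -j ACCEPT
#ipt -A INPUT -i bond0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#ipt -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Trust everything from the internal network (disabled by default).
#ipt -A INPUT -i eth+ -s 192.168.0.0/16 -j ACCEPT
#ipt -A INPUT -i bond0 -s 192.168.0.0/16 -j ACCEPT

# SSH, only on eth1 -- assumed to be the management interface; adjust to fit.
ipt -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT

# eMule: TCP 4662 and UDP 4672 (disabled by default).
#ipt -A INPUT -i ppp0 -p tcp --dport 4662 -j ACCEPT
#ipt -A INPUT -i ppp0 -p udp --dport 4672 -j ACCEPT

# Example of accepting a port range (disabled by default).
#ipt -A INPUT -i ppp0 -p tcp --dport 80:84 -j ACCEPT

# Asterisk. These rules are not bound to an interface or source, so the ports
# are reachable from every network the host is attached to. SIP on UDP 5060
# exposed to the Internet draws continuous registration brute-force; narrow
# with -i / -s where the deployment allows.
# Reference: http://www.voip-info.org/tiki-index.php?page=Asterisk+firewall+rules
ipt -A INPUT -p udp --dport 5060 -j ACCEPT          # SIP (some peers also need TCP 5060)
ipt -A INPUT -p udp --dport 4569 -j ACCEPT          # IAX2
ipt -A INPUT -p udp --dport 5036 -j ACCEPT          # IAX v1 (legacy; most have moved to IAX2)
ipt -A INPUT -p udp --dport 10000:20000 -j ACCEPT   # RTP media streams
ipt -A INPUT -p udp --dport 2727 -j ACCEPT          # MGCP, only if you use it

# NAT / routing (disabled by default). This script does not change the FORWARD
# policy, which defaults to ACCEPT; if you enable forwarding, also set
# "ipt -P FORWARD DROP" and add explicit FORWARD ACCEPT rules.
#ipt -t nat -P PREROUTING ACCEPT
#ipt -t nat -P POSTROUTING ACCEPT
#ipt -t nat -P OUTPUT ACCEPT
#echo "1" > /proc/sys/net/ipv4/ip_forward
#ipt -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth1 -j MASQUERADE

############################## IPv6 ##############################
# The original only dropped a few IPv6 ports (TCP 21-23, 139, 445; UDP 137-138)
# and left the ip6tables INPUT policy at its default ACCEPT, so every other
# service -- including the Asterisk ports opened above -- was reachable over
# IPv6 while being filtered over IPv4. Mirror the IPv4 stance instead.
ip6t -P INPUT DROP
ip6t -F INPUT
ip6t -F FORWARD
ip6t -A INPUT -i lo -j ACCEPT
# ICMPv6 carries Neighbor Discovery and PMTU; dropping it breaks IPv6 outright.
ip6t -A INPUT -p icmpv6 -j ACCEPT
ip6t -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# No service is opened over IPv6 by default; add explicit ACCEPT rules here
# for anything that must be reachable on v6.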
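# NOTE(review): this section is a verbatim repeat of the listing above (a page
# artifact). Run as a single script, the original applied every rule twice.
# With the flushes below, re-applying the rule set is harmless.
#
# General-purpose host firewall for IPv4 (iptables) and IPv6 (ip6tables).
# Stance: default-deny inbound on both address families; allow loopback,
# ping, replies to connections this host initiated, SSH on the management
# interface, and the Asterisk (SIP/IAX/RTP/MGCP) ports. OUTPUT is left at its
# default policy (ACCEPT). Must run as root; safe to re-run because the INPUT
# and FORWARD chains are flushed before rules are appended (the original never
# flushed iptables, only ip6tables, so rules accumulated on every run).
#
# NOTE(review): INPUT is switched to DROP *before* the ACCEPT rules are added
# (fail-closed). Over remote SSH this stalls briefly until the
# RELATED,ESTABLISHED rule exists; an abort in between locks you out.
set -eu

ipt()  { /sbin/iptables  "$@"; }
ip6t() { /sbin/ip6tables "$@"; }

if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

############################## IPv4 ##############################
ipt -P INPUT DROP
ipt -F INPUT
ipt -F FORWARD

ipt -A INPUT -i lo -j ACCEPT

# Malformed / scanner-style TCP segments are dropped *before* any ACCEPT rule.
# In the original these followed the ACCEPT rules, where the DROP policy made
# them no-ops for closed ports and useless for the open ones. INVALID catches
# segments conntrack cannot associate with a connection.
for chain in INPUT FORWARD; do
  ipt -A "$chain" -m state --state INVALID -j DROP
  ipt -A "$chain" -p tcp --tcp-flags ALL NONE -j DROP
  ipt -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  ipt -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  ipt -A "$chain" -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  ipt -A "$chain" -p tcp --tcp-flags ACK,FIN FIN -j DROP
  ipt -A "$chain" -p tcp --tcp-flags ACK,URG URG -j DROP
done

# Ping; ICMP errors tied to our own connections come in via RELATED below.
ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Replies to connections this host initiated.
ipt -A INPUT -i eth+ -m state --state RELATED,ESTABLISHED -j ACCEPT
#ipt -A INPUT -i bond0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#ipt -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Trust the internal network (disabled by default).
#ipt -A INPUT -i eth+ -s 192.168.0.0/16 -j ACCEPT
#ipt -A INPUT -i bond0 -s 192.168.0.0/16 -j ACCEPT

# SSH on eth1 only -- assumed to be the management interface; adjust to fit.
ipt -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT

# eMule: TCP 4662 and UDP 4672 (disabled by default).
#ipt -A INPUT -i ppp0 -p tcp --dport 4662 -j ACCEPT
#ipt -A INPUT -i ppp0 -p udp --dport 4672 -j ACCEPT

# Example of a port range (disabled by default).
#ipt -A INPUT -i ppp0 -p tcp --dport 80:84 -j ACCEPT

# Asterisk. Not bound to an interface or source, so reachable from every
# attached network; Internet-exposed SIP on 5060 draws constant registration
# brute-force -- narrow with -i / -s where possible.
# Reference: http://www.voip-info.org/tiki-index.php?page=Asterisk+firewall+rules
ipt -A INPUT -p udp --dport 5060 -j ACCEPT          # SIP (some peers also need TCP 5060)
ipt -A INPUT -p udp --dport 4569 -j ACCEPT          # IAX2
ipt -A INPUT -p udp --dport 5036 -j ACCEPT          # IAX v1 (legacy)
ipt -A INPUT -p udp --dport 10000:20000 -j ACCEPT   # RTP media streams
ipt -A INPUT -p udp --dport 2727 -j ACCEPT          # MGCP, only if you use it

# NAT / routing (disabled). The FORWARD policy is not changed here and defaults
# to ACCEPT; if forwarding is enabled, also set "ipt -P FORWARD DROP" and add
# explicit FORWARD ACCEPT rules.
#ipt -t nat -P PREROUTING ACCEPT
#ipt -t nat -P POSTROUTING ACCEPT
#ipt -t nat -P OUTPUT ACCEPT
#echo "1" > /proc/sys/net/ipv4/ip_forward
#ipt -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth1 -j MASQUERADE

############################## IPv6 ##############################
# The original dropped only TCP 21-23, 139, 445 and UDP 137-138 over IPv6 and
# left the INPUT policy at ACCEPT, so everything else (including the Asterisk
# ports above) was open on v6 while filtered on v4. Default-deny instead.
ip6t -P INPUT DROP
ip6t -F INPUT
ip6t -F FORWARD
ip6t -A INPUT -i lo -j ACCEPT
# ICMPv6 carries Neighbor Discovery and PMTU; dropping it breaks IPv6.
ip6t -A INPUT -p icmpv6 -j ACCEPT
ip6t -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# No service is opened over IPv6 by default; add explicit ACCEPT rules here.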






