simplefirewall
Hint before enabling it add this to your /etc/crontab
:
*/5 * * * * root /etc/init.d/simplefirewall stop >> /var/log/firewall.stop
And check /var/log/firewall.stop
to make sure it runs. This will open your firewall again after 5 minutes to avoid locking yourself out. When everything works as expected comment it out.
#!/bin/bash # Very simple firewall for a single interface IF="eth0" #Interface HIPORT="1024:65535" #Highports (don't change) IPTABLES=`which iptables` || IPTABLES="/usr/sbin/iptables" case $1 in close) $IPTABLES -F $IPTABLES -X $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT echo "Firewall closed, all connections blocked" exit 0 ;; stop) $IPTABLES -F $IPTABLES -X $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT echo "Firewall closed, all connections allowed" exit 0 ;; start) # First of all, flush all rules $IPTABLES -F $IPTABLES -F -t nat $IPTABLES -X $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -F FORWARD # set default policy and create additional chains $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -N dropchain # enable additional kernel security echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "1" > /proc/sys/net/ipv4/tcp_syncookies echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo "1" > /proc/sys/net/ipv4/conf/$IF/rp_filter echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_redirects echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_source_route echo "0" > /proc/sys/net/ipv4/conf/$IF/bootp_relay echo "1" > /proc/sys/net/ipv4/conf/$IF/log_martians # local processes: $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT # icmp stuff: $IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-request -j ACCEPT $IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-reply -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-request -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-reply -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type source-quench -j ACCEPT $IPTABLES -A INPUT -i $IF -p icmp --icmp-type time-exceeded -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type time-exceeded -j ACCEPT $IPTABLES -A INPUT -i $IF -p icmp --icmp-type parameter-problem -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type parameter-problem -j ACCEPT $IPTABLES -A INPUT -i $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT ########### start of custom rules ############ # let HTTP in $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport http -j ACCEPT # let SSH in $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ssh -j ACCEPT # let FTP in (needs loaded ip_conntrack_ftp module) $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ftp -j ACCEPT # let everything out $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o $IF -p tcp -j ACCEPT $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED -o $IF -p udp -j ACCEPT # let all answers in $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -i $IF -p tcp -j ACCEPT $IPTABLES -A INPUT -m state --state ESTABLISHED -i $IF -p udp -j ACCEPT ########### end of custom rules ############ # droppe & log everything else $IPTABLES -A INPUT -j dropchain $IPTABLES -A OUTPUT -j dropchain # dropchain: every packet will be dropped, and, if defined logged... $IPTABLES -A dropchain -p icmp -j DROP #don't log outgoing icmp $IPTABLES -A dropchain -p tcp -m state --state INVALID -j LOG --log-level info --log-prefix "FW log INVALID: " $IPTABLES -A dropchain -j LOG --log-level info --log-prefix "FW log: " #log everything $IPTABLES -A dropchain -j DROP #done echo "Firewall up and running..." exit 0 ;; *) echo "usage: start | stop | close" exit 1 ;; esac exit 1;