====== simplefirewall ======
[[http://wiki.splitbrain.org/simplefirewall|Quelle]]
Hint: before enabling it, add this line to your ''/etc/crontab'':
*/5 * * * * root /etc/init.d/simplefirewall stop >> /var/log/firewall.stop
Then check ''/var/log/firewall.stop'' to make sure it runs. This will open your firewall again after 5 minutes, so you cannot lock yourself out. Once everything works as expected, comment it out again.
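#!/bin/bash
# Very simple firewall for a single interface.
#
# IPv4 only: this script drives iptables, so IPv6 traffic (ip6tables)
# is left completely unfiltered by it.
#
# Usage: simplefirewall start | stop | close
#   start - flush everything, allow loopback, selected ICMP, HTTP/SSH/FTP
#           in, all TCP/UDP out; log and drop the rest
#   stop  - flush everything and allow all traffic (policy ACCEPT)
#   close - flush everything; block all incoming traffic except loopback
#           and ICMP echo-request, outgoing stays ACCEPT
#
# Exit status: 0 on success, 1 on usage error, non-zero if an iptables
# call fails (set -e aborts at the first failing call).
set -eu

IF="eth0"            # interface the rules apply to
HIPORT="1024:65535"  # unprivileged source ports (don't change)
# Prefer the iptables found on PATH, fall back to the usual location.
IPTABLES=$(command -v iptables) || IPTABLES="/usr/sbin/iptables"

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Write a value to a knob below /proc/sys/net/ipv4 if it exists.
# Arguments: $1 - path relative to /proc/sys/net/ipv4, $2 - value
# A missing knob (e.g. a misspelled $IF) is reported on stderr but does
# not abort, so the rule set below is still applied completely.
#######################################
set_sysctl() {
  local knob="/proc/sys/net/ipv4/$1"
  local value=$2
  if [[ -w "$knob" ]]; then
    printf '%s\n' "$value" > "$knob"
  else
    printf 'warning: cannot write %s (is IF=%s correct?)\n' "$knob" "$IF" >&2
  fi
}

#######################################
# Remove all rules and user-defined chains from the filter table.
#######################################
flush_filter() {
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -F INPUT
  "$IPTABLES" -F OUTPUT
}

#######################################
# 'close': block all incoming traffic except loopback and ping.
#######################################
fw_close() {
  flush_filter
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -A INPUT -p icmp --icmp-type 8 -j ACCEPT
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  echo "Firewall closed, all connections blocked"
}

#######################################
# 'stop': remove all rules and allow all traffic.
#######################################
fw_stop() {
  flush_filter
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  echo "Firewall closed, all connections allowed"
}

#######################################
# 'start': build the full default-deny rule set.
#######################################
fw_start() {
  # First of all, flush all rules (filter and nat tables)
  "$IPTABLES" -F
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X
  "$IPTABLES" -F INPUT
  "$IPTABLES" -F OUTPUT
  "$IPTABLES" -F FORWARD
  # Default deny in every direction; everything below is an explicit allow.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -N dropchain
  # Kernel hardening knobs (each one is written exactly once)
  set_sysctl icmp_echo_ignore_broadcasts 1
  set_sysctl tcp_syncookies 1
  set_sysctl icmp_ignore_bogus_error_responses 1
  set_sysctl "conf/$IF/rp_filter" 1
  set_sysctl "conf/$IF/accept_redirects" 0
  set_sysctl "conf/$IF/accept_source_route" 0
  set_sysctl "conf/$IF/bootp_relay" 0
  set_sysctl "conf/$IF/log_martians" 1
  # local processes:
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
  # icmp stuff: ping in both directions plus the error types needed for
  # path MTU discovery and traceroute to work
  local icmp_type
  for icmp_type in echo-request echo-reply time-exceeded parameter-problem \
    fragmentation-needed; do
    "$IPTABLES" -A INPUT -i "$IF" -p icmp --icmp-type "$icmp_type" -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$IF" -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  "$IPTABLES" -A OUTPUT -o "$IF" -p icmp --icmp-type source-quench -j ACCEPT
  ########### start of custom rules ############
  # Inbound services; --sport restricts clients to unprivileged source ports.
  local service
  for service in http ssh ftp; do
    # FTP additionally needs the ip_conntrack_ftp module for data connections
    "$IPTABLES" -A INPUT -m state --state NEW -i "$IF" -p tcp \
      --sport "$HIPORT" --dport "$service" -j ACCEPT
  done
  # let everything out
  "$IPTABLES" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o "$IF" -p tcp -j ACCEPT
  "$IPTABLES" -A OUTPUT -m state --state NEW,ESTABLISHED -o "$IF" -p udp -j ACCEPT
  # let all answers in
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -i "$IF" -p tcp -j ACCEPT
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED -i "$IF" -p udp -j ACCEPT
  ########### end of custom rules ############
  # drop & log everything else
  "$IPTABLES" -A INPUT -j dropchain
  "$IPTABLES" -A OUTPUT -j dropchain
  # dropchain: every packet is dropped and, except for icmp, logged
  "$IPTABLES" -A dropchain -p icmp -j DROP # don't log outgoing icmp
  "$IPTABLES" -A dropchain -p tcp -m state --state INVALID -j LOG --log-level info --log-prefix "FW log INVALID: "
  "$IPTABLES" -A dropchain -j LOG --log-level info --log-prefix "FW log: " # log everything
  "$IPTABLES" -A dropchain -j DROP
  echo "Firewall up and running..."
}

#######################################
# Entry point: dispatch on the single command argument.
#######################################
main() {
  # iptables and the /proc/sys writes both need root; fail early and clearly
  (( EUID == 0 )) || die "simplefirewall must be run as root"
  case "${1:-}" in
    close) fw_close ;;
    stop) fw_stop ;;
    start) fw_start ;;
    *)
      printf 'usage: start | stop | close\n' >&2
      exit 1
      ;;
  esac
  exit 0
}

main "$@"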