Simple IPTABLES


Here is a simple iptables file for a basic firewall.  It should be a good template to build from if you are new to the ‘tables.’ LOL 🙂

# Generated by iptables-save v1.3.5 on Wed Nov 25 14:49:49 2009
# NAT table: no translation rules, every chain just accepts
*nat
:PREROUTING ACCEPT [54:3344]
:POSTROUTING ACCEPT [2:58]
:OUTPUT ACCEPT [2:58]
COMMIT
# Completed on Wed Nov 25 14:49:49 2009
# Generated by iptables-save v1.3.5 on Wed Nov 25 14:49:49 2009
# Mangle table: no packet alteration, every chain just accepts
*mangle
:PREROUTING ACCEPT [431:33056]
:INPUT ACCEPT [395:31128]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [203:24606]
:POSTROUTING ACCEPT [203:24606]
COMMIT
# Completed on Wed Nov 25 14:49:49 2009
# Generated by iptables-save v1.3.5 on Wed Nov 25 14:49:49 2009
# Filter table: default-deny on all three built-in chains, user chains for
# ICMP, interface-specific, IP-specific and logging rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ICMP - [0:0]
:INTER - [0:0]
:IP - [0:0]
:RULE_86 - [0:0]
:RULE_87 - [0:0]
:drop-lan - [0:0]
# Sanity checks first: conntrack INVALID, bogus SYN/ACK and non-SYN new connections
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Anti-spoofing: loopback and link-local sources must never arrive on eth0
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth0 -j DROP
# Trusted interfaces (loopback, PPTP and OpenVPN tunnels) are allowed in full
-A INPUT -i lo -j ACCEPT
-A INPUT -i pptp+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
# Hand everything else to the user chains; whatever is left ends in RULE_86 (log + drop)
-A INPUT -j ICMP
-A INPUT -j INTER
-A INPUT -j IP
-A INPUT -j RULE_86
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o pptp+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 67:68 --dport 67:68 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 137 --dport 137 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 138 --dport 138 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1434 -j ACCEPT
-A OUTPUT -s 192.168.11.28 -o eth0 -p tcp -m tcp -m multiport --sports 22,81,80,88,443,1875 -j ACCEPT
-A OUTPUT -s 192.168.11.29 -o eth0 -p tcp -m tcp -m multiport --sports 22,81,80,88,443,1875 -j ACCEPT
-A OUTPUT -s 192.168.11.32 -o eth0 -p tcp -m tcp -m multiport --sports 22,81,80,88,443,1875 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j RULE_87
# ICMP Rule Definitions (echo reply, destination unreachable, echo request, time exceeded)
-A ICMP -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A ICMP -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ICMP -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ICMP -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Interface Specific Definitions (DHCP, NetBIOS name/datagram, SQL browser, reply traffic)
-A INTER -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INTER -i eth0 -p tcp -m tcp --sport 67:68 --dport 67:68 -j ACCEPT
-A INTER -i eth0 -p udp -m udp --sport 137 --dport 137 -j ACCEPT
-A INTER -i eth0 -p udp -m udp --sport 138 --dport 138 -j ACCEPT
-A INTER -i eth0 -p udp -m udp --dport 1434 -j ACCEPT
-A INTER -i eth0 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INTER -i eth0 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# IP Specific Definitions (services published per destination host)
-A IP -d 192.168.11.28 -p tcp -m tcp -m multiport --dports 22,81,80,88,443,1875 -j ACCEPT
-A IP -d 192.168.11.29 -p tcp -m tcp -m multiport --dports 22,81,80,88,443,1875 -j ACCEPT
-A IP -d 192.168.11.32 -p tcp -m tcp -m multiport --dports 22,81,80,88,443,1875 -j ACCEPT
# Logging Definitions (bare RST/FIN are dropped silently, everything else is logged then dropped)
-A RULE_86 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A RULE_86 -p tcp -m tcp --tcp-flags FIN FIN -j DROP
-A RULE_86 -j LOG --log-prefix "INPUT_DROP_" --log-level 6
-A RULE_86 -j DROP
-A RULE_86 -j DROP
-A RULE_87 -p tcp -m tcp --tcp-flags RST RST -j DROP
-A RULE_87 -p tcp -m tcp --tcp-flags FIN FIN -j DROP
-A RULE_87 -j LOG --log-prefix "OUTPUT_DROP_" --log-level 6
-A RULE_87 -j DROP
-A drop-lan -j DROP
COMMIT
# Completed on Wed Nov 25 14:49:49 2009
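Before loading a template like this with `iptables-restore`, it is worth checking a few of the properties that make it a sane starting point: that the three built-in filter chains really are default-deny, that conntrack `INVALID` traffic is dropped in `INPUT`, which TCP services are actually reachable from the outside once you follow the jumps into the user chains, whether the catch-all chains log before they drop, and whether any user chain is defined but never jumped to (in the dump above, `drop-lan` is declared but nothing references it). The following is an added example and not code from the original post: a small Python parser for the `iptables-save` format that runs those checks. The `SAMPLE` string is a constructed, trimmed copy of the post's filter table; the function and check names are this example's own.

```python
import shlex
from collections import defaultdict

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")

# Constructed sample: a trimmed version of the filter table from the post
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ICMP - [0:0]
:INTER - [0:0]
:IP - [0:0]
:RULE_86 - [0:0]
:drop-lan - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j ICMP
-A INPUT -j INTER
-A INPUT -j IP
-A INPUT -j RULE_86
-A ICMP -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INTER -i eth0 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A IP -d 192.168.11.28 -p tcp -m tcp -m multiport --dports 22,81,80,88,443,1875 -j ACCEPT
-A RULE_86 -j LOG --log-prefix "INPUT_DROP_" --log-level 6
-A RULE_86 -j DROP
-A drop-lan -j DROP
COMMIT
"""


def parse_filter_table(text):
    """Return (policies, chains) for the *filter table of an iptables-save dump.

    policies maps chain name -> policy ('DROP', 'ACCEPT', or '-' for user chains);
    chains maps chain name -> list of rules, each rule a list of argv-style tokens.
    """
    policies, chains, in_filter = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *nat / *filter
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line == "COMMIT":
            break
        if line.startswith(":"):            # chain declaration ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):        # append rule; shlex handles the quoted log prefix
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(tokens)
    return policies, chains


def option(tokens, name):
    """Value following option `name` in a rule's token list, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None


def default_deny(policies):
    """True when INPUT, FORWARD and OUTPUT all fall through to DROP."""
    return all(policies.get(c) == "DROP" for c in BUILTIN_CHAINS)


def drops_invalid(chains):
    """True when INPUT has a rule that drops conntrack-INVALID packets."""
    return any(option(r, "--state") == "INVALID" and option(r, "-j") == "DROP"
               for r in chains.get("INPUT", []))


def unreferenced_chains(policies, chains):
    """User chains (policy '-') that no rule ever jumps to: dead configuration."""
    targets = {option(r, "-j") for rules in chains.values() for r in rules}
    return sorted(c for c, p in policies.items() if p == "-" and c not in targets)


def exposed_tcp_services(chains, root="INPUT"):
    """Destination -> sorted TCP ports reachable for NEW connections via `root`.

    Follows jumps into user chains; rules limited to RELATED/ESTABLISHED only
    admit reply traffic and are not counted as exposure.
    """
    exposed, seen, stack = defaultdict(set), set(), [root]
    while stack:
        chain = stack.pop()
        if chain in seen:
            continue
        seen.add(chain)
        for rule in chains.get(chain, []):
            target = option(rule, "-j")
            if target in chains and target not in BUILTIN_CHAINS:
                stack.append(target)
                continue
            if target != "ACCEPT" or option(rule, "-p") != "tcp":
                continue
            state = option(rule, "--state") or ""
            if state and "NEW" not in state:
                continue
            ports = option(rule, "--dports") or option(rule, "--dport")
            if ports is None:
                continue
            exposed[option(rule, "-d") or "any"].update(ports.split(","))
    return {d: sorted(ps, key=lambda p: int(p.split(":")[0])) for d, ps in exposed.items()}


def logs_before_drop(chains, chain):
    """True if `chain` ends in an unconditional DROP that is preceded by a LOG rule."""
    rules = chains.get(chain, [])
    if not rules or option(rules[-1], "-j") != "DROP":
        return False
    return any(option(r, "-j") == "LOG" for r in rules[:-1])


if __name__ == "__main__":
    pol, ch = parse_filter_table(SAMPLE)
    print("default deny:", default_deny(pol))
    print("drops INVALID:", drops_invalid(ch))
    print("exposed TCP:", exposed_tcp_services(ch))
    print("RULE_86 logs before drop:", logs_before_drop(ch, "RULE_86"))
    print("unreferenced chains:", unreferenced_chains(pol, ch))
```

Feed it the real file instead of `SAMPLE` (`parse_filter_table(open("/etc/iptables.rules").read())`) after you have edited the template, and the `exposed_tcp_services` output is the list of hosts and ports you have actually opened; on a default-deny ruleset that list should match what you intended to publish and nothing more. The `unreferenced_chains` check is a cheap way to catch leftovers such as the unused `drop-lan` chain.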
