#!/bin/sh
#;
#; /etc/iptables.sh
#; Recommended packet filter configuration for IPTables on Linux.
#;
#; +----------------------------------------------------+
#; | Author:   DePaul University Computer Security Team |
#; |           WWW:  <http://security.depaul.edu/>      |
#; |           SMTP: <security@infosec.depaul.edu>      |
#; +----------------------------------------------------+
#;
#; Copyright (c) 2003. DePaul University. All Rights Reserved.
#;
#; Platform: Tested on the following platforms:
#;              IPTables v1.2.6a on RedHat 8.0 (2.4.18 kernel)
#;
#; Notes:    This is a sample configuration file for IPTables under
#;           Linux. You must know several details, including your
#;           IP address, your local netblock, etc. This script is
#;           NOT a plug-and-play solution - if you use it that way,
#;           it MAY render your machine inaccessible from the network.
#;
#; Revised:  $Id: iptables.sh,v 1.1.1.1 2003/09/25 19:23:57 epancer Exp $
#;


#;
#;--------------------------------------------------------------------;#
#; Empty the three built-in chains of the filter table, so the rules
#; below are not appended behind whatever ruleset was loaded before.
#; Only these chains are touched: user-defined chains and the nat and
#; mangle tables are left exactly as they are.
for chain in INPUT OUTPUT FORWARD; do
  iptables --flush "$chain"
done

#;
#;--------------------------------------------------------------------;#
#; Default policies: every built-in chain DROPs what no rule accepts.
#; From this point until the ACCEPT rules further down are appended,
#; no traffic at all passes (including the session running this script
#; if it is remote), so apply the script from the console when possible.
#; No FORWARD rules are added anywhere below, so with this policy the
#; host does not forward packets between interfaces.
for chain in INPUT FORWARD OUTPUT; do
  iptables --policy "$chain" DROP
done

#;
#;--------------------------------------------------------------------;#
#; Interfaces
LB=lo                           # Loopback interface
INTER=eth0                      # Interface facing the network

#; Addresses and networks. Edit these before running the script: HOST
#; and TRUST are placeholders, and iptables cannot parse "140.192.x.x"
#; as an address, so the rule that references HOST will not load while
#; it keeps that value.
LOOPBK=127.0.0.1                # Loopback address
HOST=140.192.x.x                # This machine's own IP address (placeholder)
DPUNET=140.192.0.0/16           # DePaul campus netblock
TRUST=256.198.52.253            # Hosts you trust (placeholder: 256 is not a
                                # valid octet). Not referenced by any rule
                                # in this script.
 
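#;
#;--------------------------------------------------------------------;#
#; Begin IPtable Rules

#; Allow loopback traffic.
#; Matched on the interface alone rather than on the 127.0.0.1 address:
#; a connection from this machine to its own eth0 address ($HOST) also
#; travels over lo but carries that address, and with an address match
#; it would fall through to the LOG rule and the DROP policy (the same
#; happens for any other 127/8 address). Packets from the network never
#; arrive on lo, so the interface match is sufficient. LOOPBK is not
#; referenced by these two rules.
iptables -A INPUT  -i "$LB" -j ACCEPT
iptables -A OUTPUT -o "$LB" -j ACCEPT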

#; Allow DePaul inbound traffic: every TCP and UDP packet from the
#; campus netblock is accepted regardless of port or connection state,
#; so any host in that /16 can reach every listening service here.
for proto in tcp udp; do
  iptables -A INPUT -p "$proto" -s "$DPUNET" -i "$INTER" -j ACCEPT
done

#; Allow TCP and UDP that the state table already tracks as
#; ESTABLISHED or RELATED.
for proto in tcp udp; do
  iptables -A INPUT -p "$proto" -m state --state ESTABLISHED,RELATED \
           -i "$INTER" -j ACCEPT
done

#; Allow new ssh connections to this host's address from any source.
#; TRUST is defined above but never used; adding -s "$TRUST" to this
#; rule would limit ssh to those hosts instead of the whole Internet.
iptables -A INPUT -p tcp -d "$HOST" --dport 22 -i "$INTER" -j ACCEPT

#; Accept a fixed list of ICMP types from any source: ping requests
#; and replies plus the error reports other hosts send back. Any other
#; ICMP type reaches the LOG rule and the DROP policy. The rules are
#; appended in the order listed here.
for icmp_type in echo-reply destination-unreachable echo-request \
                 time-exceeded parameter-problem; do
  iptables -A INPUT -p icmp --icmp-type "$icmp_type" -i "$INTER" -j ACCEPT
done

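#; Log traffic that matched no earlier INPUT rule; it then falls
#; through to the chain's DROP policy. The LOG target writes to the
#; kernel log, so the lines end up wherever syslog routes kernel
#; messages. Rate-limited: without -m limit every packet reaching this
#; point produces a log line, so an unsolicited flood (exactly what this
#; rule exists to record) could fill the log and crowd out everything
#; else. Tune --limit/--limit-burst to the volume you are willing to keep.
iptables -A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG \
         --log-prefix "**INPUT DROPS** " --log-level info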

#;
#;--------------------------------------------------------------------;#
#; Outbound Rules
#; Let this host open new TCP and UDP connections and continue any it
#; already has (state NEW, ESTABLISHED or RELATED). Every destination
#; and port is permitted outbound.
for proto in tcp udp; do
  iptables -A OUTPUT -p "$proto" -m state --state NEW,ESTABLISHED,RELATED \
           -o "$INTER" -j ACCEPT
done

#; Allow all outbound ICMP, whatever the type.
iptables -A OUTPUT -p icmp -o "$INTER" -j ACCEPT

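#; Log traffic that matched no earlier OUTPUT rule; it then falls
#; through to the chain's DROP policy. The LOG target writes to the
#; kernel log, so the lines land wherever syslog routes kernel messages
#; (/var/log/iptables on the authors' setup). Rate-limited: without
#; -m limit every blocked packet produces a log line, so a misbehaving
#; local process could fill the log. Tune --limit/--limit-burst to the
#; volume you are willing to keep.
iptables -A OUTPUT -m limit --limit 10/min --limit-burst 20 -j LOG \
         --log-prefix "**OUTPUT DROPS** " --log-level info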

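#;
#;--------------------------------------------------------------------;#
#; Persist the ruleset now loaded in the kernel so it is restored at
#; boot (Red Hat init-script wrapper). Whatever is in the kernel gets
#; saved, including a partial ruleset if an iptables call above failed,
#; since nothing earlier stops on error. A failed save used to pass
#; silently apart from the wrapper's own output; report it explicitly
#; so the operator knows the rules are active for this boot only.
if ! /sbin/service iptables save; then
  printf '%s\n' "iptables.sh: could not save the ruleset; it is active until reboot only" >&2
  exit 1
fi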

#;
# vim: ts=8 sw=8 nowrap
#;
