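#!/bin/sh
#
# Title: ODIN PROTECTOR
#
# File: protect.$IPTABLES
# Version: 0.2a
# Date: Aug 5, 2002
#
# Written by Impriser
#
# Contributors: NONE
#
# =======================================
# Copyright (C) 2002 the Odin Project
# (see 'LICENSE' for license details)
# =======================================
#
# This script protects a machine from all
# incoming traffic by using $IPTABLES.
# The only things which are allowed inbound are:
#
# - 53/udp
# - $MANAGER:22/tcp
#
# Usage: run as root. INTIF, ALLOWEDUDP, MANAGER and IPTABLES may be
# overridden from the environment; the values below are the defaults.
# The shebang has to be the very first line of the file - anywhere else it is
# just a comment and the kernel ignores it.

# Stop at the first failed command or unset variable: a half-applied ruleset
# is worse than an unchanged one, and the failure is visible on stderr.
set -eu

INTIF="${INTIF:-eth0}"                    # interface facing the network
ALLOWEDUDP="${ALLOWEDUDP:-53}"            # comma-separated UDP ports allowed in
MANAGER="${MANAGER:-213.144.137.66/32}"   # the only host allowed to reach 22/tcp
IPTABLES="${IPTABLES:-/sbin/iptables}"

# NO CHANGES NECESSARY BELOW!

# Refuse to run if the iptables binary is missing; otherwise the sysctl
# changes below would be applied without any filtering rules.
[ -x "$IPTABLES" ] || { printf 'iptables not found at %s\n' "$IPTABLES" >&2; exit 1; }

# Install the default-deny policies BEFORE flushing, so the host is never
# wide open in the window between the flush and the rules added below.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
# outgoing traffic is allowed
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F
"$IPTABLES" -X

# no IP forwarding allowed!
echo 0 > /proc/sys/net/ipv4/ip_forward
# enable SYN Cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# disable respond to ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# disable respond to broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# no source-routed packets!
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# do not emit ICMP redirects (this host is not a router)
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# no ICMP redirect acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$interface"
done
# log spoofed packets, source routed packets and redirected packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Loopback is trusted: accept everything on lo, not only NEW. Restricting lo
# to NEW lets the reply half of every local connection fall through to the
# INPUT DROP policy (the ESTABLISHED rule below only matches $INTIF).
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# block incoming fragments! Log (rate limited so a flood cannot fill the
# log), then DROP - with the LOG rule alone the fragment would continue down
# the chain. NB: the LOG prefix is limited to 29 characters, so a long
# interface name would make this rule fail. NOTE(review): with connection
# tracking loaded, fragments are normally reassembled before filtering, so
# "-f" is expected to match rarely - confirm on the target kernel.
"$IPTABLES" -A INPUT -i "$INTIF" -f -m limit --limit 5/min -j LOG --log-prefix "FW-DENY: Fragments on $INTIF: "
"$IPTABLES" -A INPUT -i "$INTIF" -f -j DROP

# replies to connections this host initiated
"$IPTABLES" -A INPUT -i "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS service (ALLOWEDUDP may list several ports, hence multiport)
"$IPTABLES" -A INPUT -i "$INTIF" -p udp -m multiport --dports "$ALLOWEDUDP" -j ACCEPT
# SSH, but only from the management host
"$IPTABLES" -A INPUT -i "$INTIF" -p tcp -m state --state NEW -s "$MANAGER" --dport 22 -j ACCEPT

# everything else is logged (rate limited) and then dropped by the policy
"$IPTABLES" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DENY IN "

#"$IPTABLES" -A OUTPUT -o "$INTIF" -p tcp -m state --state NEW -j ACCEPT
#"$IPTABLES" -A OUTPUT -o "$INTIF" -p udp -j ACCEPT
#"$IPTABLES" -A OUTPUT -o "$INTIF" -p icmp -j ACCEPT
#"$IPTABLES" -A OUTPUT -j LOG --log-prefix "FW-DENY OUT "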