[mirrors/Programs.git] / php / hfirewall / tmp.txt

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
/sbin/iptables --flush

# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow incoming TCP port 22 (ssh) traffic from office
/sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT

# Drop all other traffic
/sbin/iptables -A INPUT -j DROP

# Have these rules take effect when iptables is started
/sbin/service iptables save
Commit	Line	Data
79a323cb H	1	# Drop ICMP echo-request messages sent to broadcast or multicast addresses
	2	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	3
	4	# Drop source routed packets
	5	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
	6
	7	# Enable TCP SYN cookie protection from SYN floods
	8	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
	9
	10	# Don't accept ICMP redirect messages
	11	echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
	12
	13	# Don't send ICMP redirect messages
	14	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
	15
	16	# Enable source address spoofing protection
	17	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
	18
	19	# Log packets with impossible source addresses
	20	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
	21
	22	# Flush all chains
	23	/sbin/iptables --flush
	24
	25	# Allow unlimited traffic on the loopback interface
	26	/sbin/iptables -A INPUT -i lo -j ACCEPT
	27	/sbin/iptables -A OUTPUT -o lo -j ACCEPT
	28
	29	# Set default policies
	30	/sbin/iptables --policy INPUT DROP
	31	/sbin/iptables --policy OUTPUT DROP
	32	/sbin/iptables --policy FORWARD DROP
	33
	34	# Previously initiated and accepted exchanges bypass rule checking
	35	# Allow unlimited outbound traffic
	36	/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	37	/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	38
	39	# Allow incoming TCP port 22 (ssh) traffic from office
	40	/sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT
	41
	42	# Drop all other traffic
	43	/sbin/iptables -A INPUT -j DROP
	44
	45	# Have these rules take effect when iptables is started
	46	/sbin/service iptables save