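#!/usr/bin/env bash
#
# Basic host hardening: IPv4 kernel network sysctls plus a default-deny
# iptables ruleset that admits only loopback, established/related traffic
# and inbound SSH from the office address.
#
# Must run as root. Only IPv4 is configured here: ip6tables is not touched,
# so the DROP policies below do not apply to IPv6 traffic.
#
# Environment:
#   OFFICE_IP  source address allowed to open SSH (default 192.168.1.100)
set -euo pipefail

readonly IPT=/sbin/iptables
readonly OFFICE_IP=${OFFICE_IP:-192.168.1.100}

die() { printf '%s\n' "$*" >&2; exit 1; }

# Writing /proc/sys and changing iptables both need root; the original
# silently produced permission errors and carried on with a half-applied state.
[[ $EUID -eq 0 ]] || die "must run as root"
[[ -x $IPT ]] || die "iptables not found at $IPT"

#######################################
# Write a value to an IPv4 sysctl under /proc/sys/net/ipv4/.
# Arguments: $1 - key relative to /proc/sys/net/ipv4 (e.g. conf/all/rp_filter)
#            $2 - value to write
# Returns:   non-zero (and, under set -e, exits) if the write fails
#######################################
set_ipv4_sysctl() {
  local key=$1 value=$2
  printf '%s\n' "$value" > "/proc/sys/net/ipv4/$key"
}

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
set_ipv4_sysctl icmp_echo_ignore_broadcasts 1

# Enable TCP SYN cookie protection from SYN floods
set_ipv4_sysctl tcp_syncookies 1

# Per-interface settings are written to both "all" and "default" so that
# interfaces brought up after this script runs inherit the hardened values;
# for several of these keys the effective value is derived from both the
# "all" and the per-interface setting, so "all" alone is not sufficient.
for scope in all default; do
  # Drop source routed packets
  set_ipv4_sysctl "conf/$scope/accept_source_route" 0
  # Don't accept ICMP redirect messages
  set_ipv4_sysctl "conf/$scope/accept_redirects" 0
  # Don't send ICMP redirect messages
  set_ipv4_sysctl "conf/$scope/send_redirects" 0
  # Enable source address spoofing protection (reverse path filtering)
  set_ipv4_sysctl "conf/$scope/rp_filter" 1
  # Log packets with impossible source addresses
  set_ipv4_sysctl "conf/$scope/log_martians" 1
done

# Flush all chains in the filter table and remove any user-defined chains
"$IPT" --flush
"$IPT" --delete-chain

# Allow unlimited traffic on the loopback interface
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Set default policies: deny everything not explicitly allowed below
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT DROP
"$IPT" --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow incoming TCP port 22 (ssh) traffic from office
"$IPT" -A INPUT -p tcp -s "$OFFICE_IP" --dport 22 -m state --state NEW -j ACCEPT

# Drop all other traffic. Redundant with the INPUT DROP policy but explicit;
# note that any rule appended to INPUT after this one is never reached.
"$IPT" -A INPUT -j DROP

# Have these rules take effect when iptables is started
/sbin/service iptables save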