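#!/usr/bin/env bash
#
# Single-host IPv4 hardening: tighten a handful of kernel network sysctls,
# then install a default-deny iptables filter policy that only admits
# loopback traffic, replies to connections this host opened, and inbound
# SSH from one administrative address.
#
# Must run as root. Tunables (all optional; defaults match the original
# hard-coded values):
#   OFFICE_IP  - source address allowed to open SSH sessions (192.168.1.100)
#   SSH_PORT   - TCP port the SSH daemon listens on (22)
#   IPTABLES   - path to the iptables binary (/sbin/iptables)
#
# NOTE: the /proc/sys writes below are not persistent across reboots; add the
# same keys to /etc/sysctl.conf (or /etc/sysctl.d/) as well.
# NOTE: only IPv4 is handled. If the host has IPv6 connectivity, the
# ip6tables policy is left untouched (usually ACCEPT); apply an equivalent
# ip6tables policy separately.
set -euo pipefail

readonly OFFICE_IP=${OFFICE_IP:-192.168.1.100}
readonly SSH_PORT=${SSH_PORT:-22}
readonly IPTABLES=${IPTABLES:-/sbin/iptables}

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Write a value to a kernel sysctl through /proc/sys.
# Arguments: $1 - key relative to /proc/sys (e.g. net/ipv4/tcp_syncookies)
#            $2 - value to write
# Returns:   non-zero (aborting under set -e) if the key is missing or not
#            writable, instead of silently continuing with a partially
#            hardened kernel.
#######################################
set_sysctl() {
  local key=$1 value=$2
  printf '%s\n' "$value" > "/proc/sys/$key"
}

[[ "$EUID" -eq 0 ]] || die "must run as root"
[[ -x "$IPTABLES" ]] || die "iptables not found at $IPTABLES"

# --- kernel network hardening ------------------------------------------------

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1

# Drop source routed packets (conf/all is ANDed with the per-interface
# value for this key, so clearing "all" alone is sufficient)
set_sysctl net/ipv4/conf/all/accept_source_route 0

# Enable TCP SYN cookie protection from SYN floods
set_sysctl net/ipv4/tcp_syncookies 1

# Don't accept or send ICMP redirect messages.
# For these two keys the kernel ORs conf/all with the per-interface value
# (accept_redirects behaves that way on a non-forwarding host), so setting
# only conf/all/ leaves redirects enabled on any interface whose own value
# is still 1. "default" covers interfaces created later; the loop clears
# every interface that exists now.
for redirect_key in accept_redirects send_redirects; do
  for conf_dir in /proc/sys/net/ipv4/conf/*/; do
    set_sysctl "${conf_dir#/proc/sys/}${redirect_key}" 0
  done
done

# Enable source address spoofing protection (strict reverse-path filter;
# the kernel takes the max of conf/all and the per-interface value)
set_sysctl net/ipv4/conf/all/rp_filter 1

# Log packets with impossible source addresses
set_sysctl net/ipv4/conf/all/log_martians 1

# --- iptables filter policy --------------------------------------------------

# Start from a clean filter table: flush all chains and remove any user
# defined chains left by an earlier ruleset (nat/mangle are not touched).
"$IPTABLES" --flush
"$IPTABLES" --delete-chain

# Allow unlimited traffic on the loopback interface
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow incoming TCP SSH traffic from the office address only
"$IPTABLES" -A INPUT -p tcp -s "$OFFICE_IP" --dport "$SSH_PORT" \
  -m state --state NEW -j ACCEPT

# Log (rate-limited, so a flood cannot fill the log) and then drop all
# other inbound traffic. The explicit DROP keeps the behaviour even if the
# chain policy is changed later.
"$IPTABLES" -A INPUT -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "iptables INPUT drop: "
"$IPTABLES" -A INPUT -j DROP

# Set default policies last, after the ACCEPT rules exist, so that an
# administrator running this over SSH never hits a window where the
# session's packets meet a DROP policy with no matching rule yet.
"$IPTABLES" --policy INPUT DROP
"$IPTABLES" --policy OUTPUT DROP
"$IPTABLES" --policy FORWARD DROP

# Have these rules take effect when iptables is started
/sbin/service iptables save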