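# --- Kernel network hardening (IPv4) ----------------------------------------
# Writes to /proc/sys take effect immediately but are NOT persistent: they are
# lost on reboot unless mirrored into /etc/sysctl.conf (or /etc/sysctl.d/).
# Only net.ipv4 is touched; the net.ipv6.conf.* equivalents are not set here.
#
# Per-interface caveat: the kernel combines conf/all/<knob> with the
# per-interface conf/<if>/<knob> value, and the combination rule differs per
# knob (see the kernel's ip-sysctl documentation). For accept_source_route
# (all/ AND interface), rp_filter (max of the two) and log_martians (OR, and
# we want it on) writing conf/all/ alone gives the intended result. For
# send_redirects, and for accept_redirects on a host with forwarding off, the
# two values are OR'ed, so conf/all/=0 leaves the feature ENABLED on every
# interface whose own flag is still 1 -- the default for a host. Those two
# are therefore written to every conf/*/ entry, which also covers
# conf/default/ for interfaces created later.

# Must run as root: the /proc writes below, and the iptables calls that
# follow, fail otherwise (the echo redirections only print "Permission
# denied" and the script would carry on as if nothing happened).
if [ "$(id -u)" -ne 0 ]; then
  echo "this script must be run as root" >&2
  exit 1
fi

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
# (keeps the host from acting as an amplifier for smurf-style floods).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets. conf/all/ is sufficient: the kernel requires
# both the all/ and the per-interface flag to accept SRR packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages (stops a neighbour on the LAN from
# rewriting this host's routes). Written per interface -- see caveat above.
for knob in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$knob"
done

# Don't send ICMP redirect messages (this host is not a router). Written per
# interface for the same reason.
for knob in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$knob"
done

# Enable source address spoofing protection (strict reverse-path filtering).
# The higher of all/ and per-interface is used, so all/=1 is enough.
# NOTE: strict mode (1) drops legitimate traffic on asymmetrically routed
# hosts; use 2 (loose) there.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses (on if either all/ or the
# per-interface flag is set). Watch the kernel log volume on busy hosts.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians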
21
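# --- Packet filter (IPv4, filter table only) --------------------------------
# The ruleset is loaded atomically with iptables-restore instead of a series
# of individual iptables calls. Loading rule-by-rule has two problems:
#   * there is a window between setting the DROP policies and appending the
#     ESTABLISHED,RELATED rule in which an administrator's SSH session is
#     dropped; on a re-run the initial --flush alone opens that window;
#   * if any single command fails, the host is left half-configured (worst
#     case: DROP policy in place but no SSH rule, and the admin locked out).
# iptables-restore parses the whole set and swaps it in at COMMIT; on a
# syntax error nothing is changed and the previous rules stay in place.
#
# Scope caveats (unchanged from the original behaviour):
#   * only the filter table is replaced; nat and mangle are left untouched;
#   * ip6tables is not touched at all, so if IPv6 is enabled on this host its
#     services are reachable over v6 regardless of these rules;
#   * "-m state" is kept for compatibility with older kernels; on current
#     systems "-m conntrack --ctstate" is the equivalent modern form.

# Address allowed to open new SSH connections. Override via the environment;
# the default is the original hard-coded office host.
OFFICE_IP="${OFFICE_IP:-192.168.1.100}"

/sbin/iptables-restore <<EOF
*filter
# Default policies: everything not explicitly accepted is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow unlimited traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Previously initiated and accepted exchanges bypass rule checking.
# RELATED also admits ICMP errors (e.g. fragmentation-needed) that belong to
# our own connections, so PMTU discovery keeps working even though
# unsolicited inbound ICMP, echo-request included, is dropped.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow unlimited outbound traffic
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow incoming TCP port 22 (ssh) traffic from the office host only
-A INPUT -p tcp -s ${OFFICE_IP} --dport 22 -m state --state NEW -j ACCEPT
# Explicit drop; redundant with the INPUT policy but kept so the decision
# shows up in rule counters. Any rule appended to INPUT later by hand (-A)
# lands after it and is never reached -- use -I to insert instead.
-A INPUT -j DROP
COMMIT
EOF
rc=$?

# Have these rules take effect when iptables is started (RHEL/CentOS
# "service iptables save" writes /etc/sysconfig/iptables) -- but only
# persist a ruleset that actually loaded, so a failed restore never
# overwrites the saved, known-good configuration.
if [ "$rc" -ne 0 ]; then
  echo "iptables-restore failed (exit $rc); existing rules left in place, nothing saved" >&2
  exit "$rc"
fi
/sbin/service iptables save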