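#!/usr/bin/env bash
#
# Host hardening: IPv4 sysctl tweaks plus a default-deny iptables ruleset.
#
# Usage: run as root.  The only inbound service allowed is SSH from the
# office host; override the address with the SSH_ADMIN_SRC environment
# variable (default: 192.168.1.100).
#
# Writes: /proc/sys/net/ipv4/... and the kernel's filter table; persists
# the ruleset with `service iptables save`.
#
# NOTE(review): only IPv4 is covered here.  If IPv6 is enabled on this
# host, ip6tables (or a matching ip6tables-restore file) needs an
# equivalent default-deny ruleset; confirm before relying on this script.
set -euo pipefail

readonly IPT=/sbin/iptables
readonly SYSCTL_ROOT=/proc/sys/net/ipv4
readonly SSH_ADMIN_SRC=${SSH_ADMIN_SRC:-192.168.1.100}

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Write a value to a sysctl node under $SYSCTL_ROOT, aborting on failure.
# Arguments: $1 - path relative to $SYSCTL_ROOT, $2 - value to write
#######################################
sysctl_set() {
  local node=$1 value=$2
  local path="$SYSCTL_ROOT/$node"
  [[ -w "$path" ]] || die "cannot write sysctl $path"
  printf '%s\n' "$value" > "$path"
}

#######################################
# Set a conf/* knob for both "all" (existing interfaces) and "default"
# (interfaces brought up later).  The kernel combines conf/all with the
# per-interface value differently per knob (AND, OR or max), so setting
# "all" alone does not reliably cover every interface.
# Arguments: $1 - knob name under conf/, $2 - value
#######################################
conf_set() {
  local knob=$1 value=$2
  sysctl_set "conf/all/$knob" "$value"
  sysctl_set "conf/default/$knob" "$value"
}

main() {
  (( EUID == 0 )) || die "must be run as root"
  [[ -x "$IPT" ]] || die "$IPT not found or not executable"

  # --- kernel network hardening -------------------------------------------
  # Drop ICMP echo-request messages sent to broadcast or multicast addresses
  sysctl_set icmp_echo_ignore_broadcasts 1
  # Drop source routed packets
  conf_set accept_source_route 0
  # Enable TCP SYN cookie protection from SYN floods
  sysctl_set tcp_syncookies 1
  # Don't accept ICMP redirect messages
  conf_set accept_redirects 0
  # Don't send ICMP redirect messages
  conf_set send_redirects 0
  # Enable source address spoofing protection (reverse-path filtering)
  conf_set rp_filter 1
  # Log packets with impossible source addresses
  conf_set log_martians 1

  # --- packet filter --------------------------------------------------------
  # Set default-deny policies BEFORE flushing: flushing first would leave
  # the host fully open (under a previous ACCEPT policy) until the rules
  # below are loaded.  Established flows recover via retransmission.
  "$IPT" --policy INPUT DROP
  "$IPT" --policy OUTPUT DROP
  "$IPT" --policy FORWARD DROP
  "$IPT" --flush
  # Remove any user-defined chains left over from a previous ruleset so
  # stale jumps cannot survive the flush.
  "$IPT" --delete-chain

  # Allow unlimited traffic on the loopback interface
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT

  # Previously initiated and accepted exchanges bypass rule checking
  # Allow unlimited outbound traffic
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # Allow incoming TCP port 22 (ssh) traffic from the office host only
  "$IPT" -A INPUT -p tcp -s "$SSH_ADMIN_SRC" --dport 22 \
    -m state --state NEW -j ACCEPT

  # Log (rate-limited, so a flood cannot fill the journal) and drop
  # everything else.  The explicit DROP duplicates the policy but makes
  # the ruleset self-describing and keeps the LOG rule last-but-one.
  "$IPT" -A INPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "iptables-drop: " --log-level 4
  "$IPT" -A INPUT -j DROP

  # Have these rules take effect when iptables is started
  /sbin/service iptables save
}

main "$@"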