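#!/bin/sh
# Firewall ruleset for a multi-homed gateway: one public interface ($IF_PUB)
# plus four internal subnets that are masqueraded through it.  Default policy
# is DROP on INPUT and FORWARD and ACCEPT on OUTPUT; every rule below is an
# explicit hole punched into that default.
#
# Re-running this script must yield the same tables, so BOTH the filter and
# the nat table are flushed up front.  A bare `iptables -F` only clears the
# filter table, which previously appended a fresh MASQUERADE/DNAT/SNAT rule
# to the nat table on every run.
#
# Abort on the first failed iptables call: otherwise a half-loaded ruleset
# would be persisted by the `save` at the end and survive a reboot.
set -e

# Interfaces
readonly IF_PUB=eth3
readonly IF_SUBNET1=eth1
readonly IF_SUBNET2=eth2
readonly IF_SUBNET3=wlan0
readonly IF_SUBNET4=vboxnet0
# Networks behind each internal interface
readonly SUBNET1=172.16.21.0/24
readonly SUBNET2=172.16.22.0/24
readonly SUBNET3=172.16.31.0/24
readonly SUBNET4=192.168.56.0/24
# Hosts that receive port-forwarded traffic
readonly FEDORA_GW=192.168.56.1
readonly FEDORA_VM=192.168.56.2
readonly NB=172.16.21.10

# Flush the tables this script populates (filter and nat).
iptables -F
iptables -t nat -F

# By default drop all packets on all chains except OUTPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback and already-tracked connections first.  They match the bulk of
# traffic, and having them at the head of INPUT keeps existing sessions
# (e.g. the SSH session this script is run from) alive while the remaining
# rules load.  All rules that previously preceded them were ACCEPTs, so the
# resulting policy is unchanged.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# My world-visible servers -- no -i/-s restriction, so these are reachable
# from the public interface as well as every internal subnet.
iptables -A INPUT -p TCP --dport 22 -j ACCEPT # SSH
iptables -A INPUT -p TCP --dport 80 -j ACCEPT # Apache
# NOTE(review): distcc's plain TCP mode has no authentication beyond its own
# --allow host list; exposing it on $IF_PUB is a real risk.  Consider
# restricting it with -i/-s like the DNS and NFS rules below.
iptables -A INPUT -p TCP --dport 3632 -j ACCEPT # distcc
# Wormux (listed once; the original opened these two ports twice)
iptables -A INPUT -p TCP --dport 3826 -j ACCEPT # wormux
iptables -A INPUT -p UDP --dport 3826 -j ACCEPT
iptables -A INPUT -p TCP --dport 8010 -j ACCEPT # Jabber -- file transfer protocol
# VNC Servers
# NOTE(review): VNC's built-in password authentication is weak; prefer
# tunnelling it over SSH or limiting these rules to the internal subnets.
iptables -A INPUT -p UDP --dport 5900:5901 -j ACCEPT
iptables -A INPUT -p TCP --dport 5900:5901 -j ACCEPT
# Q3A
iptables -A INPUT -p UDP --dport 27960 -j ACCEPT
# LinuxDC++
iptables -A INPUT -p UDP --dport 9209 -j ACCEPT
iptables -A INPUT -p TCP --dport 9209 -j ACCEPT

# ICMP reply -- error types unconditionally, echo request/reply rate-limited
# so the host stays pingable without becoming a ping-flood amplifier.
iptables -A INPUT -p ICMP --icmp-type 3 -j ACCEPT # destination unrecheable
iptables -A INPUT -p ICMP --icmp-type 11 -j ACCEPT # time exceeded
iptables -A INPUT -p ICMP --icmp-type 0 -m limit --limit 1/s --limit-burst 5 -j ACCEPT # echo reply
iptables -A INPUT -p ICMP --icmp-type 8 -m limit --limit 1/s --limit-burst 5 -j ACCEPT # echo request

# REJECT (not DROP) these so the peer gets an immediate refusal instead of
# waiting for a timeout -- ident lookups and NETBIOS chatter are noisy.
iptables -A INPUT -p TCP --dport 113 -j REJECT # auth on 113
iptables -A INPUT -p UDP --dport 137 -j REJECT # NETBIOS Name Service
iptables -A INPUT -p UDP --dport 138 -j REJECT # NETBIOS Datagram Service

# Multicast stream
iptables -A INPUT -p IGMP -j ACCEPT
iptables -A INPUT -p UDP --dport 1234 -j ACCEPT
iptables -A INPUT -p UDP --dport 4444 -j ACCEPT
iptables -A INPUT -p UDP --dport 4446 -j ACCEPT
iptables -A INPUT -p UDP --dport 4450 -j ACCEPT

# DNS-proxy for local network -- bound to the matching interface AND source
# network so a spoofed internal source on the public interface does not match.
iptables -A INPUT -i "$IF_SUBNET1" -s "$SUBNET1" -p UDP --dport 53 -j ACCEPT
iptables -A INPUT -i "$IF_SUBNET2" -s "$SUBNET2" -p UDP --dport 53 -j ACCEPT
iptables -A INPUT -i "$IF_SUBNET3" -s "$SUBNET3" -p UDP --dport 53 -j ACCEPT
iptables -A INPUT -i "$IF_SUBNET4" -s "$SUBNET4" -p UDP --dport 53 -j ACCEPT

# NFSv4 from SUBNET1 (TCP only)
iptables -A INPUT -i "$IF_SUBNET1" -s "$SUBNET1" -p TCP --dport 111 -j ACCEPT # Sun RPC (NFS v3?)
iptables -A INPUT -i "$IF_SUBNET1" -s "$SUBNET1" -p TCP --dport 2049 -j ACCEPT # NFS v4
iptables -A INPUT -i "$IF_SUBNET1" -s "$SUBNET1" -p TCP --dport 32767 -j ACCEPT # mountd

# Forwarding for local network: anything originating from an internal subnet
# on its own interface may go out, masqueraded behind $IF_PUB; only replies
# come back in.
iptables -t nat -A POSTROUTING -o "$IF_PUB" -j MASQUERADE
iptables -A FORWARD -i "$IF_SUBNET1" -s "$SUBNET1" -j ACCEPT
iptables -A FORWARD -i "$IF_SUBNET2" -s "$SUBNET2" -j ACCEPT
iptables -A FORWARD -i "$IF_SUBNET3" -s "$SUBNET3" -j ACCEPT
iptables -A FORWARD -i "$IF_SUBNET4" -s "$SUBNET4" -j ACCEPT
iptables -A FORWARD -i "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Fedora SSH -- external port 23 is redirected to the VM's sshd.  The SNAT
# makes the VM see $FEDORA_GW as the client so its replies route back here.
# NOTE(review): the LOG rule has no -m limit, so every forwarded TCP packet
# to the VM produces a log line; consider `-m limit --limit 5/min` to keep a
# port scan from flooding the log.
iptables -t nat -A PREROUTING -p TCP --dport 23 -j DNAT --to-destination "$FEDORA_VM:22"
iptables -A FORWARD -p TCP -d "$FEDORA_VM" -j LOG
iptables -A FORWARD -p TCP -d "$FEDORA_VM" --dport 22 -j ACCEPT
iptables -t nat -A POSTROUTING -d "$FEDORA_VM" -j SNAT --to-source "$FEDORA_GW"

# SSH to NB -- external port 24 is redirected to the notebook's sshd.
# NOTE(review): same unlimited LOG rule as above.
iptables -t nat -A PREROUTING -p TCP --dport 24 -j DNAT --to-destination "$NB:22"
iptables -A FORWARD -p TCP -d "$NB" -j LOG
iptables -A FORWARD -p TCP -d "$NB" --dport 22 -j ACCEPT

# jabber from NB
iptables -t nat -A PREROUTING -p TCP --dport 8019 -j DNAT --to-destination "$NB:8019"
iptables -A FORWARD -p TCP -d "$NB" --dport 8019 -j ACCEPT

# Save configuration (only reached when every rule above loaded successfully)
/etc/init.d/iptables save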