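#!/bin/sh
#
# rc.firewall - host firewall for a single-homed server, written as an
# old-style Red Hat init script (start|stop|status|restart|reload).
#
# What "start" installs, in this order:
#   1. default policy DROP on INPUT/OUTPUT/FORWARD, loopback fully open;
#   2. per-address blocks read from /etc/rc.d/rc.firewall.blocked
#      (one IPv4 address at the start of each line; anything after the
#      address on that line is ignored);
#   3. anti-spoofing drops for the host's own address, RFC 1918 space,
#      loopback, link-local, multicast, reserved and broadcast ranges;
#   4. explicit ACCEPT pairs per service, then catch-all DROP/REJECT.
#
# "stop" flushes every chain and sets all policies to ACCEPT, i.e. the
# host is completely unfiltered until "start" runs again. "restart"
# therefore has a short unfiltered window between the two.
#
# All addresses and ports below are site-specific; review them before
# reusing this script on another host.

. /etc/rc.d/init.d/functions
. /etc/sysconfig/network

# Quoted so that an unset NETWORKING cannot turn the test into a
# syntax error.
if [ "${NETWORKING}" = "no" ]; then
  exit 0
fi

if [ ! -x /sbin/iptables ]; then
  exit 0
fi

# --- Site configuration --------------------------------------------
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"

# Recursive DNS servers; only referenced by the UDP/53 rules below.
P="66.49.194.253"
S="66.49.254.254"

LOOPBACK="127.0.0.0/8"
C_A="10.0.0.0/8"
C_B="172.16.0.0/12"
C_C="192.168.0.0/16"
C_D_MULTICAST="224.0.0.0/4"
C_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

PRIVPORTS="0:1023"
UNPRIVPORTS="1024:"
# Not referenced by any rule below; kept for the site's own records.
UNPRIVPORTS1="27909:28001"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# File of addresses to block outright, one per line (see header).
deny_file="/etc/rc.d/rc.firewall.blocked"

case "$1" in
  start)
    printf '%s' "Starting Firewalling: "

    # First IPv4 address printed for the external interface. Matches
    # both "inet addr:1.2.3.4" (old net-tools) and "inet 1.2.3.4"
    # output; the trailing space after "inet" keeps inet6 lines out.
    IPADDR=$(ifconfig "$EXTERNAL_INTERFACE" \
      | sed -n 's/^[[:space:]]*inet [^0-9]*\([0-9][0-9.]*\).*/\1/p' \
      | head -n 1)

    # Several rules below take -s/-d "$IPADDR"; with an empty value they
    # would fail after the chains were already flushed. Bail out before
    # touching any rule instead.
    if [ -z "$IPADDR" ]; then
      printf '\n%s\n' "cannot determine the address of $EXTERNAL_INTERFACE; firewall not changed" >&2
      exit 1
    fi

    # Start from an empty ruleset with a deny-all default.
    iptables -F
    iptables -X
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Loopback is unrestricted.
    iptables -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
    iptables -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

    # Blocked addresses. The sed keeps only the leading run of digits
    # and dots from each line, so nothing option-like can reach
    # iptables; iptables itself rejects anything that is not a valid
    # address. Streaming the list avoids a predictable temp file in
    # /tmp; the loop runs in a subshell but needs no state afterwards.
    if [ -f "$deny_file" ]; then
      sed -n -e 's/^[[:space:]]*\([0-9.]*\).*$/\1/p' "$deny_file" \
        | while IFS= read -r ip_addy; do
            [ -n "$ip_addy" ] || continue
            iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s "$ip_addy" -j DROP
            iptables -A INPUT -i "$EXTERNAL_INTERFACE" -d "$ip_addy" -j DROP
            iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -s "$ip_addy" -j REJECT
            iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -d "$ip_addy" -j REJECT
          done
    fi

    # Anti-spoofing: packets claiming to come from ourselves, from
    # private/reserved/multicast space, or to/from broadcast addresses
    # have no business arriving from the network.
    iptables -A INPUT -s "$IPADDR" -j DROP
    iptables -A INPUT -s "$C_A" -j DROP
    iptables -A INPUT -s "$C_B" -j DROP
    iptables -A INPUT -s "$C_C" -j DROP
    iptables -A INPUT -s "$BROADCAST_DEST" -j DROP
    iptables -A INPUT -d "$BROADCAST_SRC" -j DROP
    iptables -A INPUT -s "$C_D_MULTICAST" -j DROP
    iptables -A INPUT -s "$C_E_RESERVED_NET" -j DROP
    iptables -A INPUT -s 0.0.0.0/8 -j DROP
    iptables -A INPUT -s "$LOOPBACK" -j DROP
    iptables -A INPUT -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -s 192.0.2.0/24 -j DROP
    iptables -A INPUT -s 224.0.0.0/3 -j DROP

    # Traceroute: drop inbound probes, allow our own outbound ones.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp \
      --source-port "$TRACEROUTE_SRC_PORTS" \
      -d "$IPADDR" --destination-port "$TRACEROUTE_DEST_PORTS" -j DROP
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp \
      -s "$IPADDR" --source-port "$TRACEROUTE_SRC_PORTS" \
      --destination-port "$TRACEROUTE_DEST_PORTS" -j ACCEPT

    # DNS (UDP/53) with the two configured resolvers only.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp \
      -s "$P" --source-port 53 \
      -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp \
      -s "$IPADDR" --source-port "$UNPRIVPORTS" \
      -d "$P" --destination-port 53 -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp \
      -s "$S" --source-port 53 \
      -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp \
      -s "$IPADDR" --source-port "$UNPRIVPORTS" \
      -d "$S" --destination-port 53 -j ACCEPT

    # Inbound TCP/19635 from a single management host. Reply rules
    # throughout this file use "! --syn" so that only established
    # connections, never new ones, can travel in the reply direction.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 66.49.252.2/32 --source-port "$SSH_REMOTE_PORTS" \
      -d 0/0 --destination-port 19635 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 19635 \
      -d 66.49.252.2/32 --destination-port "$SSH_REMOTE_PORTS" -j ACCEPT

    # Inbound SMTP server (TCP/25).
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 25 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 25 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Inbound HTTPS server (TCP/443).
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 443 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 443 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Inbound HTTP server (TCP/80).
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 80 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 80 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Inbound TCP/19638 from anywhere.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 19638 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 19638 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Inbound POP3 server (TCP/110).
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 110 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 110 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Inbound TCP/953 from anywhere.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 953 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 953 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Inbound TCP/23 from a single host only.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 66.49.254.2/32 --source-port "$UNPRIVPORTS" \
      -d "$IPADDR" --destination-port 23 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s "$IPADDR" --source-port 23 \
      -d 66.49.254.2/32 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Outbound HTTP client.
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 80 -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 80 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Inbound SSH server (TCP/22) from anywhere.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$SSH_REMOTE_PORTS" \
      -d 0/0 --destination-port 22 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 22 \
      -d 0/0 --destination-port "$SSH_REMOTE_PORTS" -j ACCEPT

    # Inbound FTP server: control (21) and active-mode data (20).
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 21 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 21 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port 20 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 20 -j ACCEPT

    # Outbound SMTP client.
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 25 -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 25 \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # NOTE(review): this pair accepts NEW inbound TCP connections from
    # any source to every port >= 1024, which undoes most of the
    # per-service filtering above for high ports. If it exists for
    # passive FTP, narrow --destination-port to the server's passive
    # range (possibly what UNPRIVPORTS1 was meant for — confirm).
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Outbound FTP client to 66.49.128.0/17.
    # NOTE(review): the INPUT rules in this group match on
    # -d 66.49.128.0/17, but replies arriving here carry our own
    # address as destination, so they appear never to match; the
    # traffic is presumably admitted by the unprivileged-port pairs
    # instead. Kept as-is; confirm intent before changing.
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 66.49.128.0/17 --destination-port 21 -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 21 \
      -d 66.49.128.0/17 --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port 20 \
      -d 66.49.128.0/17 --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 66.49.128.0/17 --destination-port 20 -j ACCEPT

    # Outbound FTP client to 67.55.0.0/18 (same shape as above).
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 67.55.0.0/18 --destination-port 21 -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 21 \
      -d 67.55.0.0/18 --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port 20 \
      -d 67.55.0.0/18 --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 67.55.0.0/18 --destination-port 20 -j ACCEPT

    # Outbound connections from unprivileged to unprivileged ports.
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Inbound TCP/3493 and TCP/5666 from a single monitoring host.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 66.49.255.14/32 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 3493 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 3493 \
      -d 66.49.255.14/32 --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
      -s 66.49.255.14/32 --source-port "$UNPRIVPORTS" \
      -d 0/0 --destination-port 5666 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
      -s 0/0 --source-port 5666 \
      -d 66.49.255.14/32 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # Answer pings only from the listed networks/hosts. These rules
    # carry no -i/-o, so they apply on any interface.
    iptables -A INPUT -s 67.55.0.0/18 -p icmp \
      --icmp-type echo-request \
      -d 0/0 -j ACCEPT
    iptables -A OUTPUT -d 67.55.0.0/18 -p icmp \
      -s 0/0 --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -s 66.49.128.0/17 -p icmp \
      --icmp-type echo-request \
      -d 0/0 -j ACCEPT
    iptables -A INPUT -s 72.138.25.218/32 -p icmp \
      --icmp-type echo-request \
      -d 0/0 -j ACCEPT
    iptables -A OUTPUT -d 72.138.25.218/32 -p icmp \
      -s 0/0 --icmp-type echo-reply -j ACCEPT
    iptables -A OUTPUT -d 66.49.128.0/17 -p icmp \
      -s 0/0 --icmp-type echo-reply -j ACCEPT

    # ICMP error/control messages we accept from the network.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp \
      --icmp-type echo-reply \
      -d 0/0 -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp \
      --icmp-type destination-unreachable \
      -d 0/0 -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp \
      --icmp-type source-quench \
      -d 0/0 -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp \
      --icmp-type time-exceeded \
      -d 0/0 -j ACCEPT
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp \
      --icmp-type parameter-problem \
      -d 0/0 -j ACCEPT

    # ICMP messages we are allowed to send.
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp \
      -s 0/0 --icmp-type fragmentation-needed -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp \
      -s 0/0 --icmp-type source-quench -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp \
      -s 0/0 --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp \
      -s 0/0 --icmp-type parameter-problem -j ACCEPT

    # Catch-all: silently drop remaining inbound TCP/UDP and ICMP
    # redirects (type 5) / type 13, reject anything else outbound so
    # local processes fail fast instead of timing out.
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp -j DROP
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp \
      --destination-port "$PRIVPORTS" -j DROP
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp \
      --destination-port "$UNPRIVPORTS" -j DROP
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp \
      --icmp-type 5 -j DROP
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp \
      --icmp-type 13/255 -j DROP
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -j REJECT
    ;;

  stop)
    # Leaves the host unfiltered (all policies ACCEPT).
    printf '%s' "Shutting Firewalling: "
    iptables -F
    iptables -X
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ;;

  status)
    # NOTE(review): status() from init.d/functions is defined outside
    # this file; if it looks for a running process, it will not reflect
    # the loaded ruleset since iptables is not a daemon — confirm, and
    # consider listing the rules (iptables -L -n) instead.
    status iptables
    ;;

  restart|reload)
    "$0" stop
    "$0" start
    ;;

  *)
    echo "Usage: iptables {start|stop|status|restart|reload}"
    exit 1
    ;;
esac

echo "done"
exit 0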