The firewall below will let in SSH, HTTP and FTP. To avoid SSH brute force dictionary attacks it uses the iptables recent match module for connection rate limiting. It is intended for a Host with a single interface connected to the net, eg. a webserver.
Hint before enabling it add this to your /etc/crontab
:
*/5 * * * * root /etc/init.d/simplefirewall stop >> /var/log/firewall.stop
And check /var/log/firewall.stop
to make sure it runs. This will open your firewall again after 5 minutes to avoid locking yourself out. When everything works as expected comment it out.
#!/bin/bash # Very simple firewall for a single interface IF="eth0" #Interface HIPORT="1024:65535" #Highports (dont change) IPTABLES=`which iptables` || IPTABLES="/usr/sbin/iptables" case $1 in close) $IPTABLES -F $IPTABLES -X $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT echo "Firewall closed, all connections blocked" exit 0 ;; stop) $IPTABLES -F $IPTABLES -X $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT echo "Firewall closed, all connections allowed" exit 0 ;; start) # First of all, flush all rules $IPTABLES -F $IPTABLES -F -t nat $IPTABLES -X $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -F FORWARD # set default policy and create additional chains $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -N dropchain $IPTABLES -N ssh $IPTABLES -N blacklist # enable additional kernel security echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "1" > /proc/sys/net/ipv4/tcp_syncookies echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo "1" > /proc/sys/net/ipv4/conf/$IF/rp_filter echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_redirects echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_source_route echo "0" > /proc/sys/net/ipv4/conf/$IF/bootp_relay echo "1" > /proc/sys/net/ipv4/conf/$IF/log_martians # tune tcp params see for info: # http://www.ussg.iu.edu/hypermail/linux/kernel/0202.1/0436.html echo "30" > /proc/sys/net/ipv4/tcp_keepalive_intvl echo "5" > /proc/sys/net/ipv4/tcp_keepalive_probes echo "900" > /proc/sys/net/ipv4/tcp_keepalive_time # local processes: $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT # icmp stuff: $IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-request -j ACCEPT $IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-reply -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-request -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-reply -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type source-quench -j ACCEPT $IPTABLES -A INPUT -i $IF -p icmp --icmp-type time-exceeded -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type time-exceeded -j ACCEPT $IPTABLES -A INPUT -i $IF -p icmp --icmp-type parameter-problem -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type parameter-problem -j ACCEPT $IPTABLES -A INPUT -i $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT $IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT # let answers out: $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -o $IF -p tcp -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED -o $IF -p udp -j ACCEPT # let all answers in: $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -i $IF -p tcp -j ACCEPT $IPTABLES -A INPUT -m state --state ESTABLISHED -i $IF -p udp -j ACCEPT # ssh rate limit support - iptables recent module needed! # see http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/ # prepare blacklist $IPTABLES -A blacklist -m recent --name blacklist --set $IPTABLES -A blacklist -j LOG --log-level info --log-prefix "FW log BLACKLIST: " $IPTABLES -A blacklist -j DROP # drop everyone currently on the blacklist $IPTABLES -A ssh -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP # count incomers $IPTABLES -A ssh -m recent --set --name counting1 $IPTABLES -A ssh -m recent --set --name counting2 $IPTABLES -A ssh -m recent --set --name counting3 $IPTABLES -A ssh -m recent --set --name counting4 # add to blacklist on rate exceed $IPTABLES -A ssh -m recent --update --name counting1 --seconds 20 --hitcount 5 -j blacklist $IPTABLES -A ssh -m recent --update --name counting2 --seconds 200 --hitcount 15 -j blacklist $IPTABLES -A ssh -m recent --update --name counting3 --seconds 2000 --hitcount 80 -j blacklist $IPTABLES -A ssh -m recent --update --name counting4 --seconds 20000 --hitcount 400 -j blacklist # accept at the end of SSH chain $IPTABLES -A ssh -j ACCEPT # put all SSH traffic in the ssh chain $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ssh -j ssh ########### start of custom rules ############ # let HTTP in $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport http -j ACCEPT # let FTP in (needs loaded ip_conntrack_ftp module) $IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ftp -j ACCEPT ########### end of custom rules ############ # drop & log everything else $IPTABLES -A INPUT -j dropchain $IPTABLES -A OUTPUT -j dropchain # dropchain: every packet will be dropped, and, if defined logged... $IPTABLES -A dropchain -p icmp -j DROP #dont log outgoing icmp $IPTABLES -A dropchain -p tcp -m state --state INVALID -j LOG --log-level info --log-prefix "FW log INVALID: " $IPTABLES -A dropchain -j LOG --log-level info --log-prefix "FW log: " #log everything $IPTABLES -A dropchain -j DROP #done echo "Firewall up and running..." exit 0 ;; *) echo "usage: start | stop | close" exit 1 ;; esac exit 1;