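#!/usr/bin/env bash
#
# Host firewall for a single-homed Linux box.
#
# Policy: INPUT and FORWARD default to DROP, OUTPUT is open. Accepted inbound
# traffic is loopback, the local subnet, a short list of TCP services,
# rate-limited echo-requests and replies to connections this host opened.
# Sources listed in the deny file are logged and dropped before anything is
# accepted. NetBIOS/SMB ports are blocked in both directions outside the LAN.
# Everything else is logged and dropped.
#
# Must run as root (iptables, writes under /proc/sys). Environment:
#   IFACE     interface whose subnet is trusted            (default: eth0)
#   DENYFILE  blocklist, one or more IP/CIDR entries per    (default: /etc/ip.deny)
#             line; blank lines and '#' comments are ignored
set -euo pipefail

IFACE=${IFACE:-eth0}
DENYFILE=${DENYFILE:-/etc/ip.deny}
readonly IFACE DENYFILE
# NetBIOS/SMB ports that must never cross the LAN boundary.
readonly NETBIOS_PORTS='135,137,138,139,445'

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

# Netmask of IFACE, parsed from net-tools style "Mask:x.x.x.x" output; with
# pipefail a missing "Mask" line fails the substitution instead of yielding "".
NETMASK=$(ifconfig "$IFACE" | grep Mask | perl -pe 's/.*Mask:(.+)$/$1/') \
  || die "cannot determine netmask of $IFACE"
# Network address: first routing-table line that mentions IFACE and that mask.
# Only the first match is taken so a multi-line result cannot leak into the rule.
NETWORK=$(netstat -rn | awk -v dev="$IFACE" -v mask="$NETMASK" \
  'index($0, dev) && index($0, mask) { print $1; exit }')
[[ -n $NETMASK && -n $NETWORK ]] || die "cannot determine subnet of $IFACE"
# Trusted subnet in prefix form. Used with "!" below as well: a bare network
# address would be treated as a /32 host and match nothing useful.
readonly LAN="${NETWORK}/${NETMASK}"

# Start from a clean slate: flush rules, delete user chains, default-deny.
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Loopback is always trusted.
iptables -A INPUT -i lo -j ACCEPT

# Blocklist. The IPDENY rules go in before every ACCEPT rule (LAN, services,
# established traffic) so a listed source is dropped regardless of port.
iptables -N IPDENY
iptables -A IPDENY -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES IPDENY]: '
iptables -A IPDENY -j DROP
if [[ -s $DENYFILE ]]; then
  # "|| [[ -n $line ]]" keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [[ -n $line ]]; do
    line=${line%%#*}   # drop trailing comments
    # shellcheck disable=SC2086 -- word-split on purpose: several entries per line
    for ip in $line; do
      iptables -A INPUT -s "$ip" -j IPDENY
    done
  done < "$DENYFILE"
fi

# Everything from the local subnet is accepted.
iptables -A INPUT -s "$LAN" -j ACCEPT

# Kernel hardening via /proc/sys: SYN cookies, ignore broadcast pings, refuse
# ICMP redirects on IFACE, refuse source-routed packets on every interface.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > "/proc/sys/net/ipv4/conf/$IFACE/accept_redirects"
# Sysctl knobs live under /proc/sys/net; NUL-delimited so no path is split.
while IFS= read -r -d '' dev; do
  echo 0 > "$dev"
done < <(find /proc/sys/net -name '*source_route*' -print0)

# Fragmented packets: log and drop.
iptables -N LOG_FRAGMENT
iptables -A LOG_FRAGMENT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FRAGMENT] : '
iptables -A LOG_FRAGMENT -j DROP
iptables -A INPUT -f -j LOG_FRAGMENT

# NetBIOS/SMB: log and drop both inbound from and outbound to non-LAN hosts.
# Modern iptables syntax puts "!" before the option ("! -s"), not after it.
iptables -N NET_BIOS
iptables -A NET_BIOS -j LOG --log-prefix '[iptables NETBIOS] :'
iptables -A NET_BIOS -j DROP
for proto in tcp udp; do
  iptables -A INPUT  ! -s "$LAN" -p "$proto" -m multiport --dports "$NETBIOS_PORTS" -j NET_BIOS
  iptables -A OUTPUT ! -d "$LAN" -p "$proto" -m multiport --dports "$NETBIOS_PORTS" -j NET_BIOS
done

# Echo requests: accept at most 1/s with a burst of 5, log and drop the excess.
iptables -N PING_OF_DEATH
iptables -A PING_OF_DEATH -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A PING_OF_DEATH -j LOG --log-tcp-options --log-ip-options --log-prefix '[iptables PING_OF_DEATH] :'
iptables -A PING_OF_DEATH -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j PING_OF_DEATH

# Replies to connections this host initiated.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Silently drop limited broadcast and all-hosts multicast.
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# ident: reject with RST so remote mail/IRC servers do not wait for a timeout.
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Published TCP services: HTTP, HTTPS, SSH and 3690.
for port in 80 443 22 3690; do
  iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
done

# Catch-all: log, then drop (the chain policies are DROP as well).
iptables -A INPUT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES INPUT]: '
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FORWARD]: '
iptables -A FORWARD -j DROP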