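#!/usr/bin/env bash
#
# Host firewall for an interactive workstation.
#
# Policy: default-deny inbound (INPUT/FORWARD DROP), allow-all outbound
# (OUTPUT ACCEPT).  Inbound traffic is dispatched to one chain per protocol
# (tcp_in / udp_in / icmp_in) so each packet traverses only the rules that can
# apply to it, and malformed packets go to a logging chain (bad_packets).
# The finished ruleset is written to /etc/sysconfig/iptables so the init
# script restores it at boot.
#
# Usage: run as root, preferably from the console (see the note at the
#        "Default deny policy" step).  Environment overrides:
#          IPTABLES       iptables binary (default: iptables)
#          IPTABLES_SAVE  iptables-save binary (default: iptables-save)
#        Pointing both at a wrapper that only echoes gives a dry run.
#
set -eu

readonly IPTABLES=${IPTABLES:-iptables}
readonly IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
readonly INIT_SCRIPT=/etc/init.d/iptables
readonly SAVE_FILE=/etc/sysconfig/iptables

# Source networks and hosts, kept together so the allow lists can be
# audited in one place.
readonly -a SSH_NETS=(
  155.101.3.0/24
  155.101.16.0/24
  155.101.18.0/24
  155.101.19.0/24
  155.101.21.0/24
  155.101.28.0/24
)
readonly -a NIS_NETS=(155.101.3.0/24 155.101.16.0/24)
readonly BACKUP_SERVER=155.101.12.24
readonly -a IDENT_HOSTS=(155.101.3.60 155.101.3.59)
readonly -a PING_NETS=(
  155.101.0.0/16
  155.100.0.0/16
  155.99.0.0/16
  155.98.0.0/16
  155.97.0.0/16
  128.110.0.0/16
)

#######################################
# Run one iptables command through the configured binary.
# Globals:   IPTABLES (read)
# Arguments: iptables arguments, passed through verbatim
# Returns:   the exit status of iptables
#######################################
ipt() {
  "$IPTABLES" "$@"
}

# Optional: keep a copy of the init script before touching anything.
#cp "$INIT_SCRIPT" "${INIT_SCRIPT}.mostrecent"

# Stop the service first.  Its exit status is deliberately not fatal: the
# explicit flush below makes the starting state well-defined either way.
"$INIT_SCRIPT" stop \
  || printf 'warning: %s stop exited with status %d\n' "$INIT_SCRIPT" "$?" >&2

## Start from a clean slate.  Without this, "iptables -N" below fails with
## "Chain already exists" whenever the stop above did not flush the tables,
## and stale rules would survive alongside the new ones.
ipt -F
ipt -X
ipt -Z

## Default deny policy ##
#
# The policies are installed before any rule, so a failure part-way through
# this script leaves the host closed rather than open.  The flip side is that
# an ssh session used to run this script stalls until the ESTABLISHED rule
# further down is added, and is lost for good if the script aborts before
# that point -- hence the advice to run it from the console.
ipt -P INPUT DROP
ipt -P FORWARD DROP
ipt -P OUTPUT ACCEPT   # Allow all outbound traffic

## Build our chains for each protocol, plus one for "bad" packets.  Having
## more chains with fewer checks makes for fewer checks per packet, and less
## overhead.

# This is the one for INVALID packets, or tcp packets that are the first
# in a transaction (hence, "NEW") but don't have the SYN flag set.  Why
# would a valid packet have this?  Log these oddities and drop.
ipt -N bad_packets
ipt -A bad_packets -j LOG --log-level debug --log-prefix "BAD_PACKETS "
ipt -A bad_packets -j DROP

# The in/out protocol chains.  The *_out chains are created but receive no
# rules and nothing jumps to them (OUTPUT policy is ACCEPT); they are kept so
# the chain layout stays as before.
for chain in tcp_in udp_in icmp_in tcp_out udp_out icmp_out; do
  ipt -N "$chain"
done

# ======================= TCP INPUT RULES ===================================
#
# These are added in order of (hopefully) most- to least-used matches.  This
# will allow for less overhead for most encountered packets.

# Allow SSH from the 3, 16, 18, 19, 21 and 28 nets.
# Opening it to the world is left disabled:
#ipt -A tcp_in -p tcp --dport 22 -s 0/0 -j ACCEPT
for net in "${SSH_NETS[@]}"; do
  ipt -A tcp_in -p tcp --dport 22 -s "$net" -j ACCEPT
done
# Individual off-campus hosts that used to be allowed; left disabled.
#ipt -A tcp_in -p tcp --dport 22 -s 209.181.150.41 -j ACCEPT
#ipt -A tcp_in -p tcp --dport 22 -s 209.181.150.45 -j ACCEPT

# Allow NIS traffic in
for net in "${NIS_NETS[@]}"; do
  ipt -A tcp_in -p tcp --dport 731 -s "$net" -j ACCEPT
done

# Allow the backup server to connect to this machine
ipt -A tcp_in -p tcp --dport 617 -s "$BACKUP_SERVER" -j ACCEPT

# Reject ident requests, rather than drop, so sending mail will not
# hang while waiting for ident to time out.
for host in "${IDENT_HOSTS[@]}"; do
  ipt -A tcp_in -p tcp --dport 113 -s "$host" -j REJECT
done

# This is for accessgrid; currently disabled.
#ipt -A tcp_in -p tcp --dport 8000 -s 0/0 -j ACCEPT
#ipt -A tcp_in -p tcp --dport 12000 -s 0/0 -j ACCEPT
#ipt -A tcp_in -p tcp --dport 11000 -s 0/0 -j ACCEPT

# This is for chromium.  Note these two ports are reachable from any source
# (0/0), unlike everything else in this chain.
ipt -A tcp_in -p tcp --dport 10000 -s 0/0 -j ACCEPT
ipt -A tcp_in -p tcp --dport 7000 -s 0/0 -j ACCEPT

# ======================= UDP INPUT RULES ===================================

# Discard the annoying RIP broadcasts from Sierra
ipt -A udp_in -p udp --sport 520 --dport 520 \
  -s 155.101.26.63 -d 155.101.26.255 -j DROP

# ======================= ICMP INPUT RULES ==================================

# Allow ping requests in from campus machines for troubleshooting purposes
for net in "${PING_NETS[@]}"; do
  ipt -A icmp_in -p icmp --icmp-type 8 -s "$net" -j ACCEPT
done

# ======================= MAIN INPUT RULES ==================================
#
## Here's our main INPUT ruleset.  Try to place most frequently-matched
## rules first, so packets don't need to traverse other rules.

# Toss bad packets as soon as we get them
ipt -A INPUT -m state --state INVALID -j bad_packets
ipt -A INPUT -p tcp ! --syn -m state --state NEW -j bad_packets
# Loopback addresses must only ever arrive on the loopback interface; anything
# else claiming to be 127/8 is spoofed and gets logged like the other oddities.
ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j bad_packets

# Toss these annoying broadcasts that fill our logs
ipt -A INPUT -d 224.0.0.1 -j DROP

# Accept established connections first (most likely packet).  Any protocol
# will be caught, if it can be determined to be ESTABLISHED/RELATED.
ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# An occasional localhost-to-localhost connection is needed.  Allow all of
# them.  Matching on the interface (rather than on 127.0.0.1 as source and
# destination) also covers the rest of 127/8 and local connections made to
# the machine's own public address, which all arrive on lo.
ipt -A INPUT -i lo -j ACCEPT

# Process everything else per protocol...
# Send each primary protocol to its input chain for processing.
ipt -A INPUT -p tcp --syn -j tcp_in
ipt -A INPUT -p udp -j udp_in
ipt -A INPUT -p icmp -j icmp_in

# Log the rest!  The INPUT policy (DROP) takes care of discarding it.
# NOTE: this is unthrottled; add "-m limit" here if a flood of unsolicited
# packets ever fills the log.
ipt -A INPUT -j LOG --log-level debug --log-prefix "INPUT_LOGS "

# ======================= MAIN OUTPUT RULES =================================
#
# None needed, since this is an interactive machine.  We should probably let
# people connect to whatever machines we want, on whatever protocol they want.
#
# If we wish to change this behavior, then edit the OUTPUT policy (top of
# script) and add a default LOG line as seen above in the MAIN INPUT rules.

# Persist the ruleset.  Write to a temporary file next to the target and
# rename it into place, so a failed or interrupted iptables-save cannot leave
# a truncated file for the init script to load at the next boot.
tmp_save=$(mktemp "${SAVE_FILE}.XXXXXX")
trap 'rm -f -- "$tmp_save"' EXIT
"$IPTABLES_SAVE" > "$tmp_save"
mv -- "$tmp_save" "$SAVE_FILE"
trap - EXIT

# Reload from the saved file, so what runs now is exactly what will run at boot.
"$INIT_SCRIPT" restart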