iptables script

I’ve been running Fedora Core 1 for about, hmm…5 years(?) on my little ‘ole work-horse server, but this reliable/stable OS has started showing its age.  Repository issues, keeping software and everything else up-to-date.  Ugh.  =0( 

I was initially sold on installing RHEL ES 4 (I had the disks already), but my server had problems with the “transferring image to install…” phase.  So, I took it as a sign to stick with Fedora, which I was happy about since I’m used to it.  More importantly, however, it was an opportunity to try out the new Fedora Core release.

So with tools in hand, I backed up all my scripts and website files and installed Fedora Core 6 last night.  It took about 4 hours to install and configure – in fact, I started a “how-to” on my wiki, just in case I have to do it all over again.

OK, so enough of the rambling.  This post is, after all, about iptables (hats off to to the netfilter.org guys/gals and thanks to Dan Farino for helping out with this).  BTW, I had to disable the security firewall on Fedora to have more control over the firewall.

Steps to take:

  1. Open up a terminal
  2. cd /usr/local/src
  3. mkdir iptables
  4. vi iptables
  5. Copy and paste the script below
  6. chmod 777 scriptname
  7. ./scriptname

Verify no errors occurred, then once done, type the following:

tail -f /var/log/messages

From this point, watch for some interesting stuff.  =0)

Simple enough, huh?  Hopefully, you can make use of this script to build your personal *nix firewall.  Take care.

Make sure /proc/sys/net/ipv4/p_forward is ‘1’ and both ip_conntrack_ftp & ip_nat_ftp modules are loaded (use modprobe modulename).


# flush and delete chains
iptables -F
iptables -X
iptables -t nat -F

# default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -t nat –policy PREROUTING ACCEPT
iptables -t nat –policy POSTROUTING ACCEPT
iptables -t nat –policy OUTPUT ACCEPT

# new user-defined chains
iptables -N tcp-state-flags
iptables -N fragments
iptables -N spoof
iptables -N syn-flood

iptables -N log-tcp-state
iptables -N log-drop-spoof

iptables -N log-input-accept

iptables -N log-input-drop
iptables -N log-fwd-drop


# input rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ! eth0 -j ACCEPT
iptables -A INPUT -p tcp -j tcp-state-flags
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -f -j fragments
iptables -A INPUT -m state –state NEW -j spoof
iptables -A INPUT -p tcp –dport 80 -m state –state NEW -j ACCEPT
iptables -A INPUT -j log-input-drop

# forward rules
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j log-fwd-drop

# output rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state –state INVALID -j DROP


# tcp-state-flags rules
iptables -A tcp-state-flags -p tcp –tcp-flags ALL NONE -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags SYN,RST SYN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags FIN,RST FIN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags ACK,FIN FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags ACK,PSH PSH -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags ACK,URG URG -j log-tcp-state

# fragments rules
iptables -A fragments -f -j LOG –log-level info –log-prefix “___ipt:fragment___: “
iptables -A fragments -f -j DROP

# spoof rules
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof
iptables -A spoof -s -j log-drop-spoof

# syn-flood rules
iptables -A syn-flood -m limit –limit 1/s –limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG –log-level info –log-prefix “___ipt-fw:syn-flood___: “
iptables -A syn-flood -j DROP

# log-tcp-state rules
iptables -A log-tcp-state -j LOG –log-level info –log-prefix “___ipt:invalid-tcp-flag___: “
iptables -A log-tcp-state -j DROP

# log-drop-spoof rules
iptables -A log-drop-spoof -j LOG –log-level info –log-prefix “___ipt:spoof,mcast___: “
iptables -A log-drop-spoof -j DROP

# log-input-accept rules
iptables -A log-input-accept -j LOG –log-level info –log-prefix “___ipt:input-accept___: “
iptables -A log-input-accept -j ACCEPT

# log-input-drop
iptables -A log-input-drop -j LOG –log-level info –log-prefix “___ipt:input-drop___: “
iptables -A log-input-drop -j DROP

# log-fwd-drop
iptables -A log-fwd-drop -j LOG –log-level info –log-prefix “___ipt:fwd-drop___: “
iptables -A log-fwd-drop -j DROP


# postrouting
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


# activate rules
iptables-save > /etc/sysconfig/iptables
service iptables restart


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.