iptables script


# Must be run by root
#@(#) 4 MAR 2005

/usr/sbin/iptables -N LOGDROP
/usr/sbin/iptables -A LOGDROP -j LOG --log-level 4
/usr/sbin/iptables -A LOGDROP -j DROP

# Stuff from LACNIC, RIPE and broadband

#  /usr/sbin/iptables -A INPUT -s -j LOG --log-level debug # LACNIC whois servers are in this range
/usr/sbin/iptables -A INPUT -s -j LOGDROP
#  /usr/sbin/iptables -A INPUT -s   -j LOGDROP  # my IP address is in this range
#  /usr/sbin/iptables -A INPUT -s  -j LOGDROP  # www.latimes.com is in this range
/usr/sbin/iptables -A INPUT -s  -j LOGDROP
/usr/sbin/iptables -A INPUT -s  -j LOGDROP
/usr/sbin/iptables -A INPUT -s  -j LOGDROP
/usr/sbin/iptables -A INPUT -s  -j LOGDROP
/usr/sbin/iptables -A INPUT -s  -j LOGDROP
/usr/sbin/iptables -A INPUT -s  -j LOGDROP

# Crap from Bharti in India
/usr/sbin/iptables -A INPUT -s -j LOGDROP

# Crap from advertising.com SAVVIS???  Earthlink crap

/usr/sbin/iptables -A INPUT -s  -j LOGDROP
/usr/sbin/iptables -A INPUT -s -j LOGDROP

/usr/sbin/iptables -A INPUT -p TCP --dport 20 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 20 -j LOGDROP
/usr/sbin/iptables -A INPUT -p TCP --dport 21 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 21 -j LOGDROP

/usr/sbin/iptables -A INPUT -p TCP --dport 22 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 22 -j LOGDROP

/usr/sbin/iptables -A INPUT -p TCP --dport 23 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 23 -j LOGDROP

/usr/sbin/iptables -A INPUT -p TCP --dport 25 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 25 -j LOGDROP

/usr/sbin/iptables -A INPUT -p TCP --dport 80 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 80 -j LOGDROP
/usr/sbin/iptables -A INPUT -p TCP --dport 8080 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 8080 -j LOGDROP

# POP3
/usr/sbin/iptables -A INPUT -p TCP --dport 110 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 110 -j LOGDROP

# NNTP  Network News
/usr/sbin/iptables -A INPUT -p TCP --dport 119 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 119 -j LOGDROP

# Port 123 Network Time
/usr/sbin/iptables -A INPUT -p TCP --dport 123 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 123 -j LOGDROP

# Microsoft
/usr/sbin/iptables -A INPUT -p TCP --dport 135:139 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 135:139 -j LOGDROP

# RPC  Commented out. Generates false hits on

#/usr/sbin/iptables -A INPUT -p TCP --dport 111 -j LOGDROP
#/usr/sbin/iptables -A INPUT -p UDP --dport 111 -j LOGDROP

/usr/sbin/iptables -A INPUT -p TCP --dport 143 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 143 -j LOGDROP

# Microsoft
/usr/sbin/iptables -A INPUT -p TCP --dport 445 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 445 -j LOGDROP

# Print spooler
/usr/sbin/iptables -A INPUT -p TCP --dport 515 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 515 -j LOGDROP

# IPP Internet Printer Protocol
/usr/sbin/iptables -A INPUT -p TCP --dport 631 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 631 -j LOGDROP

# Port 1026
/usr/sbin/iptables -A INPUT -p TCP --dport 1026 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 1026 -j LOGDROP

# X Windows
/usr/sbin/iptables -A INPUT -p TCP --dport 6000:6063 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 6000:6063 -j LOGDROP

# X Windows  Commented out. This generates an error message.
# (The error is the chain name: the original line read "OUPUT" instead of "OUTPUT"; spelling fixed here.)
#/usr/sbin/iptables -A OUTPUT -p UDP --dport 6000:6063 -j LOGDROP

#xdmcp           177    X Display Manager Control Protocol
/usr/sbin/iptables -A INPUT -p TCP --dport 177 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 177 -j LOGDROP

# open proxy port address
/usr/sbin/iptables -A INPUT -p TCP --dport 65506 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 65506 -j LOGDROP

/usr/sbin/iptables -A INPUT -p TCP --dport 8640 -j LOGDROP
/usr/sbin/iptables -A INPUT -p UDP --dport 8640 -j LOGDROP


Felix Tilley
MAJ, LARTvocate
Fanatic Legionss

Re: iptables script

Felix Tilley wrote:


Yes I can confirm that it is indeed an iptables script.

Re: iptables script

Mike wrote:

...and a poor one at that.

/usr/sbin/iptables -A allow the couple things you want
/usr/sbin/iptables -A -j DROP the rest.

All the rest was a waste of keystrokes, and entirely backwards. Allow what you
need, drop the rest. I certainly hope the OP wasn't posting this as an example
of a usable script.


"I never gave anybody Hell. I just told them the truth, and they thought it was
Hell." - Harry Truman

Re: iptables script

On Tue, 05 Apr 2005 23:42:10 -0700, Felix Tilley wrote:


it might be helpful to tell us the problem/what you want to know...


Re: iptables script

On Tue, 05 Apr 2005 23:42:10 -0700, Felix Tilley wrote:



How about adding this to the above and dropping the rest?

ipt -A INPUT  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
ipt -A INPUT  -i eth0 -j LOGDROP



Smile... it increases your face value!


Re: iptables script


Ouch. RPC's over the 'Net huh? Why don't you just block the outsiders off,
while still letting your internal network connect to Portmapper? This is what I
do, if I end up running NFS or something. Someone will end up doing a rpcinfo
-p your.host.org on you and checking out what RPC's you're running.

For me, ppp0 is external and my internal is eth0. INSPECT table is what I
send all packets to that aren't explicitly accepted (for "inspection").

iptables -A INSPECT -i ppp0 -p tcp --dport 111 -m limit --limit 3/min -j LOG \
    --log-level 7 --log-prefix "RPC.Pm TCP: "
iptables -A INSPECT -i ppp0 -p tcp --dport 111 -j DROP

iptables -A INSPECT -i ppp0 -p udp --dport 111 -m limit --limit 3/min -j LOG \
    --log-level 7 --log-prefix "RPC.Pm UDP: "
iptables -A INSPECT -i ppp0 -p udp --dport 111 -j DROP

This logs and drops anything sent to rpc.portmapper from the Internet, while
allowing my other machines (on eth0) to still connect to it.

-i interface the packets come in on
-o interface the packets go out on

some interfaces: eth0, ppp0, lo0, etc...depending on the system.

I believe there's a new -m rpc match for conntrack in patch-o-matic, which
might be worth checking out if your setup warrants it. There's lots of
interesting add-ons in patch-o-matic (but it does make building your kernel a
little more work.)

MS09-99896 - Vulnerability in All MS Windows OS
Using Windows Could Allow Remote Code Execution
"Microsoft finally admitted today that you just
shouldn't use Windows for anything. Period."
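The two replies above make the same structural point from different angles: Mike's "allow what you need, drop the rest", and the RPC reply's "log and drop portmapper from ppp0, but keep it reachable from eth0". Here is an added example of a ruleset built that way; it is not code from any of the posters. The interface names (ppp0 external, eth0 internal, as in the RPC reply), the management subnet 192.0.2.0/24, and the service list are assumptions to be replaced with your own. It is written so that `IPT=echo` prints the commands instead of applying them, which lets you review the rule order before touching a live host.

```shell
#!/bin/sh
# Default-deny iptables ruleset: allow a short list of services, send everything
# else to a rate-limited LOGDROP chain. Added example, not the original script.
#
# Assumptions (hypothetical, adjust to your host):
#   EXT_IF   external interface (ppp0 in the RPC reply)
#   INT_IF   internal interface (eth0), where the portmapper clients live
#   MGMT_NET the only network allowed to reach SSH (192.0.2.0/24 is TEST-NET-1,
#            a documentation range used here as a placeholder)
# Set IPT=echo for a dry run:  IPT=echo sh fw.sh --apply

IPT="${IPT:-/usr/sbin/iptables}"
EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

firewall_rules() {
    # Start from a clean table: flush rules, delete user chains, zero counters.
    $IPT -F
    $IPT -X
    $IPT -Z

    # Default policies: nothing enters or is forwarded unless a rule allows it.
    # OUTPUT is left open here; tighten it separately if the host must not
    # initiate arbitrary outbound connections.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # LOGDROP: log a bounded number of lines (a port scan cannot fill the disk),
    # then drop. The prefix makes the lines easy to grep out of the kernel log.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 3/min --limit-burst 10 \
         -j LOG --log-level 4 --log-prefix "FW-DROP: "
    $IPT -A LOGDROP -j DROP

    # Loopback is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT

    # Return traffic for connections this host opened, plus related traffic.
    # This is the rule that makes a per-port block list unnecessary.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets that belong to no known connection are logged and dropped.
    $IPT -A INPUT -m state --state INVALID -j LOGDROP

    # The allow list: only what this host actually serves.
    # SSH, new connections only, from the management subnet, on the external side.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -s "$MGMT_NET" \
         -m state --state NEW -j ACCEPT

    # Portmapper (port 111) reachable from the internal interface only.
    # Attempts from the external interface are logged and dropped explicitly so
    # they stand out from the generic catch-all below.
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport 111 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p udp --dport 111 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 111 -j LOGDROP
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 111 -j LOGDROP

    # Rate-limited ping, and the ICMP errors that path MTU discovery relies on.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    # Catch-all: anything not explicitly accepted above is logged and dropped.
    $IPT -A INPUT -j LOGDROP
}

# Number of rules appended to INPUT; handy as a sanity check on a dry run.
count_input_rules() {
    firewall_rules | grep -c -- '-A INPUT '
}

if [ "${1:-}" = "--apply" ]; then
    firewall_rules
fi
```

Rule order is the whole point: the ESTABLISHED,RELATED rule comes before any service rule so reply traffic is handled once, the interface-scoped accepts for port 111 come before the interface-scoped LOGDROPs for the same port, and the unconditional LOGDROP is last. `-m state` is the spelling this thread uses; on current kernels `-m conntrack --ctstate` is the preferred equivalent and the rules translate one for one.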
