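#!/bin/sh
#
# ipt - iptables frontend (Linux 2.3/2.4.x packet filtering)
# port of my old ipfwadm/ipchains script, mainly for dialups
#
# Dedicated to everyone who is too lazy to figure out the new syntax.
# (Sorry if this thing sucks, but too many people requested it.)
#
# Configure the options below accordingly, use -l to log, -f to flush,
# and -p to block everything. Remember to take out things like port 53
# if you really run a nameserver. (Much of the stuff is just blocked for
# stealth/anti-portscan purposes, which works pretty good with DROP.)
#
# (c) 2001 Mixter
# http://mixter.warrior2k.com http://mixter.void.ru
#
# blah.
#

# Path to the iptables binary.
IT=/sbin/iptables
# Interface match prepended to the TCP/UDP rules (dialup by default).
INT="-i ppp0"
# TCP destination ports dropped on $INT. Not used in -p mode, where every
# inbound SYN on $INT is dropped instead.
PORT="22 23 25 53 79 80 111 514 587"
# UDP destination ports dropped on $INT.
PORTU="53 653 2049 910 800 111 33400:33500"
# ICMP types dropped. NOTE(review): these rules carry no $INT, so unlike the
# TCP/UDP rules they apply on every interface -- confirm that is intended.
ITYPES="destination-unreachable source-quench redirect echo-request timestamp-request address-mask-request"
# PARA: non-empty in paranoid mode.
# LOG:  iptables target arguments used by the logging rules.
# L0G:  non-empty whenever a logging rule should precede each DROP.
PARA=
LOG=
L0G=

# Best effort: a failure here is harmless when iptables is built in.
modprobe ip_tables

if [ "$#" -ne 0 ]; then
  case "$1" in
    '-p')
      PARA=1
      LOG="-j LOG --log-level debug"
      L0G=31337
      echo Paranoid mode.
      ;;
    '-l')
      LOG="-j LOG --log-level info"
      L0G=31337
      echo Syslog enabled.
      ;;
    '-f')
      echo Just flushing...
      $IT -P INPUT ACCEPT
      $IT -P FORWARD DROP
      $IT -P OUTPUT ACCEPT
      $IT -F
      exit 0
      ;;
    *)
      echo Usage: "$0" -l\(og\) -p\(aranoid\) -f\(lush\)
      exit 0
      ;;
  esac
fi

# Reset to a known baseline before adding rules: accept by default, never
# forward, and flush whatever an earlier run left in the chains.
$IT -P INPUT ACCEPT
$IT -P FORWARD DROP
$IT -P OUTPUT ACCEPT
$IT -F

# $INT and $LOG stay unquoted on purpose: each holds several iptables
# arguments and must word-split.
if [ -n "$PARA" ]; then
  # Paranoid mode: drop every new inbound TCP connection on $INT.
  $IT -A INPUT -p tcp $INT --syn $LOG
  $IT -A INPUT -p tcp $INT --syn -j DROP
else
  for p in $PORT; do
    if [ -n "$L0G" ]; then
      $IT -A INPUT -p tcp --destination-port "$p" $INT $LOG
    fi
    $IT -A INPUT -p tcp --destination-port "$p" $INT -j DROP
  done
fi

# Fix: this loop used to iterate over $UPORT, which is never assigned, so
# the UDP ports listed in $PORTU were silently left unfiltered.
for p in $PORTU; do
  if [ -n "$L0G" ]; then
    $IT -A INPUT -p udp --destination-port "$p" $INT $LOG
  fi
  $IT -A INPUT -p udp --destination-port "$p" $INT -j DROP
done

for i in $ITYPES; do
  if [ -n "$L0G" ]; then
    # Fix: the logging rule lacked $LOG, so it was inserted with no target
    # (a bare counter) and nothing ever reached syslog for ICMP.
    $IT -A INPUT -p icmp --icmp-type "$i" $LOG
  fi
  $IT -A INPUT -p icmp --icmp-type "$i" -j DROP
done

$IT -L -n --line-numbers
# 00m.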