You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
51 lines
1.4 KiB
51 lines
1.4 KiB
#!/bin/sh
|
|
|
|
#
|
|
# Original version from the OpenWrt project.
|
|
#
|
|
|
|
# Interfaces
|
|
LAN=eth0
|
|
|
|
## CLEAR TABLES
|
|
iptables -t filter -F
|
|
iptables -t filter -X
|
|
|
|
### INPUT
|
|
### (connections with the router as destination)
|
|
|
|
# base case
|
|
iptables -P INPUT DROP
|
|
iptables -A INPUT -m state --state INVALID -j DROP
|
|
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
|
|
|
|
# allow
|
|
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
|
|
iptables -A INPUT -p tcp --sport 22 -j ACCEPT # allow SSH
|
|
iptables -A INPUT -p tcp --sport 80 -j ACCEPT # allow HTTP
|
|
iptables -A INPUT -p tcp --sport 443 -j ACCEPT # allow HTTPS
|
|
|
|
# reject (what to do with anything not allowed earlier)
|
|
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
|
|
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
### OUTPUT
|
|
### (connections with the router as source)
|
|
|
|
# base case
|
|
iptables -P OUTPUT DROP
|
|
iptables -A OUTPUT -m state --state INVALID -j DROP
|
|
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
#
|
|
# insert accept rule here
|
|
#
|
|
|
|
# allow
|
|
iptables -A OUTPUT -j ACCEPT #allow everything out
|
|
|
|
# reject (what to do with anything not allowed earlier)
|
|
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
|
|
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|