# Created: Tue Oct 14 12:25:52 2003
# By     : LinWiz://PersonalFirewall, 1.09
# URL    : http://www.lowth.com/LinWiz/1.09
#
# This file is provided under the terms of the GNU General Public
# License which governs your rights to use and redistribute it, and
# highlights the fact that it is provided with NO WARRANTY whatsoever.
# The full text of the license can be viewed online at ..
#	http://www.lowth.com/LinWiz/1.09/COPYING.txt
# Do not use this file if you disagree with these terms.
#
#
# This facility is available free of charge. If you have found it
# useful, please consider helping to keep it free by using the
# www.lowth.com website as your gateway to Amazon.com or Amazon.co.uk
# when you buy books, music, computers etc from them. This costs you
# nothing extra - but Amazon pays Lowth.com a small commission on any
# purchases you make via this route. This goes to help funding the
# continued development of LinWiz and related tools.
#
# Please use the following links to get to the Amazon site
#
#   http://www.lowth.com/LinWiz/us-shop (USA and Canadian purchases)
#   http://www.lowth.com/LinWiz/uk-shop (UK and European)
#
# If you live elsewhere - just choose the one nearest to you.
#                    Thank You

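# Path to the iptables binary. Overridable from the environment so the same
# ruleset can be run on a system that installs iptables elsewhere.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Address of this host. Inbound packets claiming it as their *source* are
# spoofed and are dropped below. Overridable from the environment.
LOCAL_IP=${LOCAL_IP:-132.230.134.228}

# Flush, Init and Zero the 'built-in' chains
#
# NOTE(review): from this point until the last rule is appended the host is
# unfiltered (policy ACCEPT, no rules), and an iptables error part-way through
# leaves it in that state because nothing stops the script on failure.

$IPTABLES -F INPUT; $IPTABLES -P INPUT ACCEPT; $IPTABLES -Z INPUT
$IPTABLES -F FORWARD; $IPTABLES -P FORWARD ACCEPT; $IPTABLES -Z FORWARD
$IPTABLES -F OUTPUT; $IPTABLES -P OUTPUT ACCEPT; $IPTABLES -Z OUTPUT

# Setup user-defined chains
#   LINWIZ-INPUT : holds the whole inbound policy; INPUT hands every packet to it
#   SYN-FLOOD    : rate limiter for new TCP connections
#   REJECT-PKT   : terminal chain; answers or discards whatever was not accepted

$IPTABLES -X
$IPTABLES -N LINWIZ-INPUT
$IPTABLES -N REJECT-PKT
$IPTABLES -N SYN-FLOOD

$IPTABLES -A INPUT -j LINWIZ-INPUT

######################################################################
# Allow all loopback interface traffic

$IPTABLES -A LINWIZ-INPUT -i lo -j ACCEPT

# Block all attempts to spoof the loopback address
# (genuine loopback traffic was already accepted on 'lo' above, so anything
# still carrying a 127/8 address arrived on a real interface)

$IPTABLES -A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP

# Block all attempts to spoof the local IP address

$IPTABLES -A LINWIZ-INPUT -s "$LOCAL_IP" -j DROP

# Block Syn Flood attacks
# Every SYN is passed through SYN-FLOOD; it RETURNs while under the rate
# limit and drops the packet otherwise.

$IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --syn -j SYN-FLOOD

# Ensure that TCP connections start with syn packets
# (a NEW-state TCP packet without SYN is a stray or a probe, not a connection)

$IPTABLES -A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

# Allow session continuation traffic

$IPTABLES -A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP ping requests from all hosts

$IPTABLES -A LINWIZ-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT

# Allow selected TCP/IP and/or UDP services
# NetBIOS name/datagram service (UDP 137-138).

$IPTABLES -A LINWIZ-INPUT -p udp -m udp --dport 137:138 -j ACCEPT

# NOTE(review): the rule below matches on *source* port only, so it admits
# UDP to any local port as long as the sender uses port 137/138. Replies to
# this host's own NetBIOS queries are already accepted by the
# RELATED,ESTABLISHED rule above, which makes this rule a candidate for
# removal. Kept as generated; review before relying on it.
$IPTABLES -A LINWIZ-INPUT -p udp -m udp --sport 137:138 -j ACCEPT

# Block all other traffic: hand everything not accepted so far to the
# terminal REJECT-PKT chain.

$IPTABLES -A LINWIZ-INPUT -j REJECT-PKT

######################################################################
# Syn flood filtering chain
# '-m limit' is a single global token bucket (1/s, burst 4), not per source:
# a SYN burst from one peer throttles new connections from every peer.

$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYN-FLOOD -j DROP

######################################################################
# Chain used to reject all TCP/IP, UDP and ICMP/PING packets

$IPTABLES -A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable

# Anything else (other ICMP types, protocols other than TCP/UDP) previously
# matched none of the three rules above, fell off the end of this chain, then
# off the end of LINWIZ-INPUT, and was ACCEPTed by the INPUT policy. Discard
# it here so that REJECT-PKT is genuinely terminal and the policy at the top
# is never the deciding rule.
$IPTABLES -A REJECT-PKT -j DROP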
