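# Locate the netfilter front-ends once; every rule below is issued through these
# two variables so that a dry-run mode can swap in "echo".  `command -v` is the
# POSIX builtin for this; `which` is a separate program that is missing on some
# minimal systems and whose output format varies between implementations.
# If a binary is absent the variable ends up empty (the lookup's non-zero status
# only aborts the script when it runs under `set -e`, which this listing does
# not show).
IPTABLES=$(command -v iptables)
IP6TABLES=$(command -v ip6tables)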
# Dry-run mode: prefix both tools with "echo" so each rule below is printed to
# stdout instead of applied.  The resulting value is deliberately two words
# ("echo /path/to/iptables"); the rules expand $IPTABLES / $IP6TABLES unquoted
# so the shell splits it back into command + argument.  Presumably guarded by a
# command-line flag check that this listing omits.
printf -v IPTABLES 'echo %s' "${IPTABLES}"
printf -v IP6TABLES 'echo %s' "${IP6TABLES}"
20 echo "Usage: $(basename "$0") external_interface" 1>&2
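# Refuse an interface name the kernel does not know.  Every allow rule below is
# bound to "${EXT_IF}" with -i, and iptables accepts names of interfaces that do
# not exist yet, so a typo would otherwise go unnoticed and leave the real
# uplink without the intended allow-list.  `ip link show` exits non-zero for an
# unknown interface; its output is not needed.
# NOTE(review): the listing omits the lines following the message, so whether
# the script exits at this point is not visible — it should (exit 1) rather than
# continue with an unusable interface name.
if ! ip link show "${EXT_IF}" >/dev/null 2>&1; then
  # diagnostics belong on stderr, consistent with the usage message
  printf "'%s' does not seem to be a valid interface\n" "${EXT_IF}" >&2
fi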
# Default chain policies, applied identically for IPv4 and IPv6: anything that
# reaches the end of INPUT unmatched is dropped, locally originated traffic is
# allowed.  The FORWARD policy is not part of this listing.
# NOTE(review): the DROP policy is installed before any ACCEPT rule below
# exists.  If the chains were flushed just before this point (not visible here),
# a remote management session loses packets until the conntrack rule further
# down is in place; TCP retransmission normally covers the gap, but keep it in
# mind when reordering.
for fw in "${IPTABLES}" "${IP6TABLES}"; do
  # shellcheck disable=SC2086 — $fw is "echo /path" in dry-run mode and must split
  ${fw} -P INPUT DROP
  ${fw} -P OUTPUT ACCEPT
done
# Loopback is trusted unconditionally (local services talking over 127.0.0.1
# and ::1), for both address families.
for fw in "${IPTABLES}" "${IP6TABLES}"; do
  # shellcheck disable=SC2086 — $fw is "echo /path" in dry-run mode and must split
  ${fw} -A INPUT -i lo -j ACCEPT
done
# ICMP and ICMPv6 are accepted in full.  For IPv6 this is a hard requirement:
# neighbour discovery, router advertisements and path-MTU discovery all ride on
# ICMPv6, and filtering them breaks connectivity outright.
# NOTE(review): the IPv4 rule likewise admits every ICMP type without a rate
# limit; restricting it to the types actually needed (echo-request,
# destination-unreachable, time-exceeded, …) is a common tightening — TODO
# confirm what this host relies on.
accept_icmp=(-A INPUT -p icmp -j ACCEPT)
accept_icmp6=(-A INPUT -p ipv6-icmp -j ACCEPT)
$IPTABLES "${accept_icmp[@]}"
$IP6TABLES "${accept_icmp6[@]}"
# Drop IPv6 packets carrying a type-0 routing header (RH0).  RH0 lets a sender
# dictate intermediate hops and was deprecated by RFC 5095; current kernels
# already ignore it, but this keeps such packets out explicitly regardless of
# kernel configuration.
rh0_rule=(-A INPUT -m rt --rt-type 0 -j DROP)
$IP6TABLES "${rh0_rule[@]}"
# Stateful pass: packets belonging to, or related to, a connection that was
# already accepted (or that this host initiated) are allowed through for both
# address families.  The rules after this point therefore mostly see NEW
# connections.  Packets conntrack classes as INVALID are deliberately not
# matched here.
for fw in "${IPTABLES}" "${IP6TABLES}"; do
  # shellcheck disable=SC2086 — $fw is "echo /path" in dry-run mode and must split
  ${fw} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
done
# IPv6 link-local sources (fe80::/10) are accepted on every interface and to
# every port.  Link-local addresses are not routable, so only hosts on a
# directly attached link can reach this rule.
# NOTE(review): that still includes every neighbour on "${EXT_IF}" (e.g. other
# tenants on a shared hosting segment), and the rule sits ahead of the port
# allow-lists below, so it bypasses them for link-local peers.  Neighbour
# discovery is already covered by the ICMPv6 rule above; if nothing else is
# needed from link-local peers, consider `! -i "${EXT_IF}"` here — TODO confirm.
link_local_rule=(-A INPUT -s fe80::/10 -j ACCEPT)
$IP6TABLES "${link_local_rule[@]}"
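# Accept IPv6 multicast.  The original rule matched on the *source* address
# (-s ff00::/8), which can never be true: RFC 4291 §2.7 forbids multicast
# addresses as packet sources, and Linux discards such packets on input before
# netfilter sees them, so the rule was inert.  Multicast traffic (MLD, mDNS,
# advertisements to ff02::1, …) is identified by its *destination*.
# NOTE(review): this now admits every multicast-addressed datagram on every
# interface, ahead of the port allow-lists below.  The ICMPv6 rule above already
# covers MLD and neighbour discovery; if no other multicast service runs here,
# narrow this rule to the protocols actually needed — TODO confirm.
$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT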
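# Drop TCP segments with flag combinations that no conforming stack produces
# (the classic malformed-probe patterns).  Each entry is "<mask> <compare>" for
# --tcp-flags: the first word names the flags to examine, the second the ones
# that must be set among them.
# NOTE(review): the original comment said "log and drop" but no LOG rule is
# visible in this listing; if logging is wanted, add a rate-limited LOG rule
# ahead of the DROP.  The original applied the check to IPv4 only; IPv6 TCP is
# treated the same here, consistent with every other rule pair in the script.
bad_tcp_flags=(
  'ALL FIN,URG,PSH'
  'ALL ALL'
  'ALL SYN,RST,ACK,FIN,URG'
  'ALL NONE'
  'SYN,RST SYN,RST'
  'SYN,FIN SYN,FIN'
)
for flags in "${bad_tcp_flags[@]}"; do
  # split on the space explicitly rather than via unquoted expansion, so the
  # result does not depend on whatever IFS is in effect
  IFS=' ' read -r mask comp <<<"${flags}"
  for fw in "${IPTABLES}" "${IP6TABLES}"; do
    # shellcheck disable=SC2086 — $fw is "echo /path" in dry-run mode and must split
    ${fw} -A INPUT -p tcp --tcp-flags "${mask}" "${comp}" -j DROP
  done
done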
# Port allow-lists live in two ipset bitmaps (one per transport protocol) so the
# INPUT rules below stay at one line per protocol and family, and the lists can
# be edited at runtime with `ipset add` / `ipset del`.  "-exist" makes both the
# creation and the population idempotent on re-runs.  bitmap:port sets carry no
# address family, which is why one set can serve both iptables and ip6tables.
# NOTE(review): $IPSET is not assigned anywhere in this listing — presumably
# looked up next to $IPTABLES further up; confirm.
$IPSET -exist create allowed_udp bitmap:port range 0-65535
$IPSET -exist create allowed_tcp bitmap:port range 0-65535

# Services reachable from the outside.  The well-known assignments are 22 ssh,
# 25/587 smtp, 53 dns, 80/443 http(s), 143/993 imap, 123 ntp, 1194 openvpn,
# 5222/5269 xmpp, 64738 mumble; the remaining entries are deployment-specific.
# TODO(review): document what listens on 5000 and 22556.
tcp_ports=(22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738)
udp_ports=(53 123 1194 64738)
for p in "${tcp_ports[@]}"; do
  $IPSET -exist add allowed_tcp "${p}"
done
for p in "${udp_ports[@]}"; do
  $IPSET -exist add allowed_udp "${p}"
done
# Only traffic arriving on the external interface is checked against the port
# allow-lists; this block says nothing about other interfaces.  Rules are
# emitted in the same order as before: v4 tcp, v4 udp, v6 tcp, v6 udp.  The set
# name is derived from the protocol (allowed_tcp / allowed_udp).
for fw in "${IPTABLES}" "${IP6TABLES}"; do
  for proto in tcp udp; do
    # shellcheck disable=SC2086 — $fw is "echo /path" in dry-run mode and must split
    ${fw} -A INPUT -i "${EXT_IF}" -p "${proto}" \
      -m set --match-set "allowed_${proto}" dst -j ACCEPT
  done
done
# insert persistent-pest-blocker
# insert trusted passes