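# high ports
#
# INPUT-chain rules. Every rule is appended (-A), so order matters: the
# ESTABLISHED,RELATED accept must stay first, and the per-interface ICMP
# accepts must come before the matching drop.
#
# The interface and network variables are defined earlier in the script.
# Fail closed if any of them is missing: passing an empty value as -i ""
# makes iptables match every interface (turning a per-NIC accept into an
# accept-from-everywhere rule), and an unquoted empty value silently
# shifts the argument list. Aborting is safer than either.
: "${INTIF:?INTIF (internal interface) must be set}"
: "${INTIF2:?INTIF2 (second internal interface) must be set}"
: "${EXTIF:?EXTIF (external interface) must be set}"
: "${INTNET:?INTNET (internal network) must be set}"
: "${INTNET2:?INTNET2 (second internal network) must be set}"

# replies to connections this host opened, plus related flows
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# loopback traffic
# NOTE(review): consider matching "-i lo" instead of addresses so a packet
# arriving on another interface with a spoofed 127.0.0.1 source cannot hit
# this rule.
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# new TCP connections to the 51000-51999 range
# NOTE(review): presumably the passive-FTP data range — confirm it matches
# the FTP server's configured passive range.
iptables -A INPUT -m state --state NEW,RELATED -p tcp --dport 51000:51999 -j ACCEPT

# incoming ICMP
# single-NIC host: use the plain DROP below and comment out the three
# per-interface rules that follow it
#iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -i "$INTIF" -p icmp -j ACCEPT
iptables -A INPUT -i "$INTIF2" -p icmp -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p icmp -j DROP

# noise reduction - chatty LAN protocols we never serve; drop them quietly
iptables -A INPUT -p udp --dport 1027 -j DROP
iptables -A INPUT -p udp --dport 1026 -j DROP
iptables -A INPUT -p udp --dport 135 -j DROP
iptables -A INPUT -p udp --dport 137 -j DROP
iptables -A INPUT -p udp --dport 138 -j DROP
iptables -A INPUT -p udp --dport 123 -j DROP
iptables -A INPUT -p udp --dport 68 -j DROP
# ("-s 0/0 -d 0/0" was dropped from the next two rules: it is the default
# match and changed nothing)
iptables -A INPUT -p udp --sport 68 --dport 67 -j DROP
iptables -A INPUT -p udp --sport 2301 --dport 2301 -j DROP

# permanent drops go here - delete the '-i "$EXTIF"' if you only have one nic
# (BLOCKED_ADDRESS is a placeholder: fill in the host or network to block)
#iptables -A INPUT -i "$EXTIF" -s BLOCKED_ADDRESS -j DROP

# wchat
#iptables -A INPUT -p tcp --dport 2122 -j ACCEPT

# ftp-data (20) and ftp (21)
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# The former "--sport 21 -j ACCEPT" rule is intentionally gone: matching
# on the source port alone let any remote host reach any local TCP port
# just by sending from port 21. Replies from remote FTP servers are
# already covered by the ESTABLISHED,RELATED rule at the top.

# ssh (22)
# from anywhere
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# from internal only
#iptables -A INPUT -s "$INTNET" -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -s "$INTNET2" -p tcp --dport 22 -j ACCEPT

# telnet (23) - dude, don't do it
#iptables -A INPUT -s "$INTNET" -p tcp --dport 23 -j ACCEPT
#iptables -A INPUT -s "$INTNET2" -p tcp --dport 23 -j ACCEPT

# smtp (25)
iptables -A INPUT -p tcp --dport 25 -j ACCEPT

# DNS (53) - not served from this host
iptables -A INPUT -p tcp --dport 53 -j DROP
iptables -A INPUT -p udp --dport 53 -j DROP

# http (80)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# POP-3 (110) - internal networks only
iptables -A INPUT -p tcp -s "$INTNET" --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -s "$INTNET2" --dport 110 -j ACCEPT

# IMAP4 (143) - open to all sources
iptables -A INPUT -p tcp --dport 143 -j ACCEPT

# identd (113)
iptables -A INPUT -p tcp --dport 113 -j ACCEPT

# ldap (389)
# NOTE(review): 389 is cleartext LDAP and is open to every source here,
# unlike POP-3/CVS which are limited to the internal networks; consider
# restricting it the same way and offering only ldaps (636) externally.
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p udp --dport 389 -j ACCEPT

# rmt (514) - internal only
iptables -A INPUT -p tcp -s "$INTNET" --dport 514 -j ACCEPT

# rsh (513) - internal only
iptables -A INPUT -p tcp -s "$INTNET" --dport 513 -j ACCEPT

# cups (631)
iptables -A INPUT -p tcp -s 10.1.0.1 --dport 631 -j ACCEPT
iptables -A INPUT -p tcp -s "$INTNET" --dport 631 -j ACCEPT
iptables -A INPUT -p tcp -s "$INTNET2" --dport 631 -j ACCEPT
#iptables -A INPUT -p udp --dport 631 -j ACCEPT

# ldaps (636)
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p udp --dport 636 -j ACCEPT

# CVS (2401) - internal networks only
iptables -A INPUT -p tcp -s "$INTNET" --dport 2401 -j ACCEPT
iptables -A INPUT -p udp -s "$INTNET" --dport 2401 -j ACCEPT
iptables -A INPUT -p tcp -s "$INTNET2" --dport 2401 -j ACCEPT
iptables -A INPUT -p udp -s "$INTNET2" --dport 2401 -j ACCEPT

# https (443)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# ntop
#iptables -A INPUT -p tcp -s "$INTNET" --dport 3000 -j ACCEPT

# postgresql (5432) - internal only
iptables -A INPUT -p tcp -s "$INTNET" --dport 5432 -j ACCEPT

# torrent
iptables -A INPUT -p udp --dport 6881 -j ACCEPT
iptables -A INPUT -p tcp --dport 6881 -j ACCEPT
iptables -A INPUT -p udp --dport 52361 -j ACCEPT
iptables -A INPUT -p tcp --dport 52361 -j ACCEPT
iptables -A INPUT -p udp --dport 52362 -j ACCEPT
iptables -A INPUT -p tcp --dport 52362 -j ACCEPT

# tomcat apj12-8007 apj13-8009 - loopback only
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 8007 -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 8009 -j ACCEPT

# jboss - internal only
iptables -A INPUT -p tcp -s "$INTNET" --dport 8080 -j ACCEPT
# jboss hypersonic database jdbc:hsqldb:hsql://localhost:1701
#iptables -A INPUT -p tcp -s 127.0.0.1 --dport 1701 -j ACCEPT
# jboss UnoConnection
#iptables -A INPUT -p tcp -s 127.0.0.1 --dport 8100 -j ACCEPT
#iptables -A INPUT -p tcp -s 127.0.0.1 --dport 8083 -j ACCEPT

# udp 26000 from the internal networks
iptables -A INPUT -p udp -s "$INTNET" --dport 26000 -j ACCEPT
iptables -A INPUT -p udp -s "$INTNET2" --dport 26000 -j ACCEPT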