Standalone iptables firewall

The following standalone iptables firewall is suited for a machine with one network interface that allows unlimited loopback traffic and outbound traffic, but does not run any services requiring incoming connection requests. Incoming ICMP ECHO REQUESTS ("pings") are allowed, while all incoming connection requests are silently dropped.

```sh
#!/bin/sh

# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
/sbin/iptables --flush

# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ICMP ECHO REQUESTS from anywhere
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Drop all other traffic
/sbin/iptables -A INPUT -j DROP

# Have these rules take effect when iptables is started
/sbin/service iptables save
```

Back to brandonhutchinson.com.

Last modified: 02/23/2004
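After loading the script it is worth confirming that the ruleset the kernel actually holds matches the intent described above (all three default policies DROP, loopback accepted, and nothing inbound accepted beyond loopback, stateful replies and echo-request). The audit below is an added example, not part of the original page: it parses the `*filter` table of an `iptables-save` dump and reports deviations; the dump embedded in it is constructed to resemble what the script above would produce.

```python
"""Audit an iptables-save dump against the standalone-firewall design above."""

# Constructed sample: roughly what `iptables-save` prints after running the script.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.2.9
*filter
:INPUT DROP [12:720]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":INPUT DROP [pkts:bytes]"
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line.split()[1:])         # drop "-A"; keep chain and args
    return policies, rules

def audit(dump):
    """Return a list of findings; an empty list means the ruleset matches the design."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    if ["INPUT", "-i", "lo", "-j", "ACCEPT"] not in rules:
        findings.append("loopback traffic is not accepted on INPUT")
    for rule in rules:
        if rule[0] != "INPUT" or rule[-1] != "ACCEPT":
            continue
        args = " ".join(rule[1:])
        # Only loopback, stateful replies and ICMP echo-request (type 8) may be accepted inbound.
        if ("-i lo" in args or "ESTABLISHED" in args
                or "--icmp-type 8" in args or "--icmp-type echo-request" in args):
            continue
        findings.append(f"unexpected inbound ACCEPT: {args}")
    return findings
```

On a live host, feed it the real output of `iptables-save` instead of the constructed sample; any finding means the loaded rules no longer match the script.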