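#!/bin/bash
# Host firewall for a single-homed machine.
#
# Sets a default-deny policy on INPUT/FORWARD/OUTPUT and then opens only:
#   - loopback traffic,
#   - all outbound traffic on $OUT except to private/link-local ranges,
#   - inbound SSH (22/tcp), rpcbind (111/tcp+udp) and Apache (8080/tcp),
#   - rate-limited ICMP echo requests,
#   - replies to connections this host initiated (ESTABLISHED,RELATED).
# Everything else is logged (rate-limited) and dropped.
#
# Must run as root. Re-running is safe: every chain is flushed first.

MY_NETWORK="192.168.2.0/24"
# Replace the ip address here with the ip address for your computer. You can use
# the programs "/sbin/ifconfig", or "/sbin/ip addr show".
MY_HOST="192.168.2.20"
# Network interfaces
IN=enp0s3
OUT=enp0s3
# Path to iptables, "/sbin/iptables"
IPTABLES="/sbin/iptables"

# NOTE(review): MY_NETWORK is not referenced by any rule below; it is kept for
# local customisation (e.g. restricting the service rules with -s "$MY_NETWORK").
# shellcheck disable=SC2034
: "$MY_NETWORK"

# iptables needs CAP_NET_ADMIN; fail before touching anything rather than
# leaving a half-applied ruleset behind.
if [[ $EUID -ne 0 ]]; then
  echo "error: this script must be run as root" >&2
  exit 1
fi

########################
### DON'T TOUCH THIS ###
########################
# Flushing all chains and setting default policy
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F
# Recreate the logging chain from scratch. The -F above emptied every chain in
# the filter table, so the user-defined chain can be deleted with -X.
if "$IPTABLES" -L LOG_DROP >/dev/null 2>&1; then
  "$IPTABLES" -X LOG_DROP
fi
"$IPTABLES" -N LOG_DROP
"$IPTABLES" -A LOG_DROP -j LOG --log-prefix "iptables-dropped: " --log-level debug
"$IPTABLES" -A LOG_DROP -j DROP

##################
### START HERE ###
##################
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT DROP

# ALLOW localhost input and output
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Requirement 4, spoofing output: never emit packets for private or link-local
# destinations on the external interface.
for net in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16; do
  "$IPTABLES" -A OUTPUT -o "$OUT" -d "$net" -j DROP
done

# Requirement 3: everything else may leave via the network interface.
"$IPTABLES" -A OUTPUT -o "$OUT" -j ACCEPT

# Requirement 4, spoofing input: drop packets arriving on $IN whose source could
# not legitimately be there - private/link-local ranges, the loopback range,
# and our own address. The loopback and MY_HOST checks matter because the
# service rules below have no -i restriction, so a packet claiming to come from
# 127.0.0.1 would otherwise be accepted by them.
for net in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 "$MY_HOST"; do
  "$IPTABLES" -A INPUT -i "$IN" -s "$net" -j DROP
done

# Requirement 7, XMAS and NULL dropping
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Requirement #8 - exposed services. Only the first packet of a new connection
# has to match here; the rest of each flow is accepted by the ESTABLISHED rule.
# SSH (22/tcp). SSH does not use UDP, so no udp/22 rule is opened.
"$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# rpcbind portmapper (111, tcp and udp)
"$IPTABLES" -A INPUT -p tcp --dport 111 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p udp --dport 111 -j ACCEPT
# Apache web server (8080/tcp)
"$IPTABLES" -A INPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT

# Requirement #6: answer at most one ping per second (default burst of 5).
"$IPTABLES" -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# Echo requests over the limit must be dropped right here; otherwise the
# ESTABLISHED,RELATED rule below would accept them, since conntrack treats
# echo request/reply as an established flow.
"$IPTABLES" -A INPUT -p icmp --icmp-type 8 -j DROP

# Requirement 5, allow established connections
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else: log with a prefix and drop. The log is rate-limited so a
# packet flood cannot fill the syslog; packets beyond the limit skip the chain
# and are still dropped by the INPUT policy.
"$IPTABLES" -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG_DROP

echo "Done!"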