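#!/bin/sh
#
# .factory.firewall -- host firewall for the appliance (iptables, filter
# table, INPUT chain only).  Per-interface allow-lists: eth1 is the
# client-facing side (DNS/DHCP/HTTP/HTTPS/agent), eth0 the management side.
#
# Must run as root: every rule is applied with a bare `iptables` call
# (no sudo), starting with the flush.
#
# Deliberately no `set -e`: one rule that fails to load should not abort
# the script before the trailing per-interface DROP rules are appended,
# which would leave the host more open than intended, not less.

# Start with a clean slate.  --flush only empties the filter-table chains;
# default chain policies, user chains and the nat/mangle tables are untouched.
iptables --flush

# For 4.0 -- Don't apply these rules.
# NOTE: this gate is intentional.  Net effect of running the script on 4.0
# is an EMPTY INPUT chain, i.e. the chain's default policy (normally
# ACCEPT) applies to all traffic.  Remove the gate to enable the rules.
exit 0

# ---------------------------------------------------------------------
# Stateful baseline.  Must come BEFORE the per-interface DROP rules:
# replies to connections the host itself opens (e.g. RADIUS, LDAP, MySQL
# on eth0) arrive as ESTABLISHED/RELATED and would otherwise be discarded
# by the interface-wide DROP at the end of each section.
# ---------------------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

#####
### Customer-provided. NEEDS TESTING
#
# Rate limits have to precede the per-interface ACCEPT/DROP rules.  When
# appended after them (as originally written) they were never evaluated:
# port 80 was already ACCEPTed on both interfaces, and DNS was already
# ACCEPTed (eth1) or DROPped (eth0) before reaching the hashlimit rules.
#
# set iptables limit on incoming port 80 to 10/minute with a burst of 30/minute (new sessions) per source IP
# if the limit is exceeded, drop them for 300 seconds / 5 minutes.
#
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -m hashlimit --hashlimit-name httplimit --hashlimit-mode srcip --hashlimit 10/minute --hashlimit-burst 30 --hashlimit-htable-expire 300000 -j ACCEPT
# Logging is itself rate-limited (1/minute, burst 2) so a flood cannot fill syslog.
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -m hashlimit --hashlimit-name floodlog --hashlimit-mode srcip --hashlimit 1/minute --hashlimit-burst 2 -j LOG --log-prefix "HTTP flood:"
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j DROP
#
# set iptables limit on incoming DNS requests to catch Vista wpad/isatap flooding requests
# typically these occur in thousands per second, we'll threshold at 300/sec (your mileage may vary)
#
# Scoped to eth1: that is the only interface DNS is opened on below.  Without
# the scope, moving this block ahead of the interface rules would also start
# ACCEPTing DNS on eth0 (management), which the original allow-list does not
# permit.  -- confirm this matches the intended topology.
#
iptables -A INPUT --in-interface eth1 -p udp --dport 53 -m hashlimit --hashlimit-name dnslimit --hashlimit-mode srcip --hashlimit 300/sec --hashlimit-burst 500 --hashlimit-htable-expire 300000 -j ACCEPT
iptables -A INPUT --in-interface eth1 -p udp --dport 53 -m hashlimit --hashlimit-name dnslog --hashlimit-mode srcip --hashlimit 1/minute --hashlimit-burst 2 -j LOG --log-prefix "DNS flood:"
iptables -A INPUT --in-interface eth1 -p udp --dport 53 -j DROP

# ---------------------------------------------------------------------
# eth1: client-facing allow-list
# ---------------------------------------------------------------------
# Allow DNS (new queries are already rate-limited/dropped above; kept so the
# allow-list reads completely on its own)
iptables -A INPUT --in-interface eth1 -p UDP --dport 53 -j ACCEPT
# Allow DHCP
iptables -A INPUT --in-interface eth1 -p UDP --dport 67 -j ACCEPT
# Allow HTTP
iptables -A INPUT --in-interface eth1 -p TCP --dport 80 -j ACCEPT
# Allow HTTPS
iptables -A INPUT --in-interface eth1 -p TCP --dport 443 -j ACCEPT
# Allow Agent protocol
iptables -A INPUT --in-interface eth1 -p UDP --dport 4567 -j ACCEPT
# Drop Any other packets
iptables -A INPUT --in-interface eth1 -j DROP

# ---------------------------------------------------------------------
# eth0: management allow-list
# ---------------------------------------------------------------------
# Management Process
iptables -A INPUT --in-interface eth0 -p UDP --dport 5555 -j ACCEPT
iptables -A INPUT --in-interface eth0 -p UDP --dport 5556 -j ACCEPT
# HTTP Mgmt
iptables -A INPUT --in-interface eth0 -p TCP --dport 8080 -j ACCEPT
iptables -A INPUT --in-interface eth0 -p TCP --dport 8443 -j ACCEPT
#ICMP
iptables -A INPUT --in-interface eth0 -p ICMP -j ACCEPT
#mysql
iptables -A INPUT --in-interface eth0 -p TCP --dport 3306 -j ACCEPT
# HTTP portal
iptables -A INPUT --in-interface eth0 -p TCP --dport 443 -j ACCEPT
iptables -A INPUT --in-interface eth0 -p TCP --dport 80 -j ACCEPT
# SSH
iptables -A INPUT --in-interface eth0 -p TCP --dport 22 -j ACCEPT
# RADIUS (1812/1813 standard auth/acct, 1646 legacy accounting)
iptables -A INPUT --in-interface eth0 -p UDP --dport 1646 -j ACCEPT
iptables -A INPUT --in-interface eth0 -p UDP --dport 1812 -j ACCEPT
iptables -A INPUT --in-interface eth0 -p UDP --dport 1813 -j ACCEPT
# LDAP / LDAPS
# These rules originally had no -j target: a rule without a target only
# counts packets and changes nothing, so LDAP and syslog traffic fell
# through to the eth0 DROP below.  -j ACCEPT added to match the intent
# of the surrounding allow-list.
iptables -A INPUT --in-interface eth0 -p TCP --dport 389 -j ACCEPT
iptables -A INPUT --in-interface eth0 -p TCP --dport 636 -j ACCEPT
# SYSLOG (see note above: target was missing)
iptables -A INPUT --in-interface eth0 -p UDP --dport 514 -j ACCEPT
# SNMP
# NOTE(review): 160 is not a standard SNMP port (161 agent, 162 traps);
# left as-is -- confirm it is intentional before relying on it.
iptables -A INPUT --in-interface eth0 -p UDP --dport 161 -j ACCEPT
iptables -A INPUT --in-interface eth0 -p UDP --dport 160 -j ACCEPT
# Allow Agent protocol
iptables -A INPUT --in-interface eth0 -p UDP --dport 4567 -j ACCEPT
# CORBA Name Service
iptables -A INPUT --in-interface eth0 -p TCP --dport 1050 -j ACCEPT
# (for CORBA) Ports above 32000 -- NEEDS TESTING
# This opens every TCP port from 32000 upward on eth0; keep it under review.
iptables -A INPUT --in-interface eth0 -p TCP --dport 32000: -j ACCEPT
# Drop Any other packets
iptables -A INPUT --in-interface eth0 -j DROP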