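#The NAT portion of the ruleset. Used for Network Address Translation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Everything leaving the external interface (eth1) gets its source rewritten to eth1's address.
-A POSTROUTING -o eth1 -j MASQUERADE
# LAN-to-LAN traffic that leaves via the bridge (br0) is masqueraded as well, so the
# reply path goes back through this host rather than directly between the two LAN peers.
-A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
# Port forward: TCP 33770 on the external address is redirected to 192.168.1.1:80.
# "wan_ip" is a placeholder, not an address. iptables-restore resolves it as a host name at
# load time and aborts the whole restore if it cannot; replace it with the real external address.
# NOTE(review): the filter table's FORWARD chain only accepts ESTABLISHED,RELATED from eth1 and
# its INPUT chain likewise, so a NEW connection redirected by this rule is dropped by the DROP
# policies unless a matching accept rule is added there.
-A PREROUTING -p tcp -m tcp -d wan_ip --dport 33770 -j DNAT --to-destination 192.168.1.1:80
# === port forwarding rules go here
# Every table must be closed with COMMIT; without it iptables-restore rejects the next "*table" line.
COMMIT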
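#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
# The [packets:bytes] counters are saved-state values; iptables-restore ignores them unless --counters is given.
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
# TCP flag combinations no legitimate stack sends, dropped before routing on every interface.
# Each check appears exactly once: a packet dropped here never reaches a later rule, so repeating
# the same four rules (as the earlier version of this file did) only added per-packet work.
# The filter table repeats the NULL, SYN+FIN and SYN+RST checks for INPUT on eth1.
# XMAS scan: FIN, PSH and URG set while SYN, RST and ACK are clear.
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
# NULL scan: no flags set at all.
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# SYN and RST set together.
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN and FIN set together.
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT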
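#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
#Logging of dropped traffic is prepared (logdrop chain, the "Log everything else" rule) but both are
#currently disabled or unreferenced, so packets hitting the DROP policies are discarded silently.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# MACS is declared but no rule below appends to it or jumps to it.
:MACS - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:bad_addresses - [0:0]
# Packets the connection tracker cannot classify.
-A INPUT -m state --state INVALID -j DROP
# and now some stuff from http://linux.jamesnet.ca/filter
#
# Forwarding: replies to connections already known on the external side, and anything entering from the LAN bridge.
-A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
# Allow any traffic originating locally
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# allow all communication on internal device , you may use lanip on a hub,
# most at home switches don't like when you use this,
-A INPUT -i br0 -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
# allow output on external device from lan ips
-A OUTPUT -o eth1 -s 192.168.1.0/24 -j ACCEPT
# Weed out bad addresses (private/reserved source ranges that must never arrive on the external interface)
-A INPUT -i eth1 -j bad_addresses
# Drop stealth scans (impossible TCP flag combinations; the mangle table already drops three of these)
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# allow related and established
# allow INPUT of RELATED and ESTABLISHED communication except for ICMP
# (negation written as "! -p", the form current iptables accepts without a deprecation warning)
-A INPUT -i eth1 ! -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Traceroute - allows output on external interface of UDP packets from source port of defined
# ports for traceroute, and to specified UDP destination ports of the state NEW.
-A OUTPUT -o eth1 -p udp --sport 32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT
# ICMP this is of course required to receive response time back from traceroute ping
-A INPUT -i eth1 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth1 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ALLOW OUTGOING DNS (some weird issues were happening involving that)
-A OUTPUT -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
# Disabled rules, kept for reference:
#-A INPUT -i br0 -m state --state NEW -j ACCEPT
#-A INPUT -i eth1 -p udp --dport 68 -j DROP
# DHCP server-to-client traffic on the LAN bridge; already covered by the unconditional "-i br0" ACCEPT above.
-A INPUT -i br0 -p udp --sport 67 --dport 68 -j ACCEPT
# Custom services/from firmware
-A FORWARD -i br0 -o br0 -j ACCEPT
# Disabled rate-limited FORWARD accepts, kept for reference:
#-A FORWARD -i eth1 -p tcp --syn -m limit --limit 1/s -j ACCEPT
#-A FORWARD -i eth1 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#-A FORWARD -i eth1 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Restrict ICMP traffic (all disabled: inbound ICMP on eth1 is only accepted as ESTABLISHED,RELATED above)
#-A INPUT -i eth1 -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
#-A INPUT -i eth1 -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
#-A INPUT -i eth1 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
#-A INPUT -i eth1 -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Log everything else (disabled; enable it to see what the INPUT DROP policy discards)
#-A INPUT -m limit --limit 3 -j LOG
# --- Bad Address tables ---
# Source ranges that should never arrive from the outside: RFC 1918 private space, loopback,
# "this network", link-local, multicast and reserved space. Masks are written in CIDR form throughout.
-A bad_addresses -s 192.168.0.0/16 -j DROP
-A bad_addresses -s 10.0.0.0/8 -j DROP
-A bad_addresses -s 172.16.0.0/12 -j DROP
-A bad_addresses -s 127.0.0.0/8 -j DROP
-A bad_addresses -s 0.0.0.0/8 -j DROP
-A bad_addresses -s 169.254.0.0/16 -j DROP
-A bad_addresses -s 224.0.0.0/4 -j DROP
-A bad_addresses -s 240.0.0.0/5 -j DROP
# Anything other than UDP sent to a multicast destination.
-A bad_addresses -d 224.0.0.0/4 ! -p udp -j DROP
# Locally generated ICMP the connection tracker cannot classify.
-A OUTPUT -p icmp -m state --state INVALID -j DROP
# Logging helpers. Nothing above jumps to logaccept or logdrop yet.
# NOTE(review): neither LOG rule carries "-m limit", so once these chains are referenced every
# NEW packet produces a kernel log line; add a limit before wiring them in.
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT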