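#!/bin/sh
#------------------------------------------------------------------------------
# File: fw_blockall
# Author: Uwe Hermann
# URL: http://www.hermann-uwe.de/files/fw_blockall
# License: GNU GPL (version 2, or any later version).
# $Id: fw_blockall 223 2005-06-27 19:34:07Z uh1763 $
#------------------------------------------------------------------------------
# This is a firewall script which blocks ALL access from/to everyone (INPUT,
# OUTPUT and FORWARD). Not even traffic to/from localhost is allowed.
# All pings are disabled (normal and broadcast).
# Note: This is work in progress! Any comments and suggestions are welcome!
#
# Scope: only the IPv4 stack is touched (iptables and /proc/sys/net/ipv4).
# The IPv6 stack (ip6tables) is NOT affected by this script.
# The script must run as root: it writes to /proc/sys and modifies the
# netfilter tables.
#------------------------------------------------------------------------------

#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------

# For debugging:
# IPTABLES="/sbin/iptables -v"
IPTABLES="/sbin/iptables"

#------------------------------------------------------------------------------
# Helpers / sanity checks.
#------------------------------------------------------------------------------

# Print a message to stderr and abort with a non-zero status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort early, before anything is modified, if we cannot possibly succeed.
[ "$(id -u)" -eq 0 ] || die "fw_blockall: must be run as root"
# The first word of $IPTABLES is the binary (the rest may be options, e.g. -v).
command -v "${IPTABLES%% *}" >/dev/null 2>&1 \
  || die "fw_blockall: iptables binary not found: ${IPTABLES%% *}"

#------------------------------------------------------------------------------
# Kernel configuration.
#
# For details see:
#  * http://www.linuxgazette.com/issue77/lechnyr.html
#  * /usr/src/linux/Documentation/filesystems/proc.txt
#  * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------

# Disable IP forwarding.
# Note: Turning this on and off should reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# IP spoofing protection (i.e. source address verification).
# TODO: Only effective if IP forwarding is turned on?
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Enable protection against SYN flood attacks.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore all ICMP ECHO requests (i.e. disable PING).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP ECHO requests sent to broadcast/multicast addresses.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#------------------------------------------------------------------------------
# Default policies (filter table).
#
# These are set BEFORE the rules are flushed on purpose: a flush does not
# change the chain policies, so setting DROP first means there is no window
# between "old rules removed" and "new policy applied" in which the host
# would accept traffic. Policies of the nat/mangle tables are left untouched.
#------------------------------------------------------------------------------

# $IPTABLES is deliberately unquoted so that extra options (e.g. -v) split.
# shellcheck disable=SC2086
$IPTABLES -P INPUT DROP   || die "fw_blockall: cannot set INPUT policy"
# shellcheck disable=SC2086
$IPTABLES -P FORWARD DROP || die "fw_blockall: cannot set FORWARD policy"
# shellcheck disable=SC2086
$IPTABLES -P OUTPUT DROP  || die "fw_blockall: cannot set OUTPUT policy"

#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------

# Run one iptables action against the filter, nat and mangle tables.
# Arguments: $1 - the iptables flag to apply (-F, -X or -Z)
for_all_tables() {
  # shellcheck disable=SC2086
  $IPTABLES "$1"
  # shellcheck disable=SC2086
  $IPTABLES -t nat "$1"
  # shellcheck disable=SC2086
  $IPTABLES -t mangle "$1"
}

# Delete all rules.
for_all_tables -F

# Delete all (non-builtin) user-defined chains.
for_all_tables -X

# Zero all packet and byte counters.
for_all_tables -Z

#------------------------------------------------------------------------------
# Drop / reject everything explicitly, just to be sure.
#------------------------------------------------------------------------------

# Use REJECT if you want to be nicer.
# shellcheck disable=SC2086
$IPTABLES -A INPUT -j DROP
# shellcheck disable=SC2086
$IPTABLES -A OUTPUT -j DROP
# shellcheck disable=SC2086
$IPTABLES -A FORWARD -j DROP

#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------

exit 0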