Iptables, Firewalls, Linux

Description

When using iptables I like to keep my whole firewall in a text file, so I can see everything at once when I need to edit it, open ports, etc. There is no requirement on where this file is stored; I keep it in /system/configuration/firewall.txt.

firewall.txt

# Generated by iptables-save v1.4.2 on Fri Mar 20 14:20:07 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [16059:5970755]
:BADFLAGS - [0:0]
:FIREWALL - [0:0]
:REJECTWALL - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j BADFLAGS 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j BADFLAGS 
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT 
-A INPUT -p icmp -j FIREWALL 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT 
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
#-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 902 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3688 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3689 -j ACCEPT 
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 4444 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 6881 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8222 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8333 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 9312 -j ACCEPT
-A INPUT -s dornick.alunduil.com -i eth0 -p tcp -m state --state NEW -m tcp --dport 9101:9103 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --dport 1024:65535 -j DROP 
-A INPUT -i eth0 -p tcp -m tcp --dport 1024:65535 -j DROP 
-A INPUT -j REJECTWALL 
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A BADFLAGS -m limit --limit 10/min -j LOG --log-prefix "BADFLAGS: " 
-A BADFLAGS -j DROP 
-A FIREWALL -m limit --limit 10/min -j LOG --log-prefix "FIREWALL: " 
-A FIREWALL -j DROP 
-A REJECTWALL -m limit --limit 10/min -j LOG --log-prefix "REJECTWALL: " 
-A REJECTWALL -j REJECT --reject-with icmp-host-unreachable 
COMMIT
# Completed on Fri Mar 20 14:20:07 2009

How to update your iptables with this firewall

I use fail2ban, which I highly recommend; set it up if you want it. Each time firewall.txt is edited, this is how you load it into the running firewall:

/etc/init.d/fail2ban stop
iptables-restore < /system/configuration/firewall.txt
/etc/init.d/iptables save
/etc/init.d/fail2ban start
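The four commands above work, but a typo in firewall.txt is only discovered after fail2ban has been stopped, and iptables-restore replaces the whole filter table, so the order matters. The script below is an added example, not part of the original post or of fail2ban's own tooling. It checks the saved file as text before anything is touched (declared chains, jump targets, COMMIT), asks iptables-restore to parse it without committing, and only then performs the stop/restore/save/start sequence, restarting fail2ban even when the reload fails. It also lists which ports the saved INPUT chain accepts from any source, the list a defender wants to compare against the services meant to be public (in the post's ruleset that list includes 3306, for instance). Assumptions: the file path from the post, an iptables-restore that supports --test, and the init scripts the post uses; SAMPLE is a trimmed copy of the post's ruleset written to a temp file so the checks run without root.

```shell
#!/bin/sh
# Added example, not part of the original post. Wraps the post's four-step
# reload so a bad firewall.txt is caught before fail2ban is stopped, and
# reports which ports the saved INPUT chain accepts from any source.
# Assumptions: the path below, iptables-restore with --test, the init scripts
# the post uses. SAMPLE is a trimmed copy of the post's ruleset (constructed
# here so the checks can be exercised without root).

FIREWALL_FILE="${FIREWALL_FILE:-/system/configuration/firewall.txt}"

SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:REJECTWALL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
#-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s dornick.alunduil.com -i eth0 -p tcp -m state --state NEW -m tcp --dport 9101:9103 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECTWALL
-A REJECTWALL -m limit --limit 10/min -j LOG --log-prefix "REJECTWALL: "
-A REJECTWALL -j REJECT --reject-with icmp-host-unreachable
COMMIT
EOF

# Text-level sanity check of an iptables-save file, no root needed: every
# -A/-I must name a chain declared with ':CHAIN' in the current table, every
# -j must hit a declared chain or a built-in target, and each table must end
# in COMMIT. Exit status 0 when clean; problems are written to stderr.
check_ruleset() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk '
        BEGIN { ok = 1 }
        /^#/ || /^[ \t]*$/ { next }
        /^\*/ { if (table != "" && !committed) bad("table " table " lacks COMMIT")
                table = substr($0, 2); split("", chains); committed = 0; next }
        /^:/ { chains[substr($1, 2)] = 1; next }
        /^COMMIT$/ { committed = 1; next }
        /^-[AI] / {
            if (!($2 in chains)) bad(FNR ": unknown chain " $2)
            for (i = 3; i < NF; i++)
                if ($i == "-j" && !($(i+1) in chains) &&
                    $(i+1) !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN)$/)
                    bad(FNR ": unknown target " $(i+1))
            next
        }
        { bad(FNR ": unrecognised line: " $0) }
        END { if (table != "" && !committed) bad("table " table " lacks COMMIT")
              exit (ok ? 0 : 1) }
        function bad(msg) { print msg > "/dev/stderr"; ok = 0 }
    ' "$1"
}

# Ports the INPUT chain ACCEPTs with no -s restriction, printed as
# "proto port" per line, to diff against the services meant to be public.
open_to_any() {
    awk '
        /^-A INPUT / && / -j ACCEPT/ && / --dport / && !/ -s / {
            p = d = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") p = $(i+1)
                if ($i == "--dport") d = $(i+1)
            }
            print p, d
        }' "$1"
}

apply_firewall() {
    check_ruleset "$FIREWALL_FILE" || return 1
    # Kernel-side parse of the whole file without committing it, so a rule
    # the kernel rejects is found while fail2ban is still running.
    iptables-restore --test < "$FIREWALL_FILE" || return 1
    /etc/init.d/fail2ban stop
    # iptables-restore replaces the entire filter table, including the chains
    # fail2ban added, which is why fail2ban is stopped first and started again
    # below. The start runs even if restore or save fails, so a bad reload
    # never leaves the host without fail2ban.
    rc=0
    iptables-restore < "$FIREWALL_FILE" && /etc/init.d/iptables save || rc=$?
    /etc/init.d/fail2ban start
    return $rc
}

# Exercise the checks on the constructed sample; pass "apply" to reload for real.
check_ruleset "$SAMPLE" && echo "sample ruleset: ok"
open_to_any "$SAMPLE"
if [ "${1:-}" = "apply" ]; then apply_firewall; fi
```

Run it with no arguments to audit the sample, or with `apply` (as root) to reload firewall.txt. Note that check_ruleset only validates structure; a rule with a source hostname such as the post's dornick.alunduil.com is still resolved by iptables-restore at load time, so a DNS failure at that moment is caught by the --test pass rather than by the text check.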
