
As promised to Fuller` on irc.

  • 23-10-2002 4:06pm


    rc.local
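    #!/bin/sh
    #
    # /etc/rc.d/rc.local: Local system initialization script.
    #
    # Configures this host as a NAT gateway and packet filter for the
    # 10.0.0.0/24 LAN, then starts Samba, Postfix, the ADSL link and Squid.
    #
    # NOTE(review): no chain policy (-P) is set anywhere in this script, so
    # INPUT/FORWARD/OUTPUT keep whatever policy is already in place (ACCEPT on
    # a freshly booted kernel). Under an ACCEPT policy only the DROP rules
    # below actually block traffic; the ACCEPT rules record intent but do not
    # restrict anything. Confirm the intended policy before reusing this.
    #
    # NOTE(review): packets from the LAN to Internet hosts are routed and
    # traverse FORWARD, not INPUT. The "-s 10.0.0.0/24 -d ! 10.0.0.0/24" INPUT
    # rules therefore only match traffic addressed to this host's own non-LAN
    # address. FORWARD carries a single port-80 ACCEPT rule and is otherwise
    # governed by its policy.
    #
    # NOTE(review): replies from remote servers carry the service port as
    # their *source* port, so the outside-facing "--dport N --state ESTABLISHED"
    # rules match packets sent to local port N, not replies to outbound
    # clients. Verify whether --sport was intended.
    #
    # NOTE(review): negation is written in the older "-s ! addr" form used by
    # the original script; newer iptables releases document it as "! -s addr".
    #
    # Put any local setup commands in here:
    echo "Enabeling Network Address Translation and Firewall rules resistance is futile!"

    # Start from a clean slate so the script can be re-run by hand: flush the
    # filter rules, delete leftover user chains (otherwise -N syn-flood fails
    # because the chain already exists) and flush the nat table (otherwise
    # every re-run appends duplicate DNAT/MASQUERADE rules).
    iptables -F
    iptables -X
    iptables -t nat -F

    ## SYN flood limiter: TCP SYNs from outside the LAN are sent through the
    ## syn-flood chain, which RETURNs up to 1/s (burst 4) to INPUT and drops
    ## the excess. "-m limit" keeps one shared counter for all sources, so a
    ## flood also throttles legitimate external SYNs to this host.
    iptables -N syn-flood
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --syn -j syn-flood
    iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    iptables -A syn-flood -j DROP

    # Drop any "new" TCP connection from outside that does not start with a SYN.
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp ! --syn -m state --state NEW -j DROP

    # Samba / NetBIOS session service (139): hosts outside the LAN may not
    # open new connections.
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 139 -m state --state NEW -j DROP
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 139 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT

    # http: inbound port 80 from outside is DNATed to 10.0.0.2:80. DNATed
    # packets are routed, so the FORWARD rule is the one that admits them.
    iptables -t nat -A PREROUTING -s ! 10.0.0.0/24 -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
    iptables -A FORWARD -s ! 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    # ftp (control channel, port 21). The LAN-side rule uses port 21 so that
    # it matches this section; only the control port is covered here.
    iptables -t filter -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

    # irc (port 194)
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 194 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 194 -m state --state NEW,ESTABLISHED -j ACCEPT

    # allow dns (udp/53)
    iptables -A INPUT -s ! 10.0.0.0/24 -p udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

    # outgoing ssh
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

    # telnet out
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 23 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT

    # smtp: unlike the other services, NEW connections from outside are
    # accepted here (Postfix is started below as a mail relay).
    # NOTE(review): confirm Postfix relay restrictions so this is not an
    # open relay.
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

    # nameserver out (port 42)
    iptables -t filter -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 42 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 42 -m state --state NEW,ESTABLISHED -j ACCEPT

    # rsync out
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 873 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT

    # irc (port 6667)
    iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 6667 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT

    # masquerading: LAN traffic leaving for non-LAN destinations is source-NATed;
    # LAN-to-LAN traffic is left untranslated.
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT

    # icmp: log ICMP from outside addressed to the LAN range, accept it only
    # when it belongs to an established flow, and let the LAN originate ICMP.
    iptables -A INPUT -s ! 10.0.0.0/24 -d 10.0.0.0/24 -p icmp -j LOG
    iptables -A INPUT -s ! 10.0.0.0/24 -d 10.0.0.0/24 -p icmp -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p icmp -s 10.0.0.0/24 -d ! 10.0.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Catch-all: drop every remaining NEW tcp/udp/icmp packet that does not
    # come from the LAN. Uncomment the LOG lines to record packets before
    # they are dropped.
    #iptables -A INPUT -p tcp -s ! 10.0.0.0/24 -m state --state NEW -j LOG
    iptables -A INPUT -p tcp -s ! 10.0.0.0/24 -m state --state NEW -j DROP
    #iptables -A INPUT -p udp -s ! 10.0.0.0/24 -m state --state NEW -j LOG
    iptables -A INPUT -p udp -s ! 10.0.0.0/24 -m state --state NEW -j DROP
    #iptables -A INPUT -p icmp -s ! 10.0.0.0/24 -m state --state NEW -j LOG
    iptables -A INPUT -p icmp -s ! 10.0.0.0/24 -m state --state NEW -j DROP

    # Turn on routing only once the rules above are loaded, so the host never
    # forwards packets with an empty rule set.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    echo "Starting Samba"
    /usr/sbin/smbd
    /usr/sbin/nmbd
    echo "Starting Postfix mail relay"
    postfix start
    echo "Bringing up ADSL connection now fear the Penguin lusers !"
    adsl-start
    echo "Starting Squid Unix Proxy Server"
    /usr/local/squid/bin/squid -s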

