#!/bin/sh
#File: /etc/rc.d/rc.firewall
#File: /etc/rc.d/rc.firewall
# Immediately log and drop any known abusive IPs
iptables -A INPUT -p tcp -s 87.118.104.44 -m limit –limit 1/minute –limit-burst 10 -j LOG –log-prefix “[DROPPED_NODE]“ –log-level 4iptables -A INPUT -p tcp -s 87.118.104.44 -j DROP
# Allow from any to any on 127.0.0.1/32
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1/32 -j ACCEPT
# Track connection state
iptables -A INPUT -p tcp -m state –state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state –state NEW,ESTABLISHED -j ACCEPT
# Allow all foreign IPs to access ports 443 and 80
iptables -A INPUT -p TCP –dport 443 -j ACCEPT
iptables -A INPUT -p TCP –dport 80 -j ACCEPT
# Allow access from a specified foreign IP
# to this server’s port 8080
# to this server’s port 8080
iptables -A INPUT -p TCP -s 172.16.88.2/32 –dport 8080 -j ACCEPT
# Allow access from a specified foreign IP
# to any port listening on this server
# to any port listening on this server
iptables -A INPUT -p TCP -s 172.13.88.3/32 -j ACCEPT
# Drop incoming UDP packets on port 137 and 138 without logging
iptables -A INPUT -p UDP –dport 137 -j DROP
iptables -A INPUT -p UDP –dport 138 -j DROP
# Accept all other incoming UDP packets
iptables -A INPUT -p UDP -j ACCEPT
# Log and Drop everything else
iptables -A INPUT -j LOG -m limit –limit 1/minute –limit-burst 10 –log-prefix “[DROPPED_NODE]” –log-level 4
iptables -A INPUT -j DROP
# View all rules
iptables -L -v
# View INPUT rules
iptables -L INPUT -nv
# View max tracked connections
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
# Set max tracked connections
# add the following line to rc.local if sysctl.conf doesn’t exist
# add the following line to rc.local if sysctl.conf doesn’t exist
echo 128000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
# View Current HASHSIZE
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
