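#!/bin/bash
# iptables script reverse-proxy version 1.0 dec 2015 By Hans-Cees Speel.
#
# Host firewall for a reverse proxy. IPv4 only: this script configures
# /sbin/iptables and never touches ip6tables, so IPv6 is left as the
# system default. Ruleset in short:
#   - policy DROP on INPUT, FORWARD and OUTPUT
#   - OUTPUT: everything accepted; FORWARD: everything dropped
#   - INPUT: ICMP goes through icmpInOut, loopback accepted, multicast
#     dropped, the rest through StatefulInputFilter (ESTABLISHED/RELATED,
#     any NEW flow not arriving on EXTDEV, and NEW TCP 80/443 from anywhere)
#
# No 'set -e' on purpose: the chain policies are switched to DROP before
# the ACCEPT rules are appended, so aborting halfway through would leave
# the host unreachable. Must be run as root.

set -u

readonly IPT=/sbin/iptables
readonly EXTDEV=eth1   # external (internet-facing) device
readonly LANDEV=eth0   # internal device

# Every command below needs CAP_NET_ADMIN; fail early with a clear message
# instead of a long list of iptables permission errors.
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

printf 'flushing all chains\n'
# -F in a table flushes every chain in it (builtin and user-defined),
# so a separate flush of INPUT/OUTPUT/FORWARD is not needed; -X then
# removes the now-empty user-defined chains.
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
done
for table in filter nat mangle; do
  "$IPT" -t "$table" -X
done

# Default policies for the builtin chains.
"$IPT" --policy FORWARD DROP
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT DROP

# New chains: stateful input filtering and ICMP scrubbing.
"$IPT" --new-chain StatefulInputFilter
"$IPT" --new-chain icmpInOut

### INPUT chain
# ICMP is scrubbed via icmpInOut, local loop is accepted,
# multicast is dropped, the rest goes to the stateful chain.
"$IPT" --append INPUT --protocol icmp --jump icmpInOut
"$IPT" --append INPUT -i lo -j ACCEPT
"$IPT" --append INPUT -s 224.0.0.0/4 -j DROP
"$IPT" --append INPUT -d 224.0.0.0/4 -j DROP
"$IPT" --append INPUT -j StatefulInputFilter

# Accept all outgoing traffic, drop all forwarded traffic.
"$IPT" --append OUTPUT --jump ACCEPT
"$IPT" --append FORWARD -j DROP

### StatefulInputFilter chain for incoming SYNs
# Allow established connections, accept anything from non-external
# interfaces, accept new TCP 80/443 from the internet, drop the rest.
"$IPT" --append StatefulInputFilter -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" --append StatefulInputFilter -m state --state NEW ! -i "$EXTDEV" -j ACCEPT
"$IPT" --append StatefulInputFilter -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
"$IPT" --append StatefulInputFilter --jump DROP

### icmpInOut chain: lets only certain ICMP types in.
# NOTE(review): icmpInOut is only reached from INPUT, where no output
# interface is set, so the '-o' match on the redirect rule below can never
# succeed; redirects therefore fall through to the final DROP of this chain.
# That is the safe outcome for a proxy host, so the rule is kept as written.
"$IPT" --append icmpInOut --proto icmp --icmp-type redirect -o "$LANDEV" --jump ACCEPT
"$IPT" --append icmpInOut --proto icmp --icmp-type echo-request --jump ACCEPT
"$IPT" --append icmpInOut --proto icmp --icmp-type echo-reply --jump ACCEPT
"$IPT" --append icmpInOut --proto icmp --icmp-type destination-unreachable --jump ACCEPT
"$IPT" --append icmpInOut --proto icmp --icmp-type source-quench --jump ACCEPT
"$IPT" --append icmpInOut --proto icmp --icmp-type time-exceeded --jump ACCEPT
"$IPT" --append icmpInOut --proto icmp --icmp-type parameter-problem --jump ACCEPT
"$IPT" --append icmpInOut --jump DROP

# Enable TCP SYN flood protection via SYN cookies.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

/usr/bin/logger "Iptables script hcs implemented"

############# you might also consider installing fail2ban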