ComputerWillTravel 

This is a Linux Iptables script I put this together to get a better understanding on iptables and other security reasons.

copy and past this in the Terminal log in as root like this then do the second command. You need to find out your interface I'm on a  cable connection  so My interface is eth0 so after you paste the firewall.bash script you need to change it to your interface wlan0 or whatever. Also if you use KDE use kate text edit  

Now after you find that out close it out and go back to the Terminal you should be in root and type this in or copy paste. When you see the text editer copy and paste firewall.bash

Now its time for the script copy and past this in the text editor

#!/bin/bash echo "Starting Iptables... " # For debugging use iptables -v. IPTABLES=/sbin/iptables IP6TABLES=/sbin/ip6tables MODPROBE=/sbin/modprobe RMMOD=/sbin/rmmod ARP=/usr/sbin/arp # Logging options. # Note: We use --log-level debug, so that the messages are not output # to all virtual consoles (which would be quite annoying). # Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the #/etc/init.d/klogd startup-script. LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options" LOG="$LOG --log-ip-options" # Defaults for rate limiting (to prevent DoS attacks and excessive logging). RLIMIT="-m limit --limit 3/s --limit-burst 8" # Unprivileged ports. PHIGH="1024:65535" # Common SSH source ports. PSSH="1000:1023" # Load required kernel modules (if automatic module loading is disabled). modprobe ip_tables modprobe iptable_filter modprobe iptable_nat modprobe iptable_mangle modprobe iptable_raw modprobe ipt_MASQUERADE modprobe ipt_REJECT modprobe ip6_tables modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_irc # No spoofing echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then for f in /proc/sys/net/ipv4/conf/default/rp_filter do echo 2 > $f done fi # Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html). echo 1 > /proc/sys/net/ipv4/tcp_syncookies # No icmp ping for i in /proc/sys/net/ipv4/icmp_echo_ignore_all; do echo 1 > $i; done for i in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; do echo 1 > $i; done # Don't log invalid responses to broadcast frames for i in /proc/sys/net/ipv4/icmp_ratelimit; do echo 1 > $i; done for i in /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses; do echo 1 > $i; done echo 1 > /proc/sys/net/ipv4/icmp_ratemask # Log packets with impossible addresses. for i in /proc/sys/net/ipv4/conf/all/log_martians; do echo 1 > $i; done # Turn off IP forwarding/unless you want to filter all the computer's on your LAN just set 0 to 1 if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 0 > /proc/sys/net/ipv4/ip_forward fi # do not reply to 'proxyarp' packets if [ -e /proc/sys/net/ipv4/proxy_arp ]; then echo 0 > /proc/sys/net/ipv4/proxy_arp fi # Disable bootp_relay. Should not be needed, usually. echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay # These may mitigate ARP Poisoning attacks for i in /proc/sys/net/ipv4/neigh/default/locktime; do echo 1 > $i; done for i in /proc/sys/net/ipv4/neigh/default/gc_stale_time; do echo 1 > $i; done # Disable ICMP Redirect Acceptance echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then for f in /proc/sys/net/ipv4/conf/default/accept_redirects do echo 0 > $f done fi # Do not reply to 'redirected' packets if requested if [ -e /proc/sys/net/ipv4/send_redirects ]; then echo 0 > /proc/sys/net/ipv4/send_redirects fi # Disable Source Routed Packets echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then for f in /proc/sys/net/ipv4/conf/default/accept_source_route do echo 0 > $f done fi # Enabling Dynamic echo 1 > /proc/sys/net/ipv4/ip_dynaddr #------------------------------------------------------------------------------ # Default policies. #------------------------------------------------------------------------------ # Flush any rules that may still be configured iptables -t filter -F INPUT iptables -t filter -F OUTPUT iptables -t filter -F FORWARD # Set the default policies for the chains iptables -t filter -P INPUT DROP iptables -t filter -P OUTPUT ACCEPT iptables -t filter -P FORWARD DROP # Firewall iptables -F INPUT iptables -F OUTPUT iptables -t filter -F FORWARD # Drop everything by default. # Note: The default policies are set _before_ flushing the chains, to prevent # a short timespan between flushing the chains and setting policies where # any traffic would be allowed. iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # Set the nat/mangle/raw tables' chains to ACCEPT (we don't use them). # Packets will simply pass through these tables unchanged. # TODO: What happens if the modules aren't loaded? iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P OUTPUT ACCEPT iptables -t nat -P POSTROUTING ACCEPT iptables -t mangle -P PREROUTING ACCEPT iptables -t mangle -P INPUT ACCEPT iptables -t mangle -P FORWARD ACCEPT iptables -t mangle -P OUTPUT ACCEPT iptables -t mangle -P POSTROUTING ACCEPT # TODO: Correct? Remove this? #iptables -t raw -P PREROUTING ACCEPT #iptables -t raw -P OUTPUT ACCEPT #------------------------------------------------------------------------------ # Cleanup. #------------------------------------------------------------------------------ # Delete all rules. iptables -F iptables -t nat -F iptables -t mangle -F # Delete all (non-builtin) user-defined chains. iptables -X iptables -t nat -X iptables -t mangle -X # Zero all packet and byte counters. iptables -Z iptables -t nat -Z iptables -t mangle -Z #------------------------------------------------------------------------------ # Completely disable IPv6. #------------------------------------------------------------------------------ # Block all IPv6 traffic, otherwise the firewall might be circumvented by an # attacker who simply sends IPv6 traffic instead of IPv4 traffic. # Note: The safest way to prevent IPv6 traffic is to not enable support for # IPv6 in the kernel in the first place (neither built-in nor as a module). # If the ip6tables command is available, try to block all IPv6 traffic. if test -x ip6tables; then # Set the default policies (drop everything). ip6tables -P INPUT DROP 2>/sbin/ip6tables ip6tables -P FORWARD DROP 2>/sbin/ip6tables ip6tables -P OUTPUT DROP 2>/sbin/ip6tables # The mangle table can pass everything through unaltered (we don't use it). ip6tables -t mangle -P PREROUTING ACCEPT 2>/sbin/ip6tables ip6tables -t mangle -P INPUT ACCEPT 2>/sbin/ip6tables ip6tables -t mangle -P FORWARD ACCEPT 2>/sbin/ip6tables ip6tables -t mangle -P OUTPUT ACCEPT 2>/sbin/ip6tables ip6tables -t mangle -P POSTROUTING ACCEPT 2>/sbin/ip6tables # Delete all rules. ip6tables -F 2>/sbin/ip6tables ip6tables -t mangle -F 2>/sbin/ip6tables # Delete all (non-builtin) user-defined chains. ip6tables -X 2>/sbin/ip6tables ip6tables -t mangle -X 2>/sbin/ip6tables # Zero all packet and byte counters. ip6tables -Z 2>/sbin/ip6tables ip6tables -t mangle -Z 2>/sbin/ip6tables fi #------------------------------------------------------------------------------ ###Script Rules###Start Here #------------------------------------------------------------------------------ # Logg it to check oil later iptables -I INPUT 1 -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Masquerading iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -p tcp --tcp-flags SYN,FIN,ACK,ALL ALL -j DROP # DROP all Forward packets iptables -A FORWARD -j DROP # Mac/Ip filter iptables -N MACfilter iptables -N IPfilter # LOG packets, then DROP them. iptables -N DROPLOG iptables -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP" iptables -A DROPLOG -j DROP # LOG packets, then REJECT them. TCP packets are rejected with a TCP reset. iptables -N REJECTLOG iptables -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT" iptables -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset iptables -A REJECTLOG -j REJECT # IGMP noise, log & drop iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: " # A custom chain which only allows minimal (RELATED) ICMP types # (destination-unreachable, time-exceeded, and parameter-problem). # TODO: Rate-limit this traffic? # TODO: Allow fragmentation-needed? # TODO: Test. iptables -N RELATED_ICMP iptables -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT $RLIMIT iptables -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT $RLIMIT iptables -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT $RLIMIT iptables -A RELATED_ICMP -j DROPLOG # First, drop all fragmented ICMP packets (almost always malicious). iptables -A INPUT -p icmp --fragment -j DROPLOG iptables -A OUTPUT -p icmp --fragment -j DROPLOG iptables -A FORWARD -p icmp --fragment -j DROPLOG # Allow all ESTABLISHED ICMP traffic. # TODO: Tighten this some more? iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT iptables -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT # Disallow all of the RELATED ICMP traffic, block iptables -A INPUT -p tcp --tcp-flags ALL,ALL ALL -j DROP # TODO: FORWARD? iptables -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT iptables -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT # Allow incoming ICMP echo requests (ping), but only rate-limited. iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT # Allow outgoing ICMP echo requests (ping), but only rate-limited. # TODO: Really do rate limiting here? iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT # Drop any other ICMP traffic. iptables -A INPUT -p icmp -j DROPLOG iptables -A OUTPUT -p icmp -j DROPLOG iptables -A FORWARD -p icmp -j DROPLOG # Allow all incoming and outgoing connections on the loopback interface if you DROP this your computer will not boot right. iptables -t filter -A INPUT -i lo -j ACCEPT iptables -t filter -A OUTPUT -o lo -j ACCEPT # Allow incoming connections related to existing allowed connections. iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -t filter -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Explicitly drop invalid incoming traffic (use DROPLOG if you want logging). iptables -A INPUT -m state --state INVALID -j DROP iptables -A INPUT -i eth0 -m state --state INVALID -j DROP # Disallow NEW and INVALID incoming or forwarded packets from ra0. iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP # Drop invalid outgoing traffic, too. # Note: This may prevent you from performing certain scans. Also, see above # comment about ICMP packets being erroneously marked as INVALID instead of # RELATED in kernels older than 2.4.29. Remove this rule if needed. iptables -A OUTPUT -m state --state INVALID -j DROP # This is not needed, as we use policy DROP for FORWARD, and we disabled # ip_forward anyways. However, if we would use NAT, INVALID packets would # bypass our rules, so we block them explicitly here, just in case. iptables -A FORWARD -m state --state INVALID -j DROP # Hinder portscanners a bit. iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL, ALL -j DROP # Some more anti-spoofing rules iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -p tcp --tcp-flags ALL,FIN URG,PSH -j DROP iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A INPUT -p tcp --tcp-flags ALL, ALL -j DROP # IPfilter block some bad popup's you may have to remove some of thies iptables -t filter -A FORWARD -j IPfilter iptables -A IPfilter -s 199.106.234.119 -j DROP iptables -A IPfilter -s 199.106.234.146 -j DROP iptables -A IPfilter -s 199.106.234.124 -j DROP iptables -A IPfilter -s 199.106.211.53 -j DROP iptables -A IPfilter -s 199.93.44.126 -j DROP iptables -A IPfilter -s 199.106.234.158 -j DROP # MAC ID Filter iptables -t filter -A FORWARD -j MACfilter iptables -A MACfilter -m mac --mac-source ff:ff:ff:ff:ff:ff -j DROP iptables -A MACfilter -m mac --mac-source 00:00:00:00:00:00 -j DROP # Block UDP-Traceroute iptables -A INPUT -i eth0 -p udp --dport 33434:33523 -j DROP # Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter) iptables -A INPUT -d 127.0.0.0/8 -j DROP iptables -A INPUT -p all -s localhost -j DROP # Block Mutilecast iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP iptables -A INPUT -m pkttype --pkt-type multicast -j DROP iptables -I INPUT -m pkttype --pkt-type multicast -j DROP iptables -I INPUT -m pkttype --pkt-type broadcast -j DROP iptables -A INPUT -i eth0 -p all -d 224.0.0.1 -j DROP iptables -A INPUT -i eth0 -p 2 -j DROP iptables -I INPUT -p all -d 224.0.0.1 -j DROP iptables -I OUTPUT -p all -d 224.0.0.1 -j DROP # Drop incomeing MICS PORTS iptables -A INPUT -i eth0 -p tcp -m multiport \--dport 177,178,7100,1023,8200,5631,5900,389,636,8888,2401,8080,8090,3690 -j DROP iptables -A INPUT -i eth0 -p udp -m multiport \--sport 178,7100,1023,8200,5631,389,636,8888,133 -j DROP iptables -A INPUT -i eth0 -p tcp -m multiport \--dport 135,137,138,139,445,1433,1434 -j DROP iptables -A INPUT -i eth0 -p udp -m multiport \--sport 135,137,138,139,445,1433,1434 -j DROP iptables -A INPUT -i eth0 -p udp -m multiport \--sport 123,119,3389,139,2869,563,445,1025,500,5800,4500,1900,5500,1194 -j DROP iptables -A INPUT -i eth0 -p tcp -m multiport \--dport 123,3389,139,2869,563,445,1025,500,5800,4500,1900,5500,587,995 -j DROP iptables -A INPUT -i eth0 -p tcp -m multiport \--dport 1801,9001,9002,9030,9031,9090,9091,465,9101,9103,9102 -j DROP iptables -A INPUT -i eth0 -p tcp -m multiport \--dport 4899,993,992,873,556,111,107,444,487,749 -j DROP iptables -A INPUT -i eth0 -p udp -m multiport \--sport 4899,993,992,873,111,107,444,487,749,2030 -j DROP iptables -A INPUT -i eth0 -p tcp -m multiport \--dport 1701,1723,47,465,25,2030,9102,9103 -j DROP iptables -A INPUT -i eth0 -p udp -m multiport \--sport 47,1701,1723,3076,3107,3131,3142,3145,3527,1801 -j DROP iptables -A INPUT -i eth0 -p tcp -m multiport \--dport 5901,5902,5903,6000,6001,6002,6003,27015,27960,3306,2401,520 -j DROP iptables -A INPUT -i eth0 -p tcp -m multiport \--dport 2401,512,513,89,992 -j DROP # Drop out going MISC PORTS iptables -A OUTPUT -o eth0 -p tcp -m multiport \--dport 177,178,7100,1023,8200,5631,5900,389,636,8888 -j DROP iptables -A OUTPUT -o eth0 -p udp -m multiport \--sport 178,7100,1023,8200,5631,389,636,8888,133 -j DROP iptables -A OUTPUT -o eth0 -p tcp -m multiport \--dport 135,137,138,139,445,1433,1434 -j DROP iptables -A OUTPUT -o eth0 -p udp -m multiport \--sport 135,137,138,139,445,1433,1434 -j DROP iptables -A OUTPUT -o eth0 -p udp -m multiport \--sport 123,3389,139,2869,563,445,1025,500,5800,4500,1900,5500 -j DROP iptables -A OUTPUT -o eth0 -p tcp -m multiport \--dport 123,3389,139,2869,563,445,1025,500,5800,4500,1900,5500 -j DROP iptables -A OUTPUT -o eth0 -p tcp -m multiport \--dport 4899,993,992,873,556,111,107,444,487,749 -j DROP iptables -A OUTPUT -o eth0 -p udp -m multiport \--sport 4899,993,992,873,111,107,444,487,749,123,2030,2049 -j DROP iptables -A OUTPUT -o eth0 -p tcp -m multiport \--dport 1701,1723,47,587,995,465,995,119,123,8080,8090,2401,3690,2049 -j DROP iptables -A OUTPUT -o eth0 -p tcp -m multiport \--dport 1801,9001,9002,9030,9031,9091,9101,9101,9102,1194,515 -j DROP iptables -A OUTPUT -o eth0 -p udp -m multiport \--sport 47,1701,1723,3076,3107,3131,3142,3145,3527,1801,515 -j DROP iptables -A OUTPUT -o eth0 -p tcp -m multiport \--dport 5901,5902,5903,6000,6001,6002,6003,27015,27960,3306,2401,520 -j DROP iptables -A OUTPUT -o eth0 -p tcp -m multiport \--dport 2401,512,513,89,992 -j DROP # Disallow/Allow Samba MS Browser iptables -A OUTPUT -o eth0 -p tcp --dport 137:139 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 137:139 -j DROP iptables -A INPUT -i eth0 -p tcp --dport 137:139 -j DROP iptables -A INPUT -i eth0 -p udp --dport 137:139 -j DROP iptables -A INPUT -i eth0 -p udp --dport 445 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 445 -j DROP # Allow outgoing/incomeing DHCP requests. Unencrypted, use with care. iptables -A OUTPUT -o eth0 -p udp --dport 67:68 -j ACCEPT iptables -A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT # Disallow XDMCP iptables -A INPUT -i eth0 -p udp --dport 177 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 177 -j DROP iptables -A INPUT -i eth0 -p tcp --dport 6000:6009 -j DROP iptables -A OUTPUT -o eth0 -p tcp --dport 6000:6009 -j DROP iptables -A INPUT -i eth0 -p udp --dport 6000:6009 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 6000:6009 -j DROP # VNC iptables -A INPUT -i eth0 -p tcp --dport 5900 -j DROP iptables -A OUTPUT -o eth0 -p tcp --dport 5900 -j DROP # MSQL iptables -A INPUT -i eth0 -p udp --dport 1434 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 1434 -j DROP iptables -A INPUT -i eth0 -p udp --dport 1026:1027 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 1026:1027 -j DROP # SOCKS iptables -A INPUT -i eth0 -p tcp --dport socks -j DROP iptables -A OUTPUT -o eth0 -p tcp --dport socks -j DROP iptables -A INPUT -i eth0 -p udp --dport snmp -j DROP iptables -A OUTPUT -o eth0 -p udp --dport snmp -j DROP iptables -A INPUT -i eth0 -p udp --dport socks -j DROP iptables -A OUTPUT -o eth0 -p udp --dport socks -j DROP # Allow Incoming/Outgoing DNS requests. iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT iptables -A OUTPUT -p tcp --dport 53 -j DROP # Allow gnutella-svc:gnutella-rtr you could turn this on or off accept iptables -A INPUT -i eth0 -p tcp --sport 6346:6347 -j DROP iptables -A OUTPUT -o eth0 -p tcp --dport 6346:6347 -j DROP iptables -A INPUT -i eth0 -p udp --sport 6346:6347 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 6346:6347 -j DROP # Allow incoming/Outgoing HTTP requests. # Allow web traffic iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT # Allow https I turn this on and off when I'm done) iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT # Allow pop3nsmtp iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 110 -j ACCEPT # Disallow HyperText Transfer Protocol iptables -A INPUT -i eth0 -p udp --dport 80 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 80 -j DROP # SOCKS this proto can be used to bypass firewalls iptables -A INPUT -i eth0 -p tcp --dport socks -j DROP iptables -A OUTPUT -o eth0 -p tcp --dport socks -j DROP iptables -A INPUT -i eth0 -p udp --dport socks -j DROP iptables -A OUTPUT -o eth0 -p udp --dport socks -j DROP # IRC Chat iptables -A INPUT -i eth0 -p tcp --dport 6667 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 6667 -j ACCEPT # MSN Chat iptables -A INPUT -i eth0 -p tcp --dport 1863 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 1863 -j ACCEPT iptables -A INPUT -i eth0 -p udp --dport 1863 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --dport 1863 -j ACCEPT # Paltalk iptables -A INPUT -i eth0 -p tcp --dport 8200:8700 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 2090:2095 -j ACCEPT iptables -A INPUT -i eth0 -p udp --dport 2090:2095 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --dport 8200:8700 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 2090:2095 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --dport 2090:2095 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 5001:50015 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --dport 1025:2500 -j ACCEPT # Disallow incoming SSH requests. iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP iptables -A INPUT -i eth0 -p udp -m udp --dport 443 -j DROP iptables -A INPUT -i eth0 -p tcp --dport ssh -j DROP iptables -A OUTPUT -o eth0 -p tcp --dport ssh -j DROP # Disallow whatever iptables -A INPUT -i eth0 -p udp --sport 5353 -j DROP iptables -A OUTPUT -o eth0 -p udp --sport 5353 -j DROP iptables -A INPUT -i eth0 -p udp --sport 32768 -j DROP iptables -A OUTPUT -o eth0 -p udp --sport 32768 -j DROP iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP iptables -A OUTPUT -o eth0 -p tcp --dport 23 -j DROP iptables -A INPUT -i eth0 -p udp --dport 23 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 23 -j DROP # Allow FTP just for virus scanner updates turn on and off iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP iptables -A OUTPUT -o eth0 -p tcp --dport 21 -j DROP # Disallow incoming FTP requests. iptables -A INPUT -i eth0 -p tcp -m tcp --dport 21 --syn -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --dport 115 --syn -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --dport 989 --syn -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --dport 990 --syn -j DROP iptables -A INPUT -i eth0 -p udp -m udp --dport 21 -j DROP iptables -A INPUT -i eth0 -p udp -m udp --dport 115 -j DROP iptables -A INPUT -i eth0 -p udp -m udp --dport 989 -j DROP iptables -A INPUT -i eth0 -p udp -m udp --dport 990 -j DROP iptables -A INPUT -i eth0 -p tcp --dport 20 -j DROP # Dissallow LDAP and Remote IRC iptables -A INPUT -i eth0 -p tcp -m tcp --dport 389 --syn -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --dport 636 --syn -j DROP iptables -A INPUT -i eth0 -p udp -m udp --dport 389 -j DROP iptables -A INPUT -i eth0 -p udp -m udp --dport 636 -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --dport 8888 --syn -j DROP iptables -A INPUT -i eth0 -p udp -m udp --dport 8888 -j DROP # Use REJECT instead of REJECTLOG if you don't need/want logging. iptables -A INPUT -j REJECTLOG iptables -A OUTPUT -j REJECTLOG iptables -A FORWARD -j REJECTLOG # End message echo " [End Iptables rules setting]"

Alright now click on the floppy icon and close it out in other words save it now we make the script executable if you change any of the rules to ACCEPT or ACCEPTLOG you must make it executable

Ok that part is done I use a flush script because I think its better for the firewall bash script I did not write all this I studyed HARD and came up with this so alot of it is off the net so forgive me!

#!/bin/sh # # Set the default policy # iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # # Set the default policy for the NAT table # iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P POSTROUTING ACCEPT iptables -t nat -P OUTPUT ACCEPT # # Delete all rules # iptables -F iptables -t nat -F # # Delete all chains # iptables -X iptables -t nat -X # End message echo " [End of flush]"

Now make it executable.

This script will allow you to handle your firewall like all other services.

#!/bin/bash RETVAL=0 # To start the firewall start() { echo -n "Iptables rules creation: " /etc/firewall.bash RETVAL=0 } # To stop the firewall stop() { echo -n "Removing all iptables rules: " /etc/flush_iptables.bash RETVAL=0 } case $1 in start) start ;; stop) stop ;; restart) stop start ;; status) /sbin/iptables -L /sbin/iptables -t nat -L RETVAL=0 ;; *) echo "Usage: firewall {start|stop|restart|status}" RETVAL=1 esac exit

Now make it executable.

Do this first the final step is to make your script running on each boot of your computer

Now you can use these commands to start/stop/restart/status your firewall

That's is it kinda easy. so when you make a change just pull it up like this 

make your changes then

Then 

Thats is it when you want to check the status all you got to do is 

or I use I think this way is better because it dont resolve host

I hope this gives you a idea on somethings go back