hi there
You're looking for an iptables firewall?
Here is my suggestion for doing this :-)
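#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: IPTABLES Firewall
# Description:       Used to Firewall a computer
### END INIT INFO
# Author: Paranoids <markus(at)paranoids(dot)at>
#
# Host firewall for a single box that serves HTTP and DNS over IPv4 and over
# a 6to4 tunnel.  Inbound traffic on the public interfaces is accepted only
# for the listed service ports and management networks; everything else is
# logged (rate-limited) and dropped.  Outbound traffic is restricted per uid
# so that a compromised web application cannot trivially send spam or open
# arbitrary connections.  Must run as root.
#
# Usage: firewall {start|stop|restart|status|status6}
#
# NOTE: "stop" leaves the host fully open (accept-all policies).
# NOTE: "-m state" is kept as in the original; on current kernels
#       "-m conntrack --ctstate" is the preferred equivalent.
#
# The *PORTS* / *IPS* lists below are space separated and are deliberately
# expanded unquoted in the for-loops so that the shell splits them.
# shellcheck disable=SC2086

PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

ETH0="eth0"            # public IPv4 interface
TUN6TO4="tun6to4"      # 6to4 tunnel device carrying the public IPv6 traffic
LOCAL="lo"

# Services reachable from anywhere (IPv4 / IPv6 lists are independent).
ALLOWEDTCPPORTS="80"
ALLOWEDUDPPORTS="53"
ALLOWEDTCPPORTS6="80"
ALLOWEDUDPPORTS6="53"
# Management hosts/networks: may reach every local port and are always
# reachable from this host.
ALLOWEDIPS="192.168.1.1 192.168.2.0/24"
ALLOWEDIPS6="dead:beef:dead::/48"

# A source holding more than CONNLIMIT concurrent TCP connections is banned
# (all its TCP traffic dropped) for BANTIME seconds.
CONNLIMIT="50"
BANTIME="60"
# Owner rules: the one local account allowed to make arbitrary outbound
# connections, and the uid/gid range treated as "unprivileged users".
TRUSTED_ID="1004"
UNPRIV_IDS="1000:50000"
# Every LOG rule is rate-limited so that a flood of rejected packets cannot
# fill syslog / the disk.
LOGLIMIT="-m limit --limit 5/min --limit-burst 10"

#######################################
# Remove all rules and user chains of the filter table (IPv4 and IPv6) and
# fall back to accept-all policies.  Used before rebuilding and by "stop".
#######################################
flush_all() {
  local ipt
  for ipt in "$IPT" "$IPT6"; do
    "$ipt" -F
    "$ipt" -X
    "$ipt" -P INPUT ACCEPT
    "$ipt" -P OUTPUT ACCEPT
    "$ipt" -P FORWARD ACCEPT
  done
}

#######################################
# Write a value to a /proc/sys knob if this kernel exposes it.
# Arguments: $1 - knob path, $2 - value, $3 - message to print
#######################################
set_sysctl() {
  if [ -w "$1" ]; then
    echo "$3"
    echo "$2" > "$1"
  fi
}

#######################################
# IN_ETH0: rules for traffic arriving on the public IPv4 interface.
# The chain never returns: it ends in an unconditional DROP.
#######################################
build_input_v4() {
  local port net
  "$IPT" -N IN_ETH0
  # Ban list: the SYN that takes a source above CONNLIMIT connections
  # records the address; the next rule then drops all further TCP packets
  # from it for BANTIME seconds (--update refreshes the timer on each hit,
  # so the ban lasts as long as the offender keeps sending).
  "$IPT" -A IN_ETH0 -p tcp --syn -m state --state NEW \
    -m connlimit --connlimit-above "$CONNLIMIT" --connlimit-mask 32 \
    -m recent --set --name firewall
  "$IPT" -A IN_ETH0 -p tcp -m recent --update --seconds "$BANTIME" --hitcount 2 --name firewall -j DROP
  "$IPT" -A IN_ETH0 -p tcp -m state --state INVALID -j DROP
  for port in $ALLOWEDTCPPORTS; do
    "$IPT" -A IN_ETH0 -p tcp --dport "$port" -j ACCEPT
  done
  for port in $ALLOWEDUDPPORTS; do
    "$IPT" -A IN_ETH0 -p udp --dport "$port" -j ACCEPT
  done
  for net in $ALLOWEDIPS; do
    "$IPT" -A IN_ETH0 -s "$net" -j ACCEPT
  done
  "$IPT" -A IN_ETH0 -p icmp --icmp-type echo-request -j ACCEPT
  # 6to4 traffic reaches this host encapsulated as IPv4 protocol 41.  Without
  # this rule only peers the host already sent to would get in (via the
  # RELATED,ESTABLISHED rule).  The decapsulated IPv6 packets are filtered
  # by the IN_TUN6TO4 chain of ip6tables, so this does not bypass anything.
  "$IPT" -A IN_ETH0 -p 41 -j ACCEPT
  "$IPT" -A IN_ETH0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Logging of IPv4 drops on eth0 was disabled by the author (noise);
  # uncomment to enable it - it is rate-limited.
  #"$IPT" -A IN_ETH0 $LOGLIMIT -j LOG --log-prefix "iptables: "
  "$IPT" -A IN_ETH0 -j DROP
}

#######################################
# IN_TUN6TO4: rules for IPv6 traffic arriving through the 6to4 tunnel.
# The chain never returns: it ends in an unconditional DROP.
#######################################
build_input_v6() {
  local port net
  "$IPT6" -N IN_TUN6TO4
  # Same ban logic as IPv4.  The connlimit mask must be 128 (one address):
  # the value 32 copied from the IPv4 rule would count a whole /32 - typically
  # an entire ISP allocation - as one source and ban all of it at once.
  "$IPT6" -A IN_TUN6TO4 -p tcp --syn -m state --state NEW \
    -m connlimit --connlimit-above "$CONNLIMIT" --connlimit-mask 128 \
    -m recent --set --name firewall6
  # NOTE(review): --hitcount 1 drops the triggering SYN itself and --rttl
  # requires the TTL to match the recorded one; the IPv4 chain uses
  # --hitcount 2 without --rttl.  The difference looks unintentional - confirm.
  "$IPT6" -A IN_TUN6TO4 -p tcp -m recent --rttl --update --seconds "$BANTIME" --hitcount 1 --name firewall6 -j DROP
  "$IPT6" -A IN_TUN6TO4 -p tcp -m state --state INVALID -j DROP
  for port in $ALLOWEDTCPPORTS6; do
    "$IPT6" -A IN_TUN6TO4 -p tcp --dport "$port" -j ACCEPT
  done
  for port in $ALLOWEDUDPPORTS6; do
    "$IPT6" -A IN_TUN6TO4 -p udp --dport "$port" -j ACCEPT
  done
  for net in $ALLOWEDIPS6; do
    "$IPT6" -A IN_TUN6TO4 -s "$net" -j ACCEPT
  done
  # All ICMPv6 types are accepted (the original author's choice; IPv6 relies
  # on ICMPv6 for path-MTU discovery and neighbour discovery).
  "$IPT6" -A IN_TUN6TO4 -p icmpv6 -j ACCEPT
  "$IPT6" -A IN_TUN6TO4 -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPT6" -A IN_TUN6TO4 $LOGLIMIT -j LOG --log-prefix "iptables: "
  "$IPT6" -A IN_TUN6TO4 -j DROP
}

#######################################
# Hook the per-interface input chains into INPUT and close FORWARD.
# Traffic on any other interface is allowed only as a reply
# (RELATED,ESTABLISHED); everything else is logged and dropped.
#######################################
build_input_dispatch() {
  "$IPT" -A INPUT -i "$ETH0" -j IN_ETH0
  "$IPT" -A INPUT -i "$LOCAL" -j ACCEPT
  "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT $LOGLIMIT -j LOG --log-prefix "iptables: "
  "$IPT" -A INPUT -j DROP

  "$IPT6" -A INPUT -i "$TUN6TO4" -j IN_TUN6TO4
  "$IPT6" -A INPUT -i "$LOCAL" -j ACCEPT
  "$IPT6" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPT6" -A INPUT $LOGLIMIT -j LOG --log-prefix "iptables: "
  "$IPT6" -A INPUT -j DROP

  # This host is not a router: nothing is forwarded (forwarding is also
  # switched off via sysctl in fw_start).
  "$IPT" -A FORWARD $LOGLIMIT -j LOG --log-prefix "iptables: "
  "$IPT" -A FORWARD -j DROP
  "$IPT6" -A FORWARD $LOGLIMIT -j LOG --log-prefix "iptables: "
  "$IPT6" -A FORWARD -j DROP
}

#######################################
# Build an egress chain restricting what local processes may send.
# The IPv4 and IPv6 chains are identical apart from the lists, so both are
# generated here (the original duplicated the rules and, for IPv6, used
# the IPv4 port lists by mistake).
# Arguments:
#   $1 - iptables binary          $2 - chain name
#   $3 - TCP ports we serve       $4 - UDP ports we serve
#   $5 - trusted destination networks
#######################################
build_output_chain() {
  local ipt="$1" chain="$2" tcp_ports="$3" udp_ports="$4" nets="$5"
  local port net
  "$ipt" -N "$chain"
  # Replies sent by our own services.
  for port in $tcp_ports; do
    "$ipt" -A "$chain" -p tcp --sport "$port" -j ACCEPT
  done
  for port in $udp_ports; do
    "$ipt" -A "$chain" -p udp --sport "$port" -j ACCEPT
  done
  # Anything towards the management networks.
  for net in $nets; do
    "$ipt" -A "$chain" -d "$net" -j ACCEPT
  done
  # DNS and NTP for every uid.
  "$ipt" -A "$chain" -p udp --dport 53 -j ACCEPT
  "$ipt" -A "$chain" -p tcp --dport 53 -j ACCEPT
  "$ipt" -A "$chain" -p udp --dport 123 -j ACCEPT
  # Anti web-spam / post-exploitation containment: root and TRUSTED_ID may
  # connect anywhere.  Everybody else is denied new UDP flows and, for
  # UNPRIV_IDS, SMTP; new TCP flows to ports >= 1024 are denied for all.
  # NOTE(review): new TCP to privileged destination ports other than 25
  # (e.g. 80/443) stays allowed for every uid, and the SMTP rule only covers
  # UNPRIV_IDS - a web server running as a system uid below 1000 is not
  # covered.  Check the uid of the web server on this box.
  "$ipt" -A "$chain" -m owner --uid-owner 0 -j ACCEPT
  "$ipt" -A "$chain" -m owner --gid-owner 0 -j ACCEPT
  "$ipt" -A "$chain" -m owner --uid-owner "$TRUSTED_ID" -j ACCEPT
  "$ipt" -A "$chain" -m owner --gid-owner "$TRUSTED_ID" -j ACCEPT
  "$ipt" -A "$chain" -m state --state NEW -p udp $LOGLIMIT -j LOG --log-uid --log-prefix "iptables: "
  "$ipt" -A "$chain" -m state --state NEW -p udp -j DROP
  "$ipt" -A "$chain" -p tcp --dport 25 -m owner --uid-owner "$UNPRIV_IDS" $LOGLIMIT -j LOG --log-uid --log-prefix "iptables: "
  "$ipt" -A "$chain" -p tcp --dport 25 -m owner --uid-owner "$UNPRIV_IDS" -j DROP
  "$ipt" -A "$chain" -p tcp --dport 25 -m owner --gid-owner "$UNPRIV_IDS" $LOGLIMIT -j LOG --log-uid --log-prefix "iptables: "
  "$ipt" -A "$chain" -p tcp --dport 25 -m owner --gid-owner "$UNPRIV_IDS" -j DROP
  "$ipt" -A "$chain" -m state --state NEW -p tcp --dport 1024: $LOGLIMIT -j LOG --log-uid --log-prefix "iptables: "
  "$ipt" -A "$chain" -m state --state NEW -p tcp --dport 1024: -j DROP
  # Whatever survived the restrictions above (e.g. TCP to ports < 1024 or
  # the encapsulated 6to4 packets, which have no socket owner) is allowed.
  "$ipt" -A "$chain" -j ACCEPT
}

#######################################
# Hook the egress chains into OUTPUT.  Output on any other interface is
# allowed only for replies; everything else is logged and dropped.
#######################################
build_output_dispatch() {
  "$IPT" -A OUTPUT -o "$ETH0" -j OUT_ETH0
  "$IPT" -A OUTPUT -o "$LOCAL" -j ACCEPT
  "$IPT" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT $LOGLIMIT -j LOG --log-prefix "iptables: "
  "$IPT" -A OUTPUT -j DROP

  "$IPT6" -A OUTPUT -o "$TUN6TO4" -j OUT_TUN6TO4
  "$IPT6" -A OUTPUT -o "$LOCAL" -j ACCEPT
  "$IPT6" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPT6" -A OUTPUT $LOGLIMIT -j LOG --log-prefix "iptables: "
  "$IPT6" -A OUTPUT -j DROP
}

#######################################
# Load the complete ruleset.
#######################################
fw_start() {
  local ipt
  echo "Starting Firewall"
  set_sysctl /proc/sys/net/ipv4/ip_forward 0 "Disabling ipv4 forwarding"
  # FORWARD is dropped for IPv6 as well, so switch off IPv6 routing too.
  set_sysctl /proc/sys/net/ipv6/conf/all/forwarding 0 "Disabling ipv6 forwarding"
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1 "Enabling ipv4 tcp_syncookies"

  flush_all
  build_input_v4
  build_input_v6
  build_input_dispatch
  build_output_chain "$IPT"  OUT_ETH0    "$ALLOWEDTCPPORTS"  "$ALLOWEDUDPPORTS"  "$ALLOWEDIPS"
  build_output_chain "$IPT6" OUT_TUN6TO4 "$ALLOWEDTCPPORTS6" "$ALLOWEDUDPPORTS6" "$ALLOWEDIPS6"
  build_output_dispatch

  # Defence in depth: the chains above already end in DROP, but a DROP
  # policy also covers a chain whose final rule failed to load.  It is set
  # last so a remote administrator is not cut off while rules are still
  # being appended; a failure earlier in this function still leaves the
  # host open (accept-all), as in the original script.
  for ipt in "$IPT" "$IPT6"; do
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT DROP
  done
}

#######################################
# Remove the ruleset; the host is then unfiltered.
#######################################
fw_stop() {
  echo "Shutting down Firewall"
  flush_all
}

case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    # Stop and, regardless of whether it was running, start again.
    "$0" stop
    "$0" start
    ;;
  status)
    "$IPT" -L -v -n --line-numbers
    ;;
  status6)
    "$IPT6" -L -v -n --line-numbers
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status|status6}" >&2
    exit 1
    ;;
esac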
have fun!