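#!/bin/sh
# By simonsays - BlueBox Underground
#
# This is a simple iptables firewall script that logs and drops US Government, and any unsolicited
# computer traffic to your machine. It is probably best suited for workstation use. The specific gov
# IP's in the drop section of the ruleset are probably redundant since we DROP all traffic at the end
# of the script. Having the specific networks to DROP first allows for rules to be inserted after
# if you want to accept traffic to say http, ssh, ftp, et al. Should work on all *nix platforms that
# have iptables/netfilter support in their kernel. This script is best launched at boot. IPTables
# logs to /var/log/messages by default.
#
# Environment overrides (all optional):
#   IFACE      interface on which replies to connections you opened are accepted (default: eth0)
#   SYN_LIMIT  rate of inbound TCP SYNs tolerated before excess SYNs are dropped (default: 1/second)
#   LOG_LIMIT  rate at which hits on the banned networks are written to syslog (default: 5/minute)
#
# Must run as root. Written for POSIX sh: no arrays, no [[ ]], no pipefail.
set -eu

IFACE="${IFACE:-eth0}"
SYN_LIMIT="${SYN_LIMIT:-1/second}"
LOG_LIMIT="${LOG_LIMIT:-5/minute}"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Log (rate-limited) and then DROP every INPUT packet selected by a match.
# Arguments: $1   - syslog prefix for the LOG rule (passed verbatim, keep under 29 chars)
#            $2.. - iptables match options, e.g. "-s 1.2.3.0/24"
#                   or "-m iprange --src-range A-B"
# Globals:   LOG_LIMIT (read)
# Note: the original script emitted all LOG rules first and all DROP rules afterwards;
# interleaving them per network gives the same result because none of the banned
# ranges overlap, while the `-m limit` keeps an attacker from filling syslog.
#######################################
ban() {
  _label=$1
  shift
  iptables -A INPUT "$@" -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "$_label"
  iptables -A INPUT "$@" -j DROP
}

command -v iptables >/dev/null 2>&1 || die "iptables not found in PATH"
[ "$(id -u)" -eq 0 ] || die "this script must be run as root"

printf 'Configuring Firewall:\n'
printf 'Flushing Tables...'
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
# User chains used by the rate limiters below: create on first run, empty on re-runs.
iptables -N syn_flood 2>/dev/null || iptables --flush syn_flood
iptables -N rst_limit 2>/dev/null || iptables --flush rst_limit
printf 'Done.\n'

printf 'Loading Ruleset...\n'

# Allow Localhost Connections.
# This must come BEFORE the 127.0.0.0/8 and RFC1918 drops: in the original order those
# drops matched loopback packets first, so the `-i lo` ACCEPT never fired and local
# services could not talk to each other.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# End Localhost

# Log and drop ALL traffic from the following networks.
# NOTE(review): the ranges and labels are carried over from the original script; address
# allocations change hands over time, so verify them against current registry data before
# relying on the labels.
# US GOVT
ban "CIA: "          -s 198.81.128.0/18    # Central Intelligence Agency Networks
ban "NCE: "          -s 162.81.0.0/16      # National Counterintelligence Executive
ban "NCSC/NSA: "     -s 144.51.0.0/16      # National Computer Security Center aka NAVY/NSA/.mil
ban "IRS: "          -s 199.196.128.0/19   # Executive Office of Asset Forfeiture aka IRS/Treasury
ban "Presidential: " -s 198.137.240.0/23   # Executive Office Of The President USA aka Whitehouse/EOP
ban "DOD: "          -s 164.117.0.0/16     # Defense Information Systems Agency aka DOD
ban "DTIC: "         -s 131.84.0.0/16      # Defense Technical Information Cntr
ban "Pentagon: "     -s 140.185.0.0/16     # Single Agency Manager aka Pentagon (original dropped this without logging)
ban "DOD NIC: "      -m iprange --src-range 140.0.0.0-140.75.0.0   # DOD Defense Informations Center

# private networks / bogon sources (anti-spoofing on the external side).
# NOTE(review): these sit before the ESTABLISHED,RELATED accept, so replies from RFC1918
# hosts (e.g. a NAT router acting as DNS server) are dropped as well. That is the original
# behaviour; remove the matching line if this machine lives on a private LAN.
for _net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 255.255.255.255/32; do
  iptables -A INPUT -s "$_net" -j DROP
done
# End Network Specific Droppings

# Begin SYN Flood Protection
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
# The original ACCEPTed in-limit SYNs, which silently opened every TCP port to
# rate-limited connection attempts despite the final DROP. RETURN instead lets
# in-limit SYNs continue down INPUT (to be accepted only by an explicit port rule);
# SYNs above the limit are dropped.
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit "$SYN_LIMIT" -j RETURN
iptables -A syn_flood -j DROP
# Same treatment for bare RST packets (port-scan probes): the original ACCEPT let
# them bypass the final DROP.
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j rst_limit
iptables -A rst_limit -m limit --limit 1/s -j RETURN
iptables -A rst_limit -j DROP
# End SYN

# Allow External Traffic To Reply To You
iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reset TCP packets that carry no MSS option (TCP option 2). Extrapositioned negation
# (`! --tcp-option 2`) replaces the deprecated `--tcp-option ! 2` form.
# NOTE(review): unlike the silent DROP below, this answers with a RST and so reveals
# that the host is up; kept because the original did the same.
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
# End Reply

# Drop everything else not specified
iptables -A INPUT -d 0/0 -j DROP
# End Drop
printf 'Done.\n'
printf 'Firewall Configuration Complete.\n'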