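## http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables.dual
###############################################################################
## Adjust for your requirements/preferences.
## For more information regarding the options below see the resources
## listed at the top of the script or the Documentation that comes with
## the Linux Kernel source.
## For Example: linux/Documentation/filesystems/proc.txt
##              linux/Documentation/networking/ip-sysctl.txt
##
## Each setting below is written through proc_write(), which only touches
## a /proc/sys entry that actually exists on the running kernel, so options
## that are not compiled in are skipped quietly instead of failing.
##========================================================================##

#######################################
# Write a value to a /proc/sys entry if that entry exists.
# Arguments: $1 - full path of the /proc/sys entry
#            $2 - value to write
# Returns:   0 (a missing entry is not treated as an error;
#            a failed write still fails the redirection)
#######################################
proc_write() {
  if [ -e "$1" ]; then
    printf '%s\n' "$2" > "$1"
  fi
  return 0
}

##========================================================================##
## Set the maximum number of connections to track. (Kernel Default: 2048)
## Older kernels expose this as net/ipv4/ip_conntrack_max, newer ones as
## net/netfilter/nf_conntrack_max; whichever exists is written.
## When the table is full the kernel drops packets of new connections, so
## size this for the expected number of concurrent flows.
for i in /proc/sys/net/ipv4/ip_conntrack_max \
         /proc/sys/net/netfilter/nf_conntrack_max; do
  proc_write "$i" "4096"
done
##========================================================================##

##========================================================================##
## Local port range for TCP/UDP connections
## The two numbers must be tab-separated; printf is used because the
## behaviour of 'echo -e' differs between /bin/sh implementations.
if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
  printf '32768\t61000\n' > /proc/sys/net/ipv4/ip_local_port_range
fi
##========================================================================##

##========================================================================##
## Disable TCP Explicit Congestion Notification Support
# if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
#   echo "0" > /proc/sys/net/ipv4/tcp_ecn
# fi
##========================================================================##

##========================================================================##
## Disable source routing of packets
## Applied to every interface entry (including 'all' and 'default').
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    proc_write "$i" "0"
  done
fi
##========================================================================##

##========================================================================##
## Enable rp_filter (reverse-path source validation) on every interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    proc_write "$i" "1"
  done
fi
##========================================================================##

##========================================================================##
## Ignore any broadcast icmp echo requests
proc_write /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts "1"
##========================================================================##

##========================================================================##
## Ignore all icmp echo requests on all interfaces
# if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
#   echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# fi
##========================================================================##

##========================================================================##
## Log packets with impossible addresses to kernel log.
proc_write /proc/sys/net/ipv4/conf/all/log_martians "1"
##========================================================================##

##========================================================================##
## Don't accept ICMP redirects
## Disable on all interfaces
# if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
#   echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# fi
## Disable only on the external interface.
## EXTERNAL is expected to be set earlier in the script; if it is empty the
## path below would not exist and the hardening would be skipped without
## any trace, so that case is reported on stderr instead.
if [ -z "${EXTERNAL:-}" ]; then
  printf '%s\n' "Warning: EXTERNAL is not set; accept_redirects was not disabled" >&2
else
  proc_write "/proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects" "0"
fi
##========================================================================##

##========================================================================##
## Additional options for dialup connections with a dynamic ip address
## See: linux/Documentation/networking/ip_dynaddr.txt
# if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
#   echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# fi
##========================================================================##

##========================================================================##
## Enable IP Forwarding
## A missing ip_forward entry is reported as a diagnostic on stderr so it
## is not lost in the script's normal output.
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  proc_write /proc/sys/net/ipv4/ip_forward "1"
else
  printf '%s\n' "Uh oh: /proc/sys/net/ipv4/ip_forward does not exist" \
    "(That may be a problem)" "" >&2
fi
##========================================================================##
## EOF ##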