Iptables, Firewalls, Linux

Description

When using iptables I like to keep a text file of my firewall so I can see everything when I need to edit it, open ports, and so on. There is no requirement about where this file is stored; I keep mine in /system/configuration/firewall.txt.

firewall.txt

[bash]
# Generated by iptables-save v1.4.2 on Fri Mar 20 14:20:07 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [16059:5970755]
# Custom chains: BADFLAGS and FIREWALL log then drop, REJECTWALL logs then rejects
:BADFLAGS - [0:0]
:FIREWALL - [0:0]
:REJECTWALL - [0:0]
-A INPUT -i lo -j ACCEPT
# TCP packets with flag combinations that never occur in legitimate traffic
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j BADFLAGS
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j BADFLAGS
# ICMP: echo reply, destination unreachable, time exceeded; echo request rate-limited; the rest logged and dropped
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j FIREWALL
# Services reachable on eth0 (new connections)
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 902 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3688 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3689 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 4444 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 6881 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8222 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8333 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 9312 -j ACCEPT
-A INPUT -s dornick.alunduil.com -i eth0 -p tcp -m state --state NEW -m tcp --dport 9101:9103 -j ACCEPT
# Replies to connections this host opened
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Silently drop anything else aimed at high ports; log and reject the rest
-A INPUT -i eth0 -p udp -m udp --dport 1024:65535 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT -j REJECTWALL
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BADFLAGS -m limit --limit 10/min -j LOG --log-prefix "BADFLAGS: "
-A BADFLAGS -j DROP
-A FIREWALL -m limit --limit 10/min -j LOG --log-prefix "FIREWALL: "
-A FIREWALL -j DROP
-A REJECTWALL -m limit --limit 10/min -j LOG --log-prefix "REJECTWALL: "
-A REJECTWALL -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Fri Mar 20 14:20:07 2009
[/bash]

How to update your iptables with this firewall

I use fail2ban, which you can set up if you desire; I highly recommend it. Each time firewall.txt is edited, this is how you load it into the running firewall:

[bash]
/etc/init.d/fail2ban stop
iptables-restore < /system/configuration/firewall.txt
/etc/init.d/iptables save
/etc/init.d/fail2ban start
[/bash]
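A mistake in a saved rule file makes iptables-restore abort partway through the update sequence above, which is exactly the moment fail2ban is stopped and the old rules are gone. The script below is an added example, not part of the original post: it runs a few cheap text checks on the rule file (non-ASCII bytes such as the en dashes that web copy-paste turns `--dport` into, table headers without a matching COMMIT, jumps to chains that are never declared), lists the accepted ports for a quick review, and only then runs the post's stop/restore/save/start sequence. The init-script paths and the firewall file location are assumed to match the post's setup; the two sample rule sets are constructed for the example and are not the post's file.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a saved iptables
# rule file before handing it to iptables-restore, then apply it with the same
# fail2ban stop/start sequence the post uses. Init-script paths and the
# firewall file location are assumed to match the post's setup.

# check_firewall FILE -> returns 0 if FILE passes, 1 otherwise (details on stderr)
check_firewall() {
    f="$1"
    rc=0

    # 1. Non-ASCII bytes. Pasting rules from a web page often turns "--dport"
    #    into an en dash, which iptables-restore rejects. (Tabs are flagged
    #    too; iptables-save never emits them.)
    if LC_ALL=C grep -n '[^ -~]' "$f" >/dev/null; then
        echo "non-ASCII characters (smart dashes?) on these lines:" >&2
        LC_ALL=C grep -n '[^ -~]' "$f" >&2
        rc=1
    fi

    # 2. Every table header (*filter, *nat, ...) needs a matching COMMIT.
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -ne "$commits" ]; then
        echo "$tables table header(s) but $commits COMMIT line(s)" >&2
        rc=1
    fi

    # 3. Every jump target must be a built-in target or a chain declared as ":NAME".
    for target in $(sed -n 's/.*-j \([A-Za-z0-9_-]*\).*/\1/p' "$f" | sort -u); do
        case "$target" in
            ACCEPT|DROP|REJECT|LOG|RETURN|MASQUERADE|SNAT|DNAT|REDIRECT) continue ;;
        esac
        if ! grep -q "^:$target " "$f"; then
            echo "jump to undeclared chain: $target" >&2
            rc=1
        fi
    done
    return "$rc"
}

# list_open_ports FILE -> "proto port" for each ACCEPT rule with --dport, for review
list_open_ports() {
    sed -n 's/.*-p \([a-z]*\) .*--dport \([0-9:]*\) -j ACCEPT.*/\1 \2/p' "$1"
}

# apply_firewall FILE -> the post's update sequence, run only if the checks pass
apply_firewall() {
    check_firewall "$1" || { echo "refusing to load $1" >&2; return 1; }
    /etc/init.d/fail2ban stop
    iptables-restore < "$1"
    /etc/init.d/iptables save
    /etc/init.d/fail2ban start
}

# Constructed sample rule set (modelled on the post's file, not copied from it).
write_good_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FIREWALL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j FIREWALL
-A FIREWALL -m limit --limit 10/min -j LOG --log-prefix "FIREWALL: "
-A FIREWALL -j DROP
COMMIT
EOF
}

# Same file with two deliberate defects: a jump to a chain that is never
# declared, and a "--dport" whose dashes were pasted as a UTF-8 en dash.
write_bad_sample() {
    write_good_sample "$1"
    grep -v '^COMMIT$' "$1" > "$1.tmp"
    printf '%s\n' '-A INPUT -p tcp -m tcp --dport 80 -j WEBCHAIN' >> "$1.tmp"
    printf '%s\342\200\223dport 443 -j ACCEPT\n' '-A INPUT -p tcp -m tcp ' >> "$1.tmp"
    printf 'COMMIT\n' >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# Usage: sh check_firewall.sh /system/configuration/firewall.txt
if [ $# -gt 0 ]; then
    apply_firewall "$1"
fi
```

The checks are deliberately text-level so they run anywhere, including on a workstation before the file is copied to the server. Newer iptables releases also ship `iptables-restore --test`, which parses the file without committing it; where it is available, running it as a fourth check before the fail2ban stop is worthwhile.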
