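#!/bin/sh
# linux/iptables example
# mostly oriented towards protecting a single end host.
#
# however the host in question, also leads to two other
# hosts (one that is virtual) thru some internal plumbing
# so we are actually blocking THREE hosts here in terms of various services
# and allowing access to one other remote host for X apps.
# note that all the rules are iptables INPUT rules.
#
# We accept some things. We deny some things.
# basically accept all though.
#
# Usage: $0 VHOST1 REMOTEXSERVER
#
# Things a maintainer should keep in mind:
# - every rule is appended (-A) to INPUT, so each ACCEPT must come before
#   the DROP for the same port (first match wins), and anything not listed
#   here is decided by whatever is already in the chain and its policy.
# - no rule carries an -i interface match, so the per-source ACCEPTs rely
#   on the kernel/upstream plumbing not delivering spoofed source addresses.
# - the NFS rule (2049) covers udp only; tcp/2049 is not touched here.

# Both arguments are required. Fail before touching the ruleset rather than
# appending rules with an empty source: the ACCEPT would error out but the
# following DROP would still be installed, locking the service out.
VHOST1=${1:?"usage: $0 VHOST1 REMOTEXSERVER"}          # ixp NIC card
REMOTEXSERVER=${2:?"usage: $0 VHOST1 REMOTEXSERVER"}   # x server we want access to

# windows running on this box has IP address 192.168.65.1
# it is using NAT to get access
# NAT rules not shown
WINHOST=192.168.65.1

# allow_from SRC PROTO PORT: accept PROTO traffic to PORT when it comes from SRC
allow_from() {
  iptables -A INPUT -s "$1" -p "$2" --dport "$3" -j ACCEPT
}

# drop_port PROTO PORT: drop PROTO traffic to PORT from anyone not accepted above
drop_port() {
  iptables -A INPUT -p "$1" --dport "$2" -j DROP
}

# smtp: nobody talks to this host's mailer
drop_port tcp 25

# X11: only the one remote X server may reach port 6000
allow_from "$REMOTEXSERVER" tcp 6000
drop_port tcp 6000

# portmapper (111), tcp and udp: our own vhost and the windows guest only
allow_from "$VHOST1/32" tcp 111
allow_from "$VHOST1/32" udp 111
allow_from "$WINHOST/32" tcp 111
allow_from "$WINHOST/32" udp 111
drop_port tcp 111
drop_port udp 111

# samba port (netbios-ssn)
allow_from "$VHOST1/32" tcp 139
allow_from "$WINHOST/32" tcp 139
drop_port tcp 139

# one had best know this one (nfs; udp only -- see the note at the top)
allow_from "$VHOST1/32" udp 2049
allow_from "$WINHOST/32" udp 2049
drop_port udp 2049

# another samba port (netbios-ns)
allow_from "$VHOST1/32" udp 137
allow_from "$WINHOST/32" udp 137
drop_port udp 137

# another samba port (netbios-dgm)
# note the "$" on VHOST1 here: a bare VHOST1/32 is passed to iptables as a
# literal hostname, the ACCEPT fails, and the DROP below still goes in.
allow_from "$VHOST1/32" udp 138
allow_from "$WINHOST/32" udp 138
drop_port udp 138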