iptables
Here is a slightly modified iptables policy ruleset that I use for one of my boxen.
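#!/bin/bash
#
# Host firewall: an IPv4 iptables ruleset for a single box (FORWARD is
# dropped, nothing is NATed).
#
# Ordering is what makes this fail closed: the built-in chains are set to
# DROP *before* the old rules are flushed, so if the script dies part-way
# through the host is left closed, not open.
#
# Only IPv4 is configured here. ip6tables is never touched, so IPv6 keeps
# whatever policy it already has -- handle it separately.
#
# Needs permission to write /proc/sys and to call iptables (root).
# Fill in the "Script Variables" section before use.
set -eu

############################################
## Script Variables
############################################
IPT="/sbin/iptables"
IP="192.168.1.1" # your ip here
# your dhcp server here; leave empty to skip the dhcp rules entirely.
# (a bare <placeholder> on the rule line would be parsed by the shell as
# redirections, not as an address -- keep it in this variable)
DHCPSRV=""
# ips that should not be arriving on interfaces (bogons): log and drop
BADIP=(0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/5)
# ips to actively ignore: log and drop, both directions
SHUNIP=()
# rate limited ip's: new tcp connections above a small budget get a RST
RLIMITIP=()
# every LOG rule is itself rate limited so a flood cannot fill the log.
# --log-level is a LOG target option, so this list must follow "-j LOG".
LOGOPT=(--log-level=3 -m limit --limit 3/minute --limit-burst 3)
# budget for inbound SYNs. This is a plain "limit" match shared by ALL
# sources (not a per-source hashlimit), so a flood throttles legitimate
# clients too; tune it for the box's expected connection rate.
SYNOPT=(-m limit --limit 5/second --limit-burst 10)

# Print a message to stderr and exit non-zero.
# Arguments: $* - message
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

[[ -x "$IPT" ]] || die "can't execute $IPT"

############################################
## System Settings
############################################
# Write VALUE to /proc/sys/net/ipv4/conf/*/NAME for every interface
# (the glob also covers the "all" and "default" entries).
# Arguments: $1 - conf file name, $2 - value to write
set_ipv4_conf() {
  local name=$1 value=$2
  local f
  for f in /proc/sys/net/ipv4/conf/*/"$name"; do
    echo "$value" > "$f"
  done
}

##enable echo broadcast protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
##enable tcp SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
##disable source routed packets
set_ipv4_conf accept_source_route 0
##Disable ICMP Redirect Acceptance
set_ipv4_conf accept_redirects 0
##Don't send ICMP Redirects
set_ipv4_conf send_redirects 0
##drop spoofed packets coming into an interface (reverse path filter)
set_ipv4_conf rp_filter 1
##log packets with impossible addresses
set_ipv4_conf log_martians 1

############################################
## Default Policies
############################################
##set default table policies first, so the flush below never opens the box
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT DROP
"$IPT" --policy FORWARD DROP
## "$IPT" -t nat --policy PREROUTING DROP
## "$IPT" -t nat --policy OUTPUT DROP
## "$IPT" -t nat --policy POSTROUTING DROP
## "$IPT" -t mangle --policy PREROUTING DROP
## "$IPT" -t mangle --policy OUTPUT DROP
##remove any existing rules (policies survive a flush)
"$IPT" -F
## "$IPT" -t nat -F
## "$IPT" -t mangle -F
###remove pre-existing user chains
"$IPT" --delete-chain
## "$IPT" -t nat --delete-chain
## "$IPT" -t mangle --delete-chain

############################################
## LOGGING CHAINS
############################################
# Each L* chain logs with its own prefix (so log lines can be grepped by
# cause) and then drops.
"$IPT" -N LDROP
"$IPT" -A LDROP -j LOG --log-prefix "IPT Drop: " "${LOGOPT[@]}"
"$IPT" -A LDROP -j DROP

"$IPT" -N LBADIP
# netbios chatter from bogon sources is constant noise: drop it unlogged
"$IPT" -A LBADIP -p tcp --dport 137:139 -j DROP
"$IPT" -A LBADIP -p udp --dport 137:139 -j DROP
"$IPT" -A LBADIP -j LOG --log-prefix "IPT BADIP: " "${LOGOPT[@]}"
"$IPT" -A LBADIP -j DROP

"$IPT" -N LSHUN
"$IPT" -A LSHUN -j LOG --log-prefix "IPT SHUNIP: " "${LOGOPT[@]}"
"$IPT" -A LSHUN -j DROP

"$IPT" -N LFLOOD
"$IPT" -A LFLOOD -j LOG --log-prefix "IPT Flood: " "${LOGOPT[@]}"
"$IPT" -A LFLOOD -j DROP

"$IPT" -N LFLAGS
"$IPT" -A LFLAGS -j LOG --log-prefix "IPT BADFLAGS: " "${LOGOPT[@]}"
"$IPT" -A LFLAGS -j DROP

############################################
## Rate limit ips
############################################
# Up to 5 tcp packets/hour (burst 5) return to the caller; anything above
# that is answered with a RST instead of being silently dropped.
"$IPT" -N RLIMIT
"$IPT" -A RLIMIT -p tcp -m limit --limit 5/hour --limit-burst 5 -j RETURN
"$IPT" -A RLIMIT -p tcp -j REJECT --reject-with tcp-reset

############################################
## BAD IPS
############################################
"$IPT" -N BADIP
for ip in "${BADIP[@]}"; do
  "$IPT" -A BADIP -s "$ip" -j LBADIP
  "$IPT" -A BADIP -d "$ip" -j LBADIP
done

############################################
## Shunned IPS
############################################
# ${a[@]+"${a[@]}"} expands to nothing for an empty array without
# tripping "set -u" on bash < 4.4.
"$IPT" -N SHUN
for ip in ${SHUNIP[@]+"${SHUNIP[@]}"}; do
  "$IPT" -A SHUN -s "$ip" -j LSHUN
  "$IPT" -A SHUN -d "$ip" -j LSHUN
done

############################################
## Rate limited IPS
############################################
"$IPT" -N LIMITS
for ip in ${RLIMITIP[@]+"${RLIMITIP[@]}"}; do
  "$IPT" -A LIMITS -s "$ip" -j RLIMIT
done

############################################
## Traffic COUNTing table
############################################
"$IPT" -N COUNT
##a rule with no target matches everything and only bumps the counters,
##so "iptables -L COUNT -v" shows total traffic
"$IPT" -A COUNT

############################################
## FLood Protection
############################################
"$IPT" -N FLOOD
##accepts datagrams at limited rates only; the excess is logged and dropped
"$IPT" -A FLOOD "${SYNOPT[@]}" -j RETURN
"$IPT" -A FLOOD -j LFLOOD

############################################
## TCP Flag Validation
############################################
# Flag combinations that never occur in a legitimate tcp segment
# (scan / fingerprint patterns). Syntax: --tcp-flags <mask> <must-be-set>.
"$IPT" -N FLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags ACK,PSH PSH -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags ACK,URG URG -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags ALL ALL -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags ALL NONE -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j LFLAGS
"$IPT" -A FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LFLAGS
#THE REST OF THE COMBINATIONS ARE VALID

############################################
## input
############################################
# IN has no terminal rule: anything not accepted here falls back to the
# final DROP in INPUT.
"$IPT" -N IN
#check for invalid states
"$IPT" -A IN -m state --state INVALID -j DROP
# check for syn floods
"$IPT" -A IN -p tcp --syn -j FLOOD
# check for valid flags
"$IPT" -A IN -p tcp -j FLAGS
# anti-spoofing: nothing arriving from the wire may claim our own address
"$IPT" -A IN -s "$IP" -j LDROP
# check for ip's that we are Limiting
"$IPT" -A IN -p tcp -j LIMITS
# auto associate return traffic
"$IPT" -A IN -m state --state ESTABLISHED,RELATED -j ACCEPT
##accept ssh connections
"$IPT" -A IN -p tcp --dport 2222 -m state --state NEW -j ACCEPT
##smtp connections
#"$IPT" -A IN -p tcp --dport 25 -m state --state NEW -j ACCEPT
# dhcp (only when a server address is configured)
if [[ -n "$DHCPSRV" ]]; then
  "$IPT" -A IN -p udp -s "$DHCPSRV" --sport 67:68 -j ACCEPT
fi
##imap connections
#"$IPT" -A IN -p tcp --dport 143 -j ACCEPT
#"$IPT" -A IN -p udp --dport 143 -j ACCEPT
##accept http connections
"$IPT" -A IN -p tcp --dport 80 -m state --state NEW -j ACCEPT
##accept https connections
"$IPT" -A IN -p tcp --dport 443 -m state --state NEW -j ACCEPT
##accept NWN traffic
"$IPT" -A IN -p udp --dport 5121 -m state --state NEW -j ACCEPT
##drop AUTH (ident) explicitly so it never matches anything below
"$IPT" -A IN -p tcp --dport 113 -j DROP

############################################
## output
############################################
# OUT is an allow-list of destination ports for NEW connections; like IN
# it falls through to the final DROP in OUTPUT.
"$IPT" -N OUT
"$IPT" -A OUT -p tcp -j FLAGS
# this can cause problems if IP changes
#"$IPT" -A OUT ! -s "$IP" -j LDROP
##Covers returns based upon a request.
"$IPT" -A OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#ftp needed by pacman
"$IPT" -A OUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
#ssh
"$IPT" -A OUT -m state --state NEW -p tcp --dport 2222 -j ACCEPT
#smtp
"$IPT" -A OUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
#dns-tcp
"$IPT" -A OUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
#dns-udp
"$IPT" -A OUT -m state --state NEW -p udp --dport 53 -j ACCEPT
#dhcp (only when a server address is configured)
if [[ -n "$DHCPSRV" ]]; then
  "$IPT" -A OUT -m state --state NEW -p udp -d "$DHCPSRV" --dport 67:68 -j ACCEPT
fi
#http
"$IPT" -A OUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
#ntp
"$IPT" -A OUT -m state --state NEW -p udp --dport 123 -j ACCEPT
#https
"$IPT" -A OUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
#rsync
"$IPT" -A OUT -m state --state NEW -p tcp --dport 873 -j ACCEPT
#cvs
"$IPT" -A OUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
#cvs
"$IPT" -A OUT -m state --state NEW -p udp --dport 2401 -j ACCEPT
#cvsup
"$IPT" -A OUT -m state --state NEW -p tcp --dport 5999 -j ACCEPT
##allow all output not explicitly blocked...for testing
#"$IPT" -A OUT -m state --state NEW -j ACCEPT

############################################
## ICMP Inbound
############################################
"$IPT" -N IN_ICMP
##allow pings, but only ones addressed to us (not broadcast/multicast)
"$IPT" -A IN_ICMP -p icmp --icmp-type echo-request -d "$IP" -j ACCEPT
"$IPT" -A IN_ICMP -p icmp --icmp-type echo-reply -d "$IP" -j ACCEPT
##error types needed for path MTU discovery and traceroute to work
"$IPT" -A IN_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
"$IPT" -A IN_ICMP -p icmp --icmp-type source-quench -j ACCEPT
"$IPT" -A IN_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
"$IPT" -A IN_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT

############################################
## ICMP Outbound
############################################
"$IPT" -N OUT_ICMP
##allow pings
"$IPT" -A OUT_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
"$IPT" -A OUT_ICMP -p icmp --icmp-type echo-request -j ACCEPT
"$IPT" -A OUT_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
"$IPT" -A OUT_ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
"$IPT" -A OUT_ICMP -p icmp --icmp-type source-quench -j ACCEPT
"$IPT" -A OUT_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT

############################################
## Connecting rules for built-in chains
############################################
# Evaluation order per direction: loopback, bogons, shun list, counters,
# then the protocol-specific chain; an explicit DROP closes each chain so
# nothing depends on the policy alone.
##unlimited traffic on local interfaces
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

"$IPT" -A INPUT -j BADIP
"$IPT" -A INPUT -j SHUN
"$IPT" -A INPUT -j COUNT
# "! -p" is the current negation syntax; "-p !" is the deprecated form
"$IPT" -A INPUT ! -p icmp -j IN
"$IPT" -A INPUT -p icmp -j IN_ICMP
"$IPT" -A INPUT -j DROP

"$IPT" -A OUTPUT -j BADIP
"$IPT" -A OUTPUT -j SHUN
"$IPT" -A OUTPUT -j COUNT
"$IPT" -A OUTPUT ! -p icmp -j OUT
"$IPT" -A OUTPUT -p icmp -j OUT_ICMP
"$IPT" -A OUTPUT -j DROP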