Last active
December 1, 2015 19:56
-
-
Save baldasso/19e3348099657aedd60a to your computer and use it in GitHub Desktop.
Generate rules for iptables. Use it as reference
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #------------------------------------------------------------------------------ | |
| # iptables_setup.sh - Set default rules for iptables. | |
| # Matheus Baldasso, <[email protected]> | |
| # Clean up all tables, set default policy for table filter, set a bunch of | |
| # rules for INPUT and OUTPUT chain and log all dropped packets. By Default all | |
| # requests are blocked, unless a rule is set. Used for reference and customize | |
| # for your environment. | |
| # Require: xtables, geoip module for iptables. | |
| # References: | |
| # Install geoip | |
| # https://www.wipmania.com/en/blog/geoip-for-iptables/ | |
| # | |
| # Learn how to change default policy, create rules for incoming and outgoing | |
| # traffic. | |
| # http://www.thegeekstuff.com/2011/03/iptables-inbound-and-outbound-rules/ | |
| # | |
| # Allow ICMP (ping) traffic | |
| # http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html | |
| # | |
| # Examples: | |
| # http://www.thegeekstuff.com/scripts/iptables-rules | |
| # https://gist.github.com/thomasfr/9712418 | |
| # Usage: iptables_setup.sh | |
| # Revision history: | |
| # 2015-11-04 Created | |
| #------------------------------------------------------------------------------ | |
| # Variables | |
| PUBLIC_IP=0.0 | |
| # Clean up all tables | |
| iptables -F | |
| iptables -X | |
| iptables -t nat -F | |
| iptables -t nat -X | |
| iptables -t mangle -F | |
| iptables -t mangle -X | |
| # Set default policy to DROP | |
| iptables -P INPUT DROP | |
| iptables -P FORWARD DROP | |
| iptables -P OUTPUT DROP | |
| # | |
| # Rules | |
| # | |
| # Protect from common attacks | |
| # Null packets | |
| iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP | |
| # SYN-flood attack | |
| iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP | |
| # XMAS attack | |
| iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP | |
| # Allow loopback access | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -A OUTPUT -o lo -j ACCEPT | |
| # Allow incoming SSH from Brazil | |
| iptables -A INPUT -p tcp --dport 22 -m geoip --src-cc BR -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
| # Allow outbound DNS | |
| # This rule should be on top for others rules can use it. | |
| iptables -A OUTPUT -p udp --dport 53 -j ACCEPT | |
| iptables -A INPUT -p udp --sport 53 -j ACCEPT | |
| # Allow ping from inside to outside | |
| iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT | |
| iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT | |
| # Allow incoming HTTP/HTTPS from specific countries | |
| # Countries allowed: | |
| # Brazil | |
| # Chile | |
| # Paraguay | |
| iptables -A INPUT -p tcp -m multiport --dports 80,443 -m geoip --src-cc BR,CL,PY -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT | |
| # Allow MySQL connection from inside to outside | |
| iptables -A OUTPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A INPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT | |
| # Allow Locaweb SMTP | |
| #iptables -A OUTPUT -p tcp -m multiport --dports 465,587 -d smtplw.com.br -m state --state NEW,ESTABLISHED -j ACCEPT | |
| #iptables -A INPUT -p tcp -m multiport --sports 465,587 -s smtplw.com.br -m state --state ESTABLISHED -j ACCEPT | |
| # Allow connection to public ip. | |
| # Is need for Drupal projects. | |
| iptables -A OUTPUT -p tcp --dport 80 -d $PUBLIC_IP -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A INPUT -p tcp --dport 80 -s $PUBLIC_IP -m state --state NEW,ESTABLISHED -j ACCEPT | |
| # | |
| # Allow Repositories | |
| # | |
| # Allow us-east-1.ec2.archive.ubuntu.com | |
| iptables -A OUTPUT -p tcp --dport 80 -d us-east-1.ec2.archive.ubuntu.com -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A INPUT -p tcp --sport 80 -s us-east-1.ec2.archive.ubuntu.com -m state --state ESTABLISHED -j ACCEPT | |
| # Allow security.ubuntu.com | |
| iptables -A OUTPUT -p tcp --dport 80 -d security.ubuntu.com -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A INPUT -p tcp --sport 80 -s security.ubuntu.com -m state --state ESTABLISHED -j ACCEPT | |
| # Allow nginx.org | |
| iptables -A OUTPUT -p tcp --dport 80 -d nginx.org -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A INPUT -p tcp --sport 80 -s nginx.org -m state --state ESTABLISHED -j ACCEPT | |
| # Log dropped packets | |
| iptables -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: ' | |
| iptables -A INPUT -j DROP | |
| iptables -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: ' | |
| iptables -A OUTPUT -j DROP | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment