baldasso revised this gist
Nov 4, 2015. No changes.
baldasso created this gist
Nov 4, 2015.
@@ -0,0 +1,123 @@ #!/bin/bash #------------------------------------------------------------------------------ # iptables_setup.sh - Set default rules for iptables. # Matheus Baldasso, <[email protected]> # Clean up all tables, set default policy for table filter, set a bunch of # rules for INPUT and OUTPUT chain and log all dropped packets. By Default all # requests are blocked, unless a rule is set. Used for reference and customize # for your environment. # Require: xtables, geoip module for iptables. # References: # Install geoip # https://www.wipmania.com/en/blog/geoip-for-iptables/ # # Learn how to change default policy, create rules for incoming and outgoing # traffic. # http://www.thegeekstuff.com/2011/03/iptables-inbound-and-outbound-rules/ # # Allow ICMP (ping) traffic # http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html # # Examples: # http://www.thegeekstuff.com/scripts/iptables-rules # https://gist.github.com/thomasfr/9712418 # Usage: iptables_setup.sh # Revision history: # 2015-11-04 Created #------------------------------------------------------------------------------ # Variables PUBLIC_IP=0.0 # Clean up all tables iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X # Set default policy to DROP iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # # Rules # # Protect from common attacks # Null packets iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # SYN-flood attack iptables -A INPUT -p tcp ! 
--syn -m state --state NEW -j DROP # XMAS attack iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # Allow loopback access iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow incoming SSH from Brazil iptables -A INPUT -p tcp --dport 22 -m geoip --src-cc BR -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT # Allow outbound DNS # This rule should be on top for others rules can use it. iptables -A OUTPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p udp --sport 53 -j ACCEPT # Allow ping from inside to outside iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT # Allow incoming HTTP/HTTPS from specific countries # Countries allowed: # Brazil # Chile # Paraguay iptables -A INPUT -p tcp -m multiport --dports 80,443 -m geoip --src-cc BR,CL,PY -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT # Allow MySQL connection from inside to outside iptables -A OUTPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT # Allow Locaweb SMTP #iptables -A OUTPUT -p tcp -m multiport --dports 465,587 -d smtplw.com.br -m state --state NEW,ESTABLISHED -j ACCEPT #iptables -A INPUT -p tcp -m multiport --sports 465,587 -s smtplw.com.br -m state --state ESTABLISHED -j ACCEPT # Allow connection to public ip. # Is need for Drupal projects. 
iptables -A OUTPUT -p tcp --dport 80 -d $PUBLIC_IP -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --dport 80 -s $PUBLIC_IP -m state --state NEW,ESTABLISHED -j ACCEPT # # Allow Repositories # # Allow us-east-1.ec2.archive.ubuntu.com iptables -A OUTPUT -p tcp --dport 80 -d us-east-1.ec2.archive.ubuntu.com -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 80 -s us-east-1.ec2.archive.ubuntu.com -m state --state ESTABLISHED -j ACCEPT # Allow security.ubuntu.com iptables -A OUTPUT -p tcp --dport 80 -d security.ubuntu.com -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 80 -s security.ubuntu.com -m state --state ESTABLISHED -j ACCEPT # Allow nginx.org iptables -A OUTPUT -p tcp --dport 80 -d nginx.org -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 80 -s nginx.org -m state --state ESTABLISHED -j ACCEPT # Log dropped packets iptables -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: ' iptables -A INPUT -j DROP iptables -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: ' iptables -A OUTPUT -j DROP exit 0
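Review bot: The outbound-DNS return rule `iptables -A INPUT -p udp --sport 53 -j ACCEPT` is stateless, so any UDP datagram whose source port is 53 is accepted on every destination port regardless of whether a query was ever sent; it should be `iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT`, and the ICMP echo-reply rule has the same gap. A second point: the DROP policies are set before any ACCEPT rule exists and the script runs without `set -e`, so if one of the `-m geoip` rules fails to load (the header lists the geoip module as a requirement) the remaining rules still run, the host ends up with no SSH allow, and the unconditional `exit 0` reports success — setting the three `-P ... DROP` lines after the rules (both chains already end in an explicit `-j DROP`) or adding `set -euo pipefail` with an error trap that resets the policies to ACCEPT avoids the lock-out. Minor: `PUBLIC_IP=0.0` is a placeholder used unquoted in `-d $PUBLIC_IP` and `-s $PUBLIC_IP`; a guard such as `: "${PUBLIC_IP:?set PUBLIC_IP before running}"` makes the script fail loudly instead of installing rules for an unintended address. The hostname-based `-s`/`-d` mirror rules are resolved once at load time, so they presumably stop matching silently when those hosts change address — worth a comment at those lines.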