-
-
Save robrocker7/4260159 to your computer and use it in GitHub Desktop.
iptables
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| # Jonathan Perkin <[email protected]> wrote this file. | |
| # | |
| # You can freely distribute/modify it (and are encouraged to do so), | |
| # and you are welcome to buy me a beer if we ever meet and you think | |
| # this stuff is worth it. Improvements and cleanups always welcome. | |
| # | |
| # IPTables firewall script. There are many. This is mine. | |
| # | |
| # This is primarily for Debian/Ubuntu systems where there is no central | |
| # way to configure iptables, unlike Red Hat derivatives which have a | |
| # proper init service available. | |
| # | |
| # Copy it to /etc/network/if-pre-up.d/iptables, ensure it is executable, | |
| # then modify to taste. | |
| # | |
| # | |
| # Ensure sane path | |
| # | |
| PATH=/sbin:/usr/sbin:/bin:/usr/bin | |
| # | |
| # When running from the command line, provide a -v option to print the | |
| # installed rules at the end. | |
| # | |
| verbose= | |
| if [ "$1" = "-v" ]; then | |
| shift | |
| verbose=on | |
| fi | |
| # | |
| # Rather than duplicate entries for iptables and ip6tables, have some small | |
| # wrapper functions do it for us. | |
| # | |
| # ip4tbl - apply ruleset for just iptables | |
| # ip6tbl - apply ruleset for just ip6tables | |
| # iptbl - apply ruleset for both iptables and ip6tables | |
| # | |
| ip4tbl() | |
| { | |
| iptables "$@" | |
| } | |
| ip6tbl() | |
| { | |
| ip6tables "$@" | |
| } | |
| iptbl() | |
| { | |
| ip4tbl "$@" | |
| ip6tbl "$@" | |
| } | |
| # | |
| # Flush all rulesets | |
| # | |
| iptbl -F | |
| iptbl -X | |
| # | |
| # Block by default except outgoing traffic | |
| # | |
| iptbl -P INPUT DROP | |
| iptbl -P FORWARD DROP | |
| iptbl -P OUTPUT ACCEPT | |
| # | |
| # Allow everything on loopback | |
| # | |
| iptbl -A INPUT -i lo -j ACCEPT | |
| # | |
| # Permit established connections | |
| # | |
| iptbl -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| # | |
| # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) | |
| # | |
| iptbl -A INPUT -p tcp --dport 80 -j ACCEPT | |
| iptbl -A INPUT -p tcp --dport 443 -j ACCEPT | |
| # | |
| # Permit SSH and SMTP | |
| # | |
| iptbl -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | |
| iptbl -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT | |
| # | |
| # Permit ICMP and traceroute | |
| # | |
| ip4tbl -A INPUT -p icmp -j ACCEPT | |
| ip6tbl -A INPUT -p ipv6-icmp -j ACCEPT | |
| iptbl -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT | |
| # | |
| # Log denied connections | |
| # | |
| iptbl -A INPUT -p tcp -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7 | |
| iptbl -A INPUT -p udp -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7 | |
| ip4tbl -A INPUT -p icmp -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7 | |
| ip6tbl -A INPUT -p ipv6-icmp -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7 | |
| # | |
| # Finally, reject to keep open connections down | |
| # | |
| iptbl -A INPUT -j REJECT | |
| # | |
| # Display INPUT chain if verbose | |
| # | |
| if [ -n "${verbose}" ]; then | |
| iptables -L INPUT -vn --line-numbers | |
| ip6tables -L INPUT -vn --line-numbers | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment