#!/bin/bash
# iptables firewall for common LAMP servers.
#
# This file should be located at /etc/firewall.bash, and is meant to work with
# Jeff Geerling's firewall init script.
#
# Common port reference:
# 22: SSH
# 25: SMTP
# 80: HTTP
# 123: NTP
# 443: HTTPS
# 2222: SSH alternate
# 4949: Munin
# 6082: Varnish admin
# 8080: HTTP alternate (often used with Tomcat)
# 8983: Tomcat HTTP
# 8443: Tomcat HTTPS
# 9000: SonarQube
#
# @author Jeff Geerling
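# No spoofing: turn on reverse-path filtering for every IPv4 interface.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for filter in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$filter"
  done
fi

# Interface facing the untrusted network: NATed for docker0, and the only
# interface that gets the explicit REJECT/DROP tail below.
readonly wan_if='agge'

# Ports the trusted source ranges may reach over TCP (SSH, HTTP/S, syslog, 5601).
readonly mgmt_ports='22,80,443,514,5601'
# Trusted source ranges for $mgmt_ports.
# 91.90.18.78/32 is already covered by 91.90.18.78/27, so it is listed once.
mgmt_sources=(
  142.0.192.0/20
  91.90.18.78/27
  94.45.43.202/32
  62.244.22.38/32
  89.184.84.0/25
)
# Sources allowed SSH (22/tcp) only.
ssh_sources=(
  159.224.217.112/32
  176.38.253.224/32
  46.151.87.84/32
  92.244.106.87/32
  91.203.63.12/32
  176.9.26.57/32
  37.48.106.4/32
)

# Completely reset the firewall by removing all rules and chains.
# NOTE(review): there is no set -e on purpose; a failure midway would otherwise
# leave the chains flushed with policy ACCEPT. Check the exit status of the
# wrapping init script if that window matters.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Accept traffic from loopback interface (localhost).
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections first: every rule above is an ACCEPT, so
# placing this early changes nothing in the verdict and saves rule lookups.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forwarded ports.

# Open ports.

# Accept icmp ping requests. This accepts every ICMP type, which is why the
# type-specific echo-request (8) / echo-reply (6 -- not a standard type) rules
# that used to follow were dead and have been dropped.
iptables -A INPUT -p icmp -j ACCEPT

# Allow NTP traffic for time synchronization.
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT

# Additional custom rules.
# Masquerade traffic leaving through the WAN interface (docker0 -> WAN below).
iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE

# New OpenVPN (1194/udp) and syslog (514/udp) sessions on the WAN interface.
iptables -A INPUT -i "$wan_if" -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i "$wan_if" -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

# Management ports from trusted ranges.
for src in "${mgmt_sources[@]}"; do
  iptables -A INPUT -s "$src" -p tcp -m multiport --dports "$mgmt_ports" -j ACCEPT
done
# One monitoring host additionally gets 336, Munin (4949) and NRPE (5666).
iptables -A INPUT -s 52.45.106.65/32 -p tcp -m multiport --dports "${mgmt_ports},336,4949,5666" -j ACCEPT

# SSH-only sources.
for src in "${ssh_sources[@]}"; do
  iptables -A INPUT -s "$src" -p tcp -m tcp --dport 22 -j ACCEPT
done

# Everything else arriving on the WAN interface: TCP gets a reset, the rest is dropped.
iptables -A INPUT -i "$wan_if" -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i "$wan_if" -j DROP

# Let containers reach the WAN and replies come back (FORWARD policy is ACCEPT
# anyway; these keep the intent explicit).
iptables -A FORWARD -i docker0 -o "$wan_if" -j ACCEPT
iptables -A FORWARD -i "$wan_if" -o docker0 -j ACCEPT

# Outbound ICMP echo request/reply (OUTPUT policy is ACCEPT, so this is explicit only).
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 6 -j ACCEPT

# Log EVERYTHING (ONLY for Debug).
# iptables -A INPUT -j LOG

# Drop all other traffic.
iptables -A INPUT -j DROP

# Configure IPv6 if ip6tables is present.
if command -v ip6tables >/dev/null 2>&1; then
  # Remove all rules and chains.
  ip6tables -F
  ip6tables -X

  # Accept traffic from loopback interface (localhost).
  ip6tables -A INPUT -i lo -j ACCEPT

  # Open ports.

  # Accept ICMPv6. Named explicitly as ipv6-icmp: neighbour discovery and
  # router advertisements depend on it, so a protocol mismatch here would
  # silently break IPv6 connectivity.
  ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

  # Allow NTP traffic for time synchronization.
  ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT
  ip6tables -A INPUT -p udp --sport 123 -j ACCEPT

  # Additional custom rules.

  # Allow established connections:
  ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Log EVERYTHING (ONLY for Debug).
  # ip6tables -A INPUT -j LOG

  # Drop all other traffic.
  ip6tables -A INPUT -j DROP
fi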