firewall-init #
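#!/bin/bash
#
### BEGIN INIT INFO
# Provides: iptables-config
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: load and unload iptables config
# Description: loads the firewall.config file in to iptables and flushs iptables
### END INIT INFO
#
# Usage: firewall-init start|stop|flush|reload|restart
#
# The rule set in $conf is *executed* as a shell script by root, so that file
# must be owned by and writable only by root: anything written into it runs
# with full privileges the next time this service starts.

conf="/etc/firewall.config"

# Open the filter table completely: all three policies back to ACCEPT, then
# every rule removed.  The policies are reset *before* the flush so there is
# never a moment with a DROP policy and no ACCEPT rules behind it.
open_firewall() {
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -F
}

# Execute the rule file with sh.  Refuses (non-zero, message on stderr) when
# the file is missing or unreadable, so a wrong path does not silently leave
# the previous rules -- or an open policy -- in place.
# Returns: the rule file's exit status, or 1 when it cannot be read.
load_rules() {
  if [[ ! -r "$conf" ]]; then
    printf '%s: cannot read %s\n' "${0##*/}" "$conf" >&2
    return 1
  fi
  sh "$conf"
}

case "${1:-}" in
  start)
    load_rules
    ;;
  stop|flush)
    # stop and flush are the same operation: drop all rules, accept everything.
    open_firewall
    ;;
  reload|restart)
    # Only the rules are flushed here; the policies keep their current value
    # so the host stays closed (fail-closed) while the new set is loaded.
    iptables -F
    load_rules
    ;;
  *)
    printf 'Usage: start|stop|flush|reload|restart\n' >&2
    exit 1
    ;;
esac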
firewall.config #
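#!/bin/sh
# /etc/firewall.config - iptables rule set loaded by the firewall-init script.
# It is run with "sh", so everything here must stay POSIX (no bashisms).
# Order matters: policies are set to DROP first (fail closed), then the chains
# are flushed, then ACCEPT rules are added from most to least specific.

# Run one iptables command.  A failing rule is reported on stderr but does not
# stop the load, so one bad line neither aborts the whole set silently nor
# leaves the box closed without any diagnostic of which rule was skipped.
ipt() {
  iptables "$@" || printf 'firewall.config: rule failed: iptables %s\n' "$*" >&2
}

#Change policy to drop for input and forward
ipt -P INPUT DROP
ipt -P FORWARD DROP
ipt -P OUTPUT ACCEPT

#Flush the current chains
ipt -F INPUT
ipt -F OUTPUT
ipt -F FORWARD
ipt -F -t nat

#Loopback is accepted unconditionally. With the INPUT policy at DROP, local
#services that only listen on 127.0.0.1 (and are not in the port list below)
#would otherwise be unreachable from the host itself.
ipt -A INPUT -i lo -j ACCEPT

#If a request on the external interface comes from an internal ip, it is malicious so we drop those.
#These sit before the state rule so a spoofed packet cannot ride an existing conntrack entry.
ipt -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
ipt -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

#Keep established connections (this is what keeps the session you load the rules from alive)
ipt -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#ssh
ipt -A INPUT -p tcp --dport 22 -j ACCEPT

#web traffic
ipt -A INPUT -p tcp --dport 443 -j ACCEPT #ssl
ipt -A INPUT -p tcp --dport 80 -j ACCEPT #standard

#mail traffic
ipt -A INPUT -p tcp --dport 25 -j ACCEPT #smtp
ipt -A INPUT -p tcp --dport 587 -j ACCEPT #smtp submissions
ipt -A INPUT -p tcp --dport 465 -j ACCEPT #smtp over ssl
ipt -A INPUT -p tcp --dport 110 -j ACCEPT #pop3
ipt -A INPUT -p tcp --dport 995 -j ACCEPT #pop3 over ssl
ipt -A INPUT -p tcp --dport 143 -j ACCEPT #imap
ipt -A INPUT -p tcp --dport 993 -j ACCEPT #imap over ssl

#snmp
#NOTE(review): 161 is reachable from every source address here; SNMP carries
#community strings in clear text, so narrow these with -s to the monitoring
#station's address once it is known.
ipt -A INPUT -p tcp --dport 161 -j ACCEPT #tcp
ipt -A INPUT -p udp --dport 161 -j ACCEPT #udp

#allow ping to the host for monitoring
ipt -A INPUT -p icmp --icmp-type 8 -j ACCEPT

#Ensure a drop of all packets on the input. The policy already drops; these
#explicit rules make the intent visible in "iptables -L -v" with hit counters.
ipt -A INPUT -p udp -j DROP
ipt -A INPUT -p tcp --syn -j DROP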