@Rudis1261
Created November 3, 2016 06:15
Firewall Setup Script
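#!/usr/bin/env bash
# Firewall setup: rebuild the iptables filter table for this host.
#
# Inputs:   hostlist.sh (next to this script) must define the array `ips`,
#           the private-network (eth1) addresses of the cluster hosts.
# Effects:  flushes the filter table, installs the rule set below, sets the
#           default policies to DROP and persists the result to
#           /etc/iptables/rules.v4. Must run as root.
# Safety:   the live rule set is saved before the flush and restored if any
#           iptables command fails, so a partial run never leaves the host
#           wide open (ACCEPT + flushed) or locked out (DROP + missing
#           rules); a failed run is never persisted.
set -Eeuo pipefail

readonly rules_file=/etc/iptables/rules.v4
readonly public_if=eth0
readonly private_if=eth1
# Internal services: SSH, HTTP, Redis, MySQL, portmapper, NFS, RabbitMQ,
# Graphite, Elasticsearch (TCP) / portmapper, NFS, StatsD, Graphite (UDP).
readonly internal_tcp_ports=22,80,6379,3306,111,2049,32764:32769,5672,2003,9200:9400
readonly internal_udp_ports=111,2049,32764:32769,8125,2003
# Public services exposed by TheDirector: HTTP, HTTPS, RabbitMQ mgmt, Mumble.
readonly director_public_ports=80,443,15672,64738

# Path of the pre-run iptables-save snapshot; set in main, used by the traps.
backup=

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

#######################################
# Join all arguments with commas (iptables -s/-d list syntax).
# Arguments: addresses
# Outputs:   "a,b,c" on stdout, no trailing newline
#######################################
join_by_comma() {
  local IFS=,
  printf '%s' "$*"
}

#######################################
# ERR trap: put the previous rule set back and abort.
# Globals:   backup (read)
#######################################
restore_rules() {
  printf 'firewall: rule load failed, restoring previous rules\n' >&2
  if [[ -n "$backup" && -s "$backup" ]]; then
    iptables-restore < "$backup" || printf 'firewall: restore failed as well\n' >&2
  fi
  exit 1
}

#######################################
# EXIT trap: remove the snapshot file.
# Globals:   backup (read)
#######################################
cleanup() {
  if [[ -n "$backup" ]]; then
    rm -f -- "$backup"
  fi
}

#######################################
# Rules that only apply on the host named TheDirector.
# Globals:   public_if, director_public_ports (read)
#######################################
director_rules() {
  printf '%s\n' "Running TheDirector's Specific Rules"
  # SSH from the public interface.
  iptables -A INPUT  -i "$public_if" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o "$public_if" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  printf '%s\n' "Enabling ICMP for The Director"
  # Echo request/reply in both directions, on any interface.
  iptables -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-reply   -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT
  printf '%s\n' "Setting Throttling for public ports"
  # New connections to the public ports are rate-limited; anything over the
  # limit falls through to the DROP policy.
  iptables -A INPUT -i "$public_if" -p tcp -m multiport --dports "$director_public_ports" \
    -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  # NOTE(review): common_rules later inserts (-I) an unthrottled
  # ESTABLISHED,RELATED accept at the head of INPUT for this interface, so the
  # throttled rule below is never reached. Kept for parity with the original;
  # decide whether the throttle is wanted and drop one of the two.
  iptables -A INPUT -i "$public_if" -m state --state RELATED,ESTABLISHED \
    -m limit --limit 50/second --limit-burst 50 -j ACCEPT
}

#######################################
# Rules that only apply on the host named eu (data droplet).
# Currently only logs; the RabbitMQ rules are intentionally disabled.
#######################################
eu_rules() {
  printf '%s\n' "Running EU Specific Firewall Rules"
  # Also only allow inbound traffic for RabbitMQ http://178.62.50.217:15672/
  #iptables -A INPUT -i eth0 -p tcp -d 178.62.50.217 --dport 15672 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  #iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
  #iptables -A INPUT -i eth0 -p tcp -d 178.62.50.217 --dport 15672 -j ACCEPT
  #iptables -A OUTPUT -p tcp --sport 15672 -o eth0 -m state --state ESTABLISHED -j ACCEPT
}

#######################################
# Rules shared by every host.
# Arguments: $1 - comma-separated private address list (iptables expands a
#                 comma-separated -s/-d list into one rule per address)
# Globals:   public_if, private_if, internal_*_ports (read)
#######################################
common_rules() {
  local private_range=$1

  # Ping on the private interface.
  iptables -A INPUT  -i "$private_if" -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT  -i "$private_if" -p icmp --icmp-type echo-reply   -j ACCEPT
  iptables -A OUTPUT -o "$private_if" -p icmp --icmp-type echo-reply   -j ACCEPT
  iptables -A OUTPUT -o "$private_if" -p icmp --icmp-type echo-request -j ACCEPT

  # Public traffic: all outbound on eth0, inbound only for known connections.
  # These are inserted (-I) so they sit ahead of every host-specific rule.
  iptables -I OUTPUT -o "$public_if"  -d 0.0.0.0/0 -j ACCEPT
  iptables -I INPUT  -i "$public_if"  -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -I OUTPUT -o "$private_if" -d "$private_range" -j ACCEPT
  iptables -I INPUT  -i "$private_if" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow other TCP traffic from the private addresses.
  # NOTE(review): this rule is not bound to the private interface, so any
  # packet claiming a private-range source is accepted on eth0 as well, and it
  # fully shadows the per-port TCP rule further down. Adding `-i "$private_if"`
  # here would close that gap; left unchanged to preserve current behaviour.
  iptables -A INPUT -p tcp -s "$private_range" -j ACCEPT

  # Loopback.
  iptables -A INPUT  -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Internal services, private interface only.
  iptables -A INPUT  -i "$private_if" -p tcp -s "$private_range" -m multiport --dports "$internal_tcp_ports" -j ACCEPT
  iptables -A OUTPUT -o "$private_if" -p tcp -d "$private_range" -m multiport --sports "$internal_tcp_ports" \
    -m state --state ESTABLISHED -j ACCEPT
  iptables -A INPUT  -i "$private_if" -p udp -s "$private_range" -m multiport --dports "$internal_udp_ports" -j ACCEPT
  iptables -A OUTPUT -o "$private_if" -p udp -d "$private_range" -m multiport --sports "$internal_udp_ports" \
    -m state --state ESTABLISHED -j ACCEPT
}

main() {
  # Preconditions, checked before anything is flushed.
  (( EUID == 0 )) || die "must run as root"
  command -v iptables >/dev/null || die "iptables not found"
  command -v iptables-save >/dev/null || die "iptables-save not found"
  [[ -d "${rules_file%/*}" ]] || die "${rules_file%/*} does not exist; cannot persist rules"

  # hostlist.sh is looked up next to this script rather than in the cwd, so the
  # script behaves the same no matter where it is invoked from.
  local script_dir
  script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) || die "cannot resolve script directory"
  [[ -r "$script_dir/hostlist.sh" ]] || die "hostlist.sh not found in $script_dir"
  # shellcheck source=/dev/null
  source "$script_dir/hostlist.sh"
  (( ${#ips[@]} > 0 )) || die "hostlist.sh must define a non-empty ips array"

  local host private_range
  host=$(hostname) || die "hostname failed"
  private_range=$(join_by_comma "${ips[@]}")

  # Snapshot the live rules so a failure mid-way can be rolled back.
  backup=$(mktemp) || die "mktemp failed"
  trap cleanup EXIT
  iptables-save > "$backup" || die "could not save the current rule set"
  trap restore_rules ERR

  # Open up and start from an empty filter table.
  iptables -P INPUT   ACCEPT
  iptables -P OUTPUT  ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -F

  printf '%s\n' "Running Firewall Rules for ${host}"
  case "$host" in
    TheDirector) director_rules ;;
    eu)          eu_rules ;;
  esac
  common_rules "$private_range"

  # Default deny everything not matched above.
  iptables -P INPUT   DROP
  iptables -P OUTPUT  DROP
  iptables -P FORWARD DROP

  # Rules loaded successfully; persist them.
  trap - ERR
  iptables-save > "$rules_file" || die "could not write $rules_file"
}

main "$@"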
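#!/usr/bin/env bash
# Firewall setup: rebuild the iptables filter table for this host.
#
# Inputs:   hostlist.sh (next to this script) must define the array `ips`,
#           the private-network (eth1) addresses of the cluster hosts.
# Effects:  flushes the filter table, installs the rule set below, sets the
#           default policies to DROP and persists the result to
#           /etc/iptables/rules.v4. Must run as root.
# Safety:   the live rule set is saved before the flush and restored if any
#           iptables command fails, so a partial run never leaves the host
#           wide open (ACCEPT + flushed) or locked out (DROP + missing
#           rules); a failed run is never persisted.
set -Eeuo pipefail

readonly rules_file=/etc/iptables/rules.v4
readonly public_if=eth0
readonly private_if=eth1
# Internal services: SSH, HTTP, Redis, MySQL, portmapper, NFS, RabbitMQ,
# Graphite, Elasticsearch (TCP) / portmapper, NFS, StatsD, Graphite (UDP).
readonly internal_tcp_ports=22,80,6379,3306,111,2049,32764:32769,5672,2003,9200:9400
readonly internal_udp_ports=111,2049,32764:32769,8125,2003
# Public services exposed by TheDirector: HTTP, HTTPS, RabbitMQ mgmt, Mumble.
readonly director_public_ports=80,443,15672,64738

# Path of the pre-run iptables-save snapshot; set in main, used by the traps.
backup=

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

#######################################
# Join all arguments with commas (iptables -s/-d list syntax).
# Arguments: addresses
# Outputs:   "a,b,c" on stdout, no trailing newline
#######################################
join_by_comma() {
  local IFS=,
  printf '%s' "$*"
}

#######################################
# ERR trap: put the previous rule set back and abort.
# Globals:   backup (read)
#######################################
restore_rules() {
  printf 'firewall: rule load failed, restoring previous rules\n' >&2
  if [[ -n "$backup" && -s "$backup" ]]; then
    iptables-restore < "$backup" || printf 'firewall: restore failed as well\n' >&2
  fi
  exit 1
}

#######################################
# EXIT trap: remove the snapshot file.
# Globals:   backup (read)
#######################################
cleanup() {
  if [[ -n "$backup" ]]; then
    rm -f -- "$backup"
  fi
}

#######################################
# Rules that only apply on the host named TheDirector.
# Globals:   public_if, director_public_ports (read)
#######################################
director_rules() {
  printf '%s\n' "Running TheDirector's Specific Rules"
  # SSH from the public interface.
  iptables -A INPUT  -i "$public_if" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o "$public_if" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  printf '%s\n' "Enabling ICMP for The Director"
  # Echo request/reply in both directions, on any interface.
  iptables -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-reply   -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT
  printf '%s\n' "Setting Throttling for public ports"
  # New connections to the public ports are rate-limited; anything over the
  # limit falls through to the DROP policy.
  iptables -A INPUT -i "$public_if" -p tcp -m multiport --dports "$director_public_ports" \
    -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  # NOTE(review): common_rules later inserts (-I) an unthrottled
  # ESTABLISHED,RELATED accept at the head of INPUT for this interface, so the
  # throttled rule below is never reached. Kept for parity with the original;
  # decide whether the throttle is wanted and drop one of the two.
  iptables -A INPUT -i "$public_if" -m state --state RELATED,ESTABLISHED \
    -m limit --limit 50/second --limit-burst 50 -j ACCEPT
}

#######################################
# Rules that only apply on the host named eu (data droplet).
# Currently only logs; the RabbitMQ rules are intentionally disabled.
#######################################
eu_rules() {
  printf '%s\n' "Running EU Specific Firewall Rules"
  # Also only allow inbound traffic for RabbitMQ http://178.62.50.217:15672/
  #iptables -A INPUT -i eth0 -p tcp -d 178.62.50.217 --dport 15672 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  #iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
  #iptables -A INPUT -i eth0 -p tcp -d 178.62.50.217 --dport 15672 -j ACCEPT
  #iptables -A OUTPUT -p tcp --sport 15672 -o eth0 -m state --state ESTABLISHED -j ACCEPT
}

#######################################
# Rules shared by every host.
# Arguments: $1 - comma-separated private address list (iptables expands a
#                 comma-separated -s/-d list into one rule per address)
# Globals:   public_if, private_if, internal_*_ports (read)
#######################################
common_rules() {
  local private_range=$1

  # Ping on the private interface.
  iptables -A INPUT  -i "$private_if" -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT  -i "$private_if" -p icmp --icmp-type echo-reply   -j ACCEPT
  iptables -A OUTPUT -o "$private_if" -p icmp --icmp-type echo-reply   -j ACCEPT
  iptables -A OUTPUT -o "$private_if" -p icmp --icmp-type echo-request -j ACCEPT

  # Public traffic: all outbound on eth0, inbound only for known connections.
  # These are inserted (-I) so they sit ahead of every host-specific rule.
  iptables -I OUTPUT -o "$public_if"  -d 0.0.0.0/0 -j ACCEPT
  iptables -I INPUT  -i "$public_if"  -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -I OUTPUT -o "$private_if" -d "$private_range" -j ACCEPT
  iptables -I INPUT  -i "$private_if" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow other TCP traffic from the private addresses.
  # NOTE(review): this rule is not bound to the private interface, so any
  # packet claiming a private-range source is accepted on eth0 as well, and it
  # fully shadows the per-port TCP rule further down. Adding `-i "$private_if"`
  # here would close that gap; left unchanged to preserve current behaviour.
  iptables -A INPUT -p tcp -s "$private_range" -j ACCEPT

  # Loopback.
  iptables -A INPUT  -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Internal services, private interface only.
  iptables -A INPUT  -i "$private_if" -p tcp -s "$private_range" -m multiport --dports "$internal_tcp_ports" -j ACCEPT
  iptables -A OUTPUT -o "$private_if" -p tcp -d "$private_range" -m multiport --sports "$internal_tcp_ports" \
    -m state --state ESTABLISHED -j ACCEPT
  iptables -A INPUT  -i "$private_if" -p udp -s "$private_range" -m multiport --dports "$internal_udp_ports" -j ACCEPT
  iptables -A OUTPUT -o "$private_if" -p udp -d "$private_range" -m multiport --sports "$internal_udp_ports" \
    -m state --state ESTABLISHED -j ACCEPT
}

main() {
  # Preconditions, checked before anything is flushed.
  (( EUID == 0 )) || die "must run as root"
  command -v iptables >/dev/null || die "iptables not found"
  command -v iptables-save >/dev/null || die "iptables-save not found"
  [[ -d "${rules_file%/*}" ]] || die "${rules_file%/*} does not exist; cannot persist rules"

  # hostlist.sh is looked up next to this script rather than in the cwd, so the
  # script behaves the same no matter where it is invoked from.
  local script_dir
  script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) || die "cannot resolve script directory"
  [[ -r "$script_dir/hostlist.sh" ]] || die "hostlist.sh not found in $script_dir"
  # shellcheck source=/dev/null
  source "$script_dir/hostlist.sh"
  (( ${#ips[@]} > 0 )) || die "hostlist.sh must define a non-empty ips array"

  local host private_range
  host=$(hostname) || die "hostname failed"
  private_range=$(join_by_comma "${ips[@]}")

  # Snapshot the live rules so a failure mid-way can be rolled back.
  backup=$(mktemp) || die "mktemp failed"
  trap cleanup EXIT
  iptables-save > "$backup" || die "could not save the current rule set"
  trap restore_rules ERR

  # Open up and start from an empty filter table.
  iptables -P INPUT   ACCEPT
  iptables -P OUTPUT  ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -F

  printf '%s\n' "Running Firewall Rules for ${host}"
  case "$host" in
    TheDirector) director_rules ;;
    eu)          eu_rules ;;
  esac
  common_rules "$private_range"

  # Default deny everything not matched above.
  iptables -P INPUT   DROP
  iptables -P OUTPUT  DROP
  iptables -P FORWARD DROP

  # Rules loaded successfully; persist them.
  trap - ERR
  iptables-save > "$rules_file" || die "could not write $rules_file"
}

main "$@"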