Firewall Setup Script
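#!/bin/bash
# Firewall setup script.
#
# Builds a host-specific iptables ruleset from the private address list in
# hostlist.sh (which must define an `ips` array), applies it, and persists
# the result to /etc/iptables/rules.v4.
#
# Interface layout assumed throughout: eth0 is the public interface, eth1
# carries the private network whose addresses are listed in `ips`.
set -euo pipefail

# If anything fails after the flush below, say so loudly: at that point the
# chains are empty and the policies are ACCEPT, i.e. the host is wide open.
trap 'printf "firewall script aborted at line %s; chains may be flushed with ACCEPT policies\n" "$LINENO" >&2' ERR

# Load hostlist.sh from the directory this script lives in, not from the
# caller's cwd, so a cron/remote invocation cannot pick up a different or
# missing host list.
script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# shellcheck source=hostlist.sh
source "${script_dir}/hostlist.sh"

# Refuse to run with an empty private range: the -s/-d rules below would
# fail part-way through and leave the ruleset in the flushed, ACCEPT state.
if [[ -z "${ips[*]:-}" ]]; then
  printf 'hostlist.sh must define a non-empty ips array\n' >&2
  exit 1
fi

hostname=$(hostname)
# Comma-separated address list for iptables -s/-d (one rule per address).
private_range=$(IFS=,; printf '%s' "${ips[*]}")

# Open everything and flush. From here until the DROP policies at the bottom
# all traffic is accepted; iptables-restore would make the swap atomic if
# that window matters.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

printf 'Running Firewall Rules for %s\n' "$hostname"

# Rules Specific to Director
if [[ "$hostname" == "TheDirector" ]]; then
  printf "Running TheDirector's Specific Rules\n"
  # Public SSH on eth0.
  iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

  printf 'Enabling ICMP for The Director\n'
  # Not bound to an interface, so these match on eth0 and eth1 alike.
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

  printf 'Setting Throttling for public ports\n'
  # New connections to the public services are rate-limited.
  iptables -A INPUT -i eth0 -p tcp --match multiport --dport 80,443,15672,64738 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  # NOTE: this limited rule is shadowed. The unconditional ESTABLISHED,RELATED
  # accept inserted at the head of INPUT further down (via -I) matches first,
  # so this limit never takes effect. Kept for parity with the original.
  iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
fi

# Rules Specifically for (EU) - Data droplet
if [[ "$hostname" == "eu" ]]; then
  printf 'Running EU Specific Firewall Rules\n'
  # Also only allow inbound traffic for RabbitMQ http://178.62.50.217:15672/
  #iptables -A INPUT -i eth0 -p tcp -d 178.62.50.217 --dport 15672 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  #iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
  #iptables -A INPUT -i eth0 -p tcp -d 178.62.50.217 --dport 15672 -j ACCEPT
  #iptables -A OUTPUT -p tcp --sport 15672 -o eth0 -m state --state ESTABLISHED -j ACCEPT
fi

# Enable Ping on private ip
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -o eth1 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -o eth1 -p icmp --icmp-type echo-request -j ACCEPT

# Public traffic. Inserted at the head of the chains (-I), so these match
# before anything appended above. Outbound on eth0 is unrestricted.
iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -o eth1 -d "$private_range" -j ACCEPT
iptables -I INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# ALLOW other TCP traffic from the private addresses. Bound to eth1 so a
# packet arriving on the public interface with a spoofed private source
# address does not match this rule (the original matched on any interface).
iptables -A INPUT -i eth1 -p tcp -s "$private_range" -j ACCEPT

# lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# INTERNAL ports SSH, Redis, MySQL, NFS and PORT Mapper, Redis, StatsD, Elastic Search
# TCP
iptables -A INPUT -p tcp -s "$private_range" --match multiport --dport 22,80,6379,3306,111,2049,32764:32769,5672,2003,9200:9400 -i eth1 -j ACCEPT
iptables -A OUTPUT -p tcp -d "$private_range" --match multiport --sport 22,80,6379,3306,111,2049,32764:32769,5672,2003,9200:9400 -o eth1 -m state --state ESTABLISHED -j ACCEPT
# UDP
iptables -A INPUT -p udp -s "$private_range" --match multiport --dport 111,2049,32764:32769,8125,2003 -i eth1 -j ACCEPT
iptables -A OUTPUT -p udp -d "$private_range" --match multiport --sport 111,2049,32764:32769,8125,2003 -o eth1 -m state --state ESTABLISHED -j ACCEPT

# DROP other traffic
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Persist it
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4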
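#!/bin/bash
# Firewall setup script.
#
# Builds a host-specific iptables ruleset from the private address list in
# hostlist.sh (which must define an `ips` array), applies it, and persists
# the result to /etc/iptables/rules.v4.
#
# Interface layout assumed throughout: eth0 is the public interface, eth1
# carries the private network whose addresses are listed in `ips`.
set -euo pipefail

# If anything fails after the flush below, say so loudly: at that point the
# chains are empty and the policies are ACCEPT, i.e. the host is wide open.
trap 'printf "firewall script aborted at line %s; chains may be flushed with ACCEPT policies\n" "$LINENO" >&2' ERR

# Load hostlist.sh from the directory this script lives in, not from the
# caller's cwd, so a cron/remote invocation cannot pick up a different or
# missing host list.
script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# shellcheck source=hostlist.sh
source "${script_dir}/hostlist.sh"

# Refuse to run with an empty private range: the -s/-d rules below would
# fail part-way through and leave the ruleset in the flushed, ACCEPT state.
if [[ -z "${ips[*]:-}" ]]; then
  printf 'hostlist.sh must define a non-empty ips array\n' >&2
  exit 1
fi

hostname=$(hostname)
# Comma-separated address list for iptables -s/-d (one rule per address).
private_range=$(IFS=,; printf '%s' "${ips[*]}")

# Open everything and flush. From here until the DROP policies at the bottom
# all traffic is accepted; iptables-restore would make the swap atomic if
# that window matters.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

printf 'Running Firewall Rules for %s\n' "$hostname"

# Rules Specific to Director
if [[ "$hostname" == "TheDirector" ]]; then
  printf "Running TheDirector's Specific Rules\n"
  # Public SSH on eth0.
  iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

  printf 'Enabling ICMP for The Director\n'
  # Not bound to an interface, so these match on eth0 and eth1 alike.
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

  printf 'Setting Throttling for public ports\n'
  # New connections to the public services are rate-limited.
  iptables -A INPUT -i eth0 -p tcp --match multiport --dport 80,443,15672,64738 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  # NOTE: this limited rule is shadowed. The unconditional ESTABLISHED,RELATED
  # accept inserted at the head of INPUT further down (via -I) matches first,
  # so this limit never takes effect. Kept for parity with the original.
  iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
fi

# Rules Specifically for (EU) - Data droplet
if [[ "$hostname" == "eu" ]]; then
  printf 'Running EU Specific Firewall Rules\n'
  # Also only allow inbound traffic for RabbitMQ http://178.62.50.217:15672/
  #iptables -A INPUT -i eth0 -p tcp -d 178.62.50.217 --dport 15672 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  #iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
  #iptables -A INPUT -i eth0 -p tcp -d 178.62.50.217 --dport 15672 -j ACCEPT
  #iptables -A OUTPUT -p tcp --sport 15672 -o eth0 -m state --state ESTABLISHED -j ACCEPT
fi

# Enable Ping on private ip
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -o eth1 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -o eth1 -p icmp --icmp-type echo-request -j ACCEPT

# Public traffic. Inserted at the head of the chains (-I), so these match
# before anything appended above. Outbound on eth0 is unrestricted.
iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -o eth1 -d "$private_range" -j ACCEPT
iptables -I INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# ALLOW other TCP traffic from the private addresses. Bound to eth1 so a
# packet arriving on the public interface with a spoofed private source
# address does not match this rule (the original matched on any interface).
iptables -A INPUT -i eth1 -p tcp -s "$private_range" -j ACCEPT

# lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# INTERNAL ports SSH, Redis, MySQL, NFS and PORT Mapper, Redis, StatsD, Elastic Search
# TCP
iptables -A INPUT -p tcp -s "$private_range" --match multiport --dport 22,80,6379,3306,111,2049,32764:32769,5672,2003,9200:9400 -i eth1 -j ACCEPT
iptables -A OUTPUT -p tcp -d "$private_range" --match multiport --sport 22,80,6379,3306,111,2049,32764:32769,5672,2003,9200:9400 -o eth1 -m state --state ESTABLISHED -j ACCEPT
# UDP
iptables -A INPUT -p udp -s "$private_range" --match multiport --dport 111,2049,32764:32769,8125,2003 -i eth1 -j ACCEPT
iptables -A OUTPUT -p udp -d "$private_range" --match multiport --sport 111,2049,32764:32769,8125,2003 -o eth1 -m state --state ESTABLISHED -j ACCEPT

# DROP other traffic
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Persist it
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4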