Instantly share code, notes, and snippets.

@alexh-name /basic_tables.sh
Last active Nov 8, 2016

Embed
What would you like to do?
Download ZIP
Allowing netqmail + dovecot + roundcube for mail server.
Raw
basic_tables.sh
#!/bin/sh
set -eu
function rules() {
$IPT -F
$IPT -X
$IPT -Z
if [[ $IPT == "iptables" ]]; then
$IPT -F -t nat
$IPT -X -t nat
$IPT -Z -t nat
fi
echo "# reset"
#------------------------------
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
echo "# basic rules"
#------------------------------
### filter
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
if [[ $IPT == "iptables" ]]; then
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
fi
$IPT -N TCP
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
$IPT -N UDP
$IPT -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
$IPT -A INPUT -p tcp -j LOG -m limit --limit 5/s --log-prefix "TCP-DROP: "
$IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p udp -j LOG -m limit --limit 5/s --log-prefix "UDP-DROP: "
if [[ $IPT == "iptables" ]]; then
$IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
else
$IPT -A INPUT -p udp -j REJECT
fi
$IPT -A INPUT -j LOG -m limit --limit 5/s --log-prefix "INPUT-DROP: "
if [[ $IPT == "iptables" ]]; then
$IPT -A INPUT -j REJECT --reject-with icmp-proto-unreachable
else
$IPT -A INPUT -j REJECT
fi
echo "# first round of INPUT"
#------------------------------
#$IPT -A TCP -p tcp -m tcp --dport 465 -j LOG --log-prefix "SMTPS blocked: " --log-uid
#$IPT -A TCP -p tcp -m tcp --dport 465 -j REJECT
$IPT -A TCP -p tcp -m tcp --dport 993 -j LOG --log-prefix "IMAPS blocked: " --log-uid
$IPT -A TCP -p tcp -m tcp --dport 993 -j REJECT
$IPT -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
$IPT -A TCP -p tcp -m tcp --dport 25 -j ACCEPT
$IPT -A TCP -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A TCP -p tcp -m tcp --dport 143 -j ACCEPT
$IPT -A TCP -p tcp -m tcp --dport 443 -j ACCEPT
$IPT -A TCP -p tcp -m tcp --dport 587 -j ACCEPT
$IPT -A TCP -p tcp -m tcp --dport 465 -j ACCEPT
$IPT -A TCP -p tcp -m tcp --dport 110 -j ACCEPT
$IPT -A TCP -p tcp -m tcp --dport 995 -j ACCEPT
$IPT -A TCP -i lo -p tcp -m tcp --dport 53 -j ACCEPT
$IPT -A TCP -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
$IPT -A TCP -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with tcp-reset
echo "# TCP INPUT"
#------------------------------
$IPT -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "ctstate leak blocked: " --log-uid
$IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "state leak blocked: " --log-uid
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -d localhost -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -d localhost -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -m owner --uid-owner Gdnscache -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m owner --uid-owner Gdnscache -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -m owner ! --uid-owner Gdnscache -j LOG --log-prefix "DNS blocked: " --log-uid
$IPT -A OUTPUT -p tcp --dport 53 -m owner ! --uid-owner Gdnscache -j DROP
$IPT -A OUTPUT -p udp --dport 53 -m owner ! --uid-owner Gdnscache -j LOG --log-prefix "DNS blocked: " --log-uid
$IPT -A OUTPUT -p udp --dport 53 -m owner ! --uid-owner Gdnscache -j DROP
echo "# OUTPUT"
#------------------------------
}
function no_v6 {
$IPT -F
$IPT -X
$IPT -Z
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
echo "# blocked v6 except lo INPUT and OUTPUT"
}
IPT=iptables
echo '
### v4 ###
'
rules
IPT=ip6tables
echo '
### v6 ###
'
#rules
no_v6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment