Firewall rules allowing netqmail + dovecot + roundcube through to a mail server.
#!/bin/sh
# Abort on the first failing command and on any unset variable: a firewall
# that is only half rebuilt is worse than one that was never touched.
set -o errexit
set -o nounset
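#######################################
# Rebuild the full rule set for the address family selected by $IPT.
# The original used 'function' and '[[ ]]' under #!/bin/sh, which a POSIX
# sh (dash) cannot parse; this version sticks to POSIX syntax.
# Globals:   IPT (read) - firewall command to run, "iptables" or
#            "ip6tables". The nat-table flush, the ICMP echo rule and the
#            ICMP-typed rejects are applied only for "iptables".
# Arguments: none
# Outputs:   one "# <section>" marker line per completed section on stdout
# Returns:   0 on success; under 'set -e' the script aborts on the first
#            failing firewall command, leaving the tables partly rebuilt.
# NOTE(review): if anything else may hold the xtables lock while this
#            runs, consider passing -w on each call — verify the installed
#            iptables supports it.
#######################################
rules() {
  # Flush rules, delete user chains and zero counters. Only the IPv4 side
  # touches the nat table.
  "$IPT" -F
  "$IPT" -X
  "$IPT" -Z
  if [ "$IPT" = iptables ]; then
    "$IPT" -F -t nat
    "$IPT" -X -t nat
    "$IPT" -Z -t nat
  fi
  echo "# reset"
  #------------------------------
  # Default-deny inbound and forwarded traffic; outbound is open except
  # for the explicit OUTPUT rules at the end.
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
  echo "# basic rules"
  #------------------------------
  ### filter
  # Established flows and loopback first, then discard invalid state.
  "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Echo request (ping) is accepted for IPv4 only; no ICMPv6 rule exists.
  if [ "$IPT" = iptables ]; then
    "$IPT" -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  fi
  # New TCP connections (pure SYN) are dispatched to the TCP chain, new
  # UDP to the UDP chain. The UDP chain gets no rules in this script, so
  # every new UDP packet returns here and is logged and rejected below.
  "$IPT" -N TCP
  "$IPT" -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
  "$IPT" -N UDP
  "$IPT" -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  # Rate-limited logging, then reject whatever was not accepted above.
  "$IPT" -A INPUT -p tcp -j LOG -m limit --limit 5/s --log-prefix "TCP-DROP: "
  "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  "$IPT" -A INPUT -p udp -j LOG -m limit --limit 5/s --log-prefix "UDP-DROP: "
  if [ "$IPT" = iptables ]; then
    "$IPT" -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  else
    "$IPT" -A INPUT -p udp -j REJECT
  fi
  "$IPT" -A INPUT -j LOG -m limit --limit 5/s --log-prefix "INPUT-DROP: "
  if [ "$IPT" = iptables ]; then
    "$IPT" -A INPUT -j REJECT --reject-with icmp-proto-unreachable
  else
    "$IPT" -A INPUT -j REJECT
  fi
  echo "# first round of INPUT"
  #------------------------------
  # TCP chain: services reachable from outside. IMAPS (993) is explicitly
  # logged and rejected; the equivalent SMTPS (465) block stays disabled
  # and 465 is accepted further down.
  #"$IPT" -A TCP -p tcp -m tcp --dport 465 -j LOG --log-prefix "SMTPS blocked: " --log-uid
  #"$IPT" -A TCP -p tcp -m tcp --dport 465 -j REJECT
  "$IPT" -A TCP -p tcp -m tcp --dport 993 -j LOG --log-prefix "IMAPS blocked: " --log-uid
  "$IPT" -A TCP -p tcp -m tcp --dport 993 -j REJECT
  "$IPT" -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
  "$IPT" -A TCP -p tcp -m tcp --dport 25 -j ACCEPT
  "$IPT" -A TCP -p tcp -m tcp --dport 80 -j ACCEPT
  "$IPT" -A TCP -p tcp -m tcp --dport 143 -j ACCEPT
  "$IPT" -A TCP -p tcp -m tcp --dport 443 -j ACCEPT
  "$IPT" -A TCP -p tcp -m tcp --dport 587 -j ACCEPT
  "$IPT" -A TCP -p tcp -m tcp --dport 465 -j ACCEPT
  "$IPT" -A TCP -p tcp -m tcp --dport 110 -j ACCEPT
  "$IPT" -A TCP -p tcp -m tcp --dport 995 -j ACCEPT
  # Loopback traffic was already accepted by the '-i lo' INPUT rule before
  # the jump into this chain, so these two rules are not expected to match.
  "$IPT" -A TCP -i lo -p tcp -m tcp --dport 53 -j ACCEPT
  "$IPT" -A TCP -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
  # Remaining privileged ports get an immediate reset; ports above 1023
  # fall back to INPUT, where they are logged as "TCP-DROP" and reset.
  "$IPT" -A TCP -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with tcp-reset
  echo "# TCP INPUT"
  #------------------------------
  # OUTPUT: log and drop invalid state (the '-m state' pair appears to
  # repeat the conntrack pair), then confine DNS egress to the local
  # resolver and to the Gdnscache user; any other process talking to
  # port 53 is logged with its uid and dropped.
  "$IPT" -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "ctstate leak blocked: " --log-uid
  "$IPT" -A OUTPUT -m conntrack --ctstate INVALID -j DROP
  "$IPT" -A OUTPUT -m state --state INVALID -j LOG --log-prefix "state leak blocked: " --log-uid
  "$IPT" -A OUTPUT -m state --state INVALID -j DROP
  "$IPT" -A OUTPUT -d localhost -p tcp --dport 53 -j ACCEPT
  "$IPT" -A OUTPUT -d localhost -p udp --dport 53 -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --dport 53 -m owner --uid-owner Gdnscache -j ACCEPT
  "$IPT" -A OUTPUT -p udp --dport 53 -m owner --uid-owner Gdnscache -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --dport 53 -m owner ! --uid-owner Gdnscache -j LOG --log-prefix "DNS blocked: " --log-uid
  "$IPT" -A OUTPUT -p tcp --dport 53 -m owner ! --uid-owner Gdnscache -j DROP
  "$IPT" -A OUTPUT -p udp --dport 53 -m owner ! --uid-owner Gdnscache -j LOG --log-prefix "DNS blocked: " --log-uid
  "$IPT" -A OUTPUT -p udp --dport 53 -m owner ! --uid-owner Gdnscache -j DROP
  echo "# OUTPUT"
  #------------------------------
}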
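#######################################
# Minimal rule set for the family selected by $IPT: flush everything,
# default-deny INPUT and FORWARD, accept OUTPUT, and allow inbound
# loopback only. No RELATED,ESTABLISHED or ICMPv6 rule is installed, so
# replies to connections this host opens over that family are dropped by
# the INPUT policy too. The original 'function name {' form is not POSIX
# sh; this version uses the portable definition syntax.
# Globals:   IPT (read) - firewall command to run
# Arguments: none
# Outputs:   a single "# ..." marker line on stdout
# Returns:   0 on success (the script aborts under 'set -e' on failure)
#######################################
no_v6() {
  "$IPT" -F
  "$IPT" -X
  "$IPT" -Z
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
  # Only loopback is accepted inbound; everything else hits the DROP policy.
  "$IPT" -A INPUT -i lo -j ACCEPT
  echo "# blocked v6 except lo INPUT and OUTPUT"
}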
#######################################
# Print the family banner, point $IPT at the right binary and run the
# given rule function.
# Globals:   IPT (written) - read by the rule functions
# Arguments: $1 - family label for the banner (v4 or v6)
#            $2 - firewall command for that family
#            $3 - rule function to run
#######################################
apply_family() {
  IPT=$2
  printf '\n### %s ###\n\n' "$1"
  "$3"
}

apply_family v4 iptables rules
# The full rule set is deliberately not applied to v6 (a 'rules' call here
# is disabled); only loopback traffic is allowed on that family.
apply_family v6 ip6tables no_v6