Allowing netqmail + dovecot + roundcube for mail server.
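#!/usr/bin/env bash
# Host firewall for a mail server (netqmail + dovecot + roundcube): installs the
# IPv4 ruleset through iptables and a loopback-only lockdown through ip6tables.
# Runs with the privileges iptables requires (root).
#
# Requires bash: the script uses [[ ]] and the "function" keyword, which a
# POSIX /bin/sh (dash) rejects with a syntax error before any rule is applied.
set -eu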
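# True when $IPT drives the IPv4 stack.  Compares the exact string, so a full
# path such as /sbin/iptables would take the ip6tables branches below.
_rules_is_v4() {
  [[ "$IPT" == "iptables" ]]
}

# Flush all chains, delete user-defined chains and zero counters; the nat table
# is only touched on IPv4.
_rules_reset() {
  "$IPT" -F
  "$IPT" -X
  "$IPT" -Z
  if _rules_is_v4; then
    "$IPT" -F -t nat
    "$IPT" -X -t nat
    "$IPT" -Z -t nat
  fi
}

# Default-deny inbound and forwarded traffic; outbound is default-allow and
# narrowed by _rules_output.
_rules_policies() {
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
}

# Base INPUT chain: stateful accept, loopback, echo-request on v4, then hand
# new TCP SYNs to chain TCP and new UDP to chain UDP; everything else is
# rate-limited-logged and rejected.
_rules_input() {
  "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Only IPv4 ping is allowed; on ip6tables nothing ICMP is accepted here, so
  # neighbour discovery would fall to the DROP policy.
  if _rules_is_v4; then
    "$IPT" -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  fi
  # Only pure SYN packets reach chain TCP; other NEW TCP packets fall through
  # to the logged tcp-reset below.
  "$IPT" -N TCP
  "$IPT" -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
  # Chain UDP is created but never populated, so every new UDP flow returns
  # here and is logged and rejected.
  "$IPT" -N UDP
  "$IPT" -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  "$IPT" -A INPUT -p tcp -j LOG -m limit --limit 5/s --log-prefix "TCP-DROP: "
  "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  "$IPT" -A INPUT -p udp -j LOG -m limit --limit 5/s --log-prefix "UDP-DROP: "
  # ip6tables has no icmp-port-unreachable / icmp-proto-unreachable; let it
  # pick its own default reject type.
  if _rules_is_v4; then
    "$IPT" -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  else
    "$IPT" -A INPUT -p udp -j REJECT
  fi
  "$IPT" -A INPUT -j LOG -m limit --limit 5/s --log-prefix "INPUT-DROP: "
  if _rules_is_v4; then
    "$IPT" -A INPUT -j REJECT --reject-with icmp-proto-unreachable
  else
    "$IPT" -A INPUT -j REJECT
  fi
}

# Chain TCP: the published services.  Anything not listed in 0:1023 is reset
# silently; higher ports return to INPUT and get the logged tcp-reset there.
_rules_input_tcp() {
  local port
  # IMAPS is refused and logged explicitly; IMAP is served on 143 instead.
  "$IPT" -A TCP -p tcp -m tcp --dport 993 -j LOG --log-prefix "IMAPS blocked: " --log-uid
  "$IPT" -A TCP -p tcp -m tcp --dport 993 -j REJECT
  # ssh, smtp, http, imap, https, submission, smtps, pop3, pop3s
  for port in 22 25 80 143 443 587 465 110 995; do
    "$IPT" -A TCP -p tcp -m tcp --dport "$port" -j ACCEPT
  done
  # These two never match: INPUT accepts everything on lo before it jumps to
  # chain TCP.  Kept so the listed ruleset is unchanged.
  "$IPT" -A TCP -i lo -p tcp -m tcp --dport 53 -j ACCEPT
  "$IPT" -A TCP -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
  "$IPT" -A TCP -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with tcp-reset
}

# OUTPUT chain: drop INVALID, and pin outbound DNS to the local resolver user
# Gdnscache so no other process can reach port 53 directly.
_rules_output() {
  local proto
  "$IPT" -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "ctstate leak blocked: " --log-uid
  "$IPT" -A OUTPUT -m conntrack --ctstate INVALID -j DROP
  # -m state is the legacy alias of -m conntrack, so this pair can only see
  # packets the pair above already dropped; kept for parity with the ruleset.
  "$IPT" -A OUTPUT -m state --state INVALID -j LOG --log-prefix "state leak blocked: " --log-uid
  "$IPT" -A OUTPUT -m state --state INVALID -j DROP
  # "localhost" is resolved by $IPT when the rule is inserted, not per packet;
  # NOTE(review): use the literal loopback address if this is ever applied
  # through ip6tables.
  "$IPT" -A OUTPUT -d localhost -p tcp --dport 53 -j ACCEPT
  "$IPT" -A OUTPUT -d localhost -p udp --dport 53 -j ACCEPT
  for proto in tcp udp; do
    "$IPT" -A OUTPUT -p "$proto" --dport 53 -m owner --uid-owner Gdnscache -j ACCEPT
  done
  for proto in tcp udp; do
    "$IPT" -A OUTPUT -p "$proto" --dport 53 -m owner ! --uid-owner Gdnscache -j LOG --log-prefix "DNS blocked: " --log-uid
    "$IPT" -A OUTPUT -p "$proto" --dport 53 -m owner ! --uid-owner Gdnscache -j DROP
  done
}

#######################################
# Install the full ruleset on the firewall selected by $IPT.
#
# Rules are appended one at a time, not atomically: between the flush and the
# RELATED,ESTABLISHED rule, inbound packets (including the session running
# this script) are subject to whatever INPUT policy was already in place.
# Run it from a console, or load an equivalent ruleset with iptables-restore.
#
# Globals:   IPT (read) - "iptables" or "ip6tables"
# Outputs:   one progress marker per section on stdout
# Returns:   non-zero when an $IPT call fails (the file runs under set -e)
#######################################
rules() {
  _rules_reset
  printf '%s\n' "# reset"
  _rules_policies
  printf '%s\n' "# basic rules"
  _rules_input
  printf '%s\n' "# first round of INPUT"
  _rules_input_tcp
  printf '%s\n' "# TCP INPUT"
  _rules_output
  printf '%s\n' "# OUTPUT"
}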
#######################################
# Lock down the stack behind $IPT (used for ip6tables): drop everything
# inbound except loopback, leave outbound open.  With no RELATED,ESTABLISHED
# rule and no ICMP accepted, replies to outbound traffic and neighbour
# discovery both hit the DROP policy, so IPv6 is effectively unusable rather
# than merely inbound-filtered.
# Globals:   IPT (read) - firewall command to drive
# Outputs:   a progress marker on stdout
# Returns:   non-zero when an $IPT call fails (the file runs under set -e)
#######################################
no_v6() {
  local op chain
  # Clear whatever a previous run left behind.
  for op in -F -X -Z; do
    "$IPT" "$op"
  done
  for chain in INPUT FORWARD; do
    "$IPT" -P "$chain" DROP
  done
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -A INPUT -i lo -j ACCEPT
  printf '%s\n' "# blocked v6 except lo INPUT and OUTPUT"
}
# Apply the full ruleset to IPv4, then only the loopback-only lockdown to
# IPv6.  Both functions read the firewall command from IPT.
IPT=iptables
printf '\n### v4 ###\n\n'
rules
IPT=ip6tables
printf '\n### v6 ###\n\n'
# The full ruleset is deliberately not applied to ip6tables.
#rules
no_v6