iptables rules (IPv4 only) with a default-DROP policy that allow outgoing DNS lookups to the resolvers in /etc/resolv.conf, incoming and outgoing connections on ports 80 and 443, incoming connections on the SSH port, outgoing NTP and SMTP, and everything on localhost; all other traffic is dropped.
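#!/bin/bash
# Host firewall for a small IPv4 server, built on a default-DROP policy.
#
# Allowed traffic, and nothing else:
#   * everything on the loopback interface
#   * return traffic of connections this host already accepted or initiated
#     (conntrack ESTABLISHED/RELATED). This replaces the per-service "reply"
#     rules keyed on the peer's source port: an unconditional
#     'INPUT --sports 80,443 -j ACCEPT' let any remote host reach every local
#     port simply by sending from source port 80 or 443.
#   * outgoing DNS (udp+tcp/53) to the 'nameserver' entries of /etc/resolv.conf
#   * incoming and outgoing HTTP/HTTPS (tcp/80, tcp/443)
#   * incoming SSH (tcp/$SSH_PORT) from any source
#   * outgoing NTP (udp/123) and SMTP (tcp/25)
#
# Must run as root. Re-running it flushes and rebuilds the filter, nat and
# mangle tables, so it can be run repeatedly. Nothing is persisted across
# reboots; use iptables-save or the distribution's persistence mechanism.
#
# Caveats:
#   * IPv4 only: ip6tables is not touched. If the host has IPv6 connectivity
#     every service stays reachable over v6 until an equivalent ip6tables
#     policy is applied (or IPv6 is disabled).
#   * All ICMP is dropped, as in the original rule set; this breaks ping and
#     path-MTU discovery.
#   * SSH is accepted from any address; restrict it with '-s' or add a rate
#     limit if the host is exposed to the internet.
#   * Run it from a console or an out-of-band session: between setting the
#     DROP policy and adding the ESTABLISHED rule an existing SSH session
#     stalls for a moment, and a wrong IPT path would leave the host with a
#     DROP policy and no accept rules at all.
set -u

readonly IPT="/sbin/iptables"
# SSH port (incoming)
readonly SSH_PORT=22

# Resolvers from /etc/resolv.conf. Only 'nameserver' lines are resolvers; the
# previous 'cut -f2' over every non-comment line also picked up the second word
# of 'search', 'domain' and 'options' lines, which iptables would then try to
# resolve as hostnames -- impossible once the default policy is DROP.
# A missing file is reported below as "no resolvers" rather than as an error.
DNS_SERVERS="$(awk '/^[[:space:]]*nameserver[[:space:]]/ { print $2 }' /etc/resolv.conf 2>/dev/null)"

# Number of iptables invocations that failed; drives the exit status.
failures=0

# Run one iptables command. A failure is reported and counted instead of being
# silently skipped, so a typo or a bad address cannot leave a hole unnoticed.
rule() {
  if ! "$IPT" "$@"; then
    printf 'WARNING: rule failed: %s %s\n' "$IPT" "$*" >&2
    failures=$((failures + 1))
  fi
}

if [[ "$(id -u)" -ne 0 ]]; then
  printf 'this script must run as root\n' >&2
  exit 1
fi

echo "flush iptable rules"
# Flushing is best effort: a table that does not exist on this kernel (e.g.
# nat inside some containers) is not a firewall failure.
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X
"$IPT" -t mangle -F
"$IPT" -t mangle -X

echo "Set default policy to 'DROP'"
rule -P INPUT DROP
rule -P FORWARD DROP
rule -P OUTPUT DROP

echo "allow all and everything on localhost"
rule -A INPUT  -i lo -j ACCEPT
rule -A OUTPUT -o lo -j ACCEPT

# Return traffic for every connection accepted below, in either direction.
# Keyed on the connection-tracking state rather than on the peer's source
# port, so a remote host cannot reach arbitrary ports by sending from 53/80/443.
echo "allow established/related traffic"
rule -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Every rule from here on uses numeric addresses and ports only, so nothing
# depends on name resolution while the firewall is being programmed.
if [[ -z "$DNS_SERVERS" ]]; then
  printf 'WARNING: no nameserver entries in /etc/resolv.conf; outgoing DNS stays blocked\n' >&2
fi
# Word splitting on $DNS_SERVERS is intentional: one address per word.
for ip in $DNS_SERVERS; do
  case "$ip" in
    *:*)
      # iptables (v4) rejects an IPv6 address; skip it rather than fail the run.
      printf 'skipping IPv6 resolver %s (IPv4 rules only)\n' "$ip"
      continue
      ;;
  esac
  echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
  rule -A OUTPUT -p udp -d "$ip" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  rule -A OUTPUT -p tcp -d "$ip" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done

#######################################################################################################
## Global iptable rules. Not IP specific
echo "Allowing outgoing and incoming connections to port 80, 443"
rule -A INPUT  -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
rule -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow all ingoing connections to port $SSH_PORT"
rule -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

echo "Allow outgoing connections to port 123 (ntp syncs)"
rule -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow outgoing connections to port 25 (SMTP)"
rule -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT

# Explicit catch-all, same effect as the DROP policy. Note that any rule
# appended to INPUT/OUTPUT after this script has run lands below these two
# and is never reached; insert (-I) instead of append in that case.
rule -A INPUT  -j DROP
rule -A OUTPUT -j DROP

if (( failures > 0 )); then
  printf 'done, but %d rule(s) failed -- review the warnings above\n' "$failures" >&2
  exit 1
fi
echo "done!"
exit 0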