iptables rules to allow outgoing DNS lookups, all connections on ports 80 and 443, incoming connections on the SSH port, outgoing SMTP, and everything on localhost
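#!/bin/bash
#
# Host firewall for a small server (IPv4 only: this script drives
# /sbin/iptables and leaves ip6tables untouched).
#
# Everything is dropped by default; the rules then allow:
#   - DNS lookups (tcp/udp 53) to the nameservers listed in /etc/resolv.conf
#   - all traffic on the loopback interface
#   - HTTP/HTTPS (tcp 80, 443), incoming and outgoing
#   - incoming SSH on $SSH_PORT
#   - outgoing NTP (udp 123) and SMTP (tcp 25)
#
# Usage: run as root. Re-running flushes and rebuilds the ruleset; the DROP
# policies are installed before any ACCEPT rule, so the host is never left
# open while the script is in progress.

set -u

readonly IPT="/sbin/iptables"
# SSH Port
readonly SSH_PORT=22

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Flush and delete all rules and user chains in the filter, nat and
# mangle tables.
# Globals: IPT (read)
#######################################
flush_rules() {
  local table
  echo "flush iptable rules"
  "$IPT" -F
  "$IPT" -X
  for table in nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done
}

#######################################
# Set the default policy of every filter chain to DROP.
# Done before any ACCEPT rule so a partially built ruleset fails closed;
# a failure here aborts the script rather than continuing half-open.
# Globals: IPT (read)
#######################################
set_default_drop() {
  local chain
  echo "Set default policy to 'DROP'"
  for chain in INPUT FORWARD OUTPUT; do
    "$IPT" -P "$chain" DROP || die "failed to set policy DROP on $chain"
  done
}

#######################################
# Allow DNS (tcp and udp 53) to the nameservers in /etc/resolv.conf.
# This should be one of the first rule groups so that DNS lookups are
# already allowed for any later rule that needs them.
# Globals: IPT (read)
#######################################
allow_dns() {
  local -a servers=()
  local ip proto
  # Only 'nameserver' lines, and only IPv4 literals: the second field of
  # 'search'/'options' lines is not an address, and iptables cannot take an
  # IPv6 nameserver. Either would make the rule insertion fail.
  mapfile -t servers < <(awk '$1 == "nameserver" && $2 ~ /^[0-9.]+$/ { print $2 }' /etc/resolv.conf)
  if (( ${#servers[@]} == 0 )); then
    printf 'warning: no IPv4 nameserver in /etc/resolv.conf, DNS stays blocked\n' >&2
    return 0
  fi
  for ip in "${servers[@]}"; do
    printf "Allowing DNS lookups (tcp, udp port 53) to server '%s'\n" "$ip"
    for proto in udp tcp; do
      "$IPT" -A OUTPUT -p "$proto" -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
      "$IPT" -A INPUT -p "$proto" -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
    done
  done
}

#######################################
# Allow all traffic on the loopback interface.
# Globals: IPT (read)
#######################################
allow_loopback() {
  echo "allow all and everything on localhost"
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT
}

#######################################
# Allow HTTP/HTTPS both ways: this host as a web server (incoming NEW on
# 80/443) and as a client (outgoing NEW to 80/443).
# Reply traffic is matched with --state ESTABLISHED, as the SSH/SMTP rules
# already do: a bare '--sports 80,443 -j ACCEPT' on INPUT would admit any
# packet whose source port is 80 or 443, whether or not it belongs to a
# connection this host opened.
# Globals: IPT (read)
#######################################
allow_web() {
  echo "Allowing outgoing and incoming connections to port 80, 443"
  "$IPT" -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
}

#######################################
# Allow incoming SSH on SSH_PORT and the matching replies.
# Globals: IPT, SSH_PORT (read)
#######################################
allow_ssh() {
  echo "Allow all ingoing connections to port $SSH_PORT"
  "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --sport "$SSH_PORT" -m state --state ESTABLISHED -j ACCEPT
}

#######################################
# Allow outgoing NTP (udp 123) and SMTP (tcp 25) and their replies.
# Globals: IPT (read)
#######################################
allow_outgoing_services() {
  echo "Allow outgoing connections to port 123 (ntp syncs)"
  "$IPT" -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
  echo "Allow outgoing connections to port 25 (SMTP)"
  "$IPT" -A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
}

#######################################
# Entry point: sanity checks, then build the ruleset in order.
#######################################
main() {
  (( EUID == 0 )) || die "this script must run as root"
  [[ -x "$IPT" ]] || die "$IPT not found or not executable"
  flush_rules
  set_default_drop
  allow_dns
  allow_loopback
  allow_web
  allow_ssh
  allow_outgoing_services
  # Explicit catch-all DROPs at the end of INPUT/OUTPUT; redundant with the
  # chain policies, kept as a visible terminator of each chain.
  "$IPT" -A INPUT -j DROP
  "$IPT" -A OUTPUT -j DROP
  echo "done!"
  exit 0
}

main "$@"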