Last active
January 20, 2017 11:21
-
-
Save esmiz/7149d2d3766871e4b987f2d5fe7424f9 to your computer and use it in GitHub Desktop.
base iptables script for web server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Mainly based on https://gist.github.com/thomasfr/9712418 | |
IPT="/sbin/iptables" | |
# Server IP | |
SERVER_IP="$(ip addr show eth0 | grep 'inet ' | cut -f2 | awk '{ print $2}')" | |
# Your DNS servers you use: cat /etc/resolv.conf | |
DNS_SERVER="8.8.4.4 8.8.8.8" | |
# Allowed outgoing ssh connections | |
SSH_SERVER="178.33.230.37 37.59.32.142 91.121.86.182" | |
# Blacklist ips | |
BLACKLIST=/etc/blacklist.ips | |
echo "flush iptable rules" | |
$IPT -F | |
$IPT -X | |
$IPT -t nat -F | |
$IPT -t nat -X | |
$IPT -t mangle -F | |
$IPT -t mangle -X | |
echo "Set default policy to 'DROP'" | |
$IPT -P INPUT DROP | |
$IPT -P FORWARD DROP | |
$IPT -P OUTPUT DROP | |
## This should be one of the first rules. | |
## so dns lookups are already allowed for your other rules | |
for ip in $DNS_SERVER | |
do | |
echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'" | |
$IPT -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT | |
$IPT -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT | |
done | |
echo "allow all and everything on localhost" | |
$IPT -A INPUT -i lo -j ACCEPT | |
$IPT -A OUTPUT -o lo -j ACCEPT | |
####################################################################################################### | |
## Global iptable rules. Not IP specific | |
echo "Allowing new and established incoming connections to port 22, 80, 443" | |
$IPT -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A OUTPUT -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT | |
echo "Allow some outgoing connections to port 22 and all incoming connections" | |
for ip_ssh in $SSH_SERVER | |
do | |
$IPT -A OUTPUT -d $ip_ssh -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
done | |
$IPT -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
echo "Allow all outgoing connections to port 25 and 587" | |
#$IPT -A OUTPUT -p tcp --dport 587 -j ACCEPT | |
#$IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT | |
#$IPT -A INPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT | |
echo "Allow all outgoing connections to port 3306" | |
$IPT -A OUTPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A INPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT | |
echo "Allow all outgoing connections to port 80" | |
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT | |
echo "Allow all outgoing connections to port 443" | |
$IPT -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
$IPT -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT | |
echo "Allow outgoing icmp connections (pings,...)" | |
$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
$IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT | |
# Log before dropping | |
$IPT -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: ' | |
$IPT -A INPUT -j DROP | |
$IPT -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: ' | |
$IPT -A OUTPUT -j DROP | |
# Block abusing IPs | |
# from ${BLACKLIST} | |
if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then | |
echo " * BLOCKING ABUSIVE IPs" | |
while read IP; do | |
echo "** IP: ${IP}" | |
$IPT -I INPUT -s "${IP}" -j DROP | |
done < <(cat "${BLACKLIST}") | |
fi | |
exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment