iptables provisioning script
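#!/bin/bash
#
# iptables Provisioning Script
#
# Interactive first-time firewall provisioning for a standard server:
#   - flushes the filter table and sets default-DROP policies on INPUT,
#     FORWARD and OUTPUT
#   - allows loopback traffic, DNS client traffic (UDP 53) and the TCP
#     ports passed on the command line
#   - logs (rate-limited) and drops everything else
#   - persists the result through the `service iptables` helper
#
# Usage:  script.sh PORT [PORT ...]     (TCP ports to open, 1-65535)
# Must be run as root (or via sudo).
#
# NOTE: rules take effect as soon as they are inserted; the final "save"
# step only makes them persistent.  Include the port of your current
# remote session (usually 22) in the list or that session will be dropped.
#
# @author brockhensley
# @version 1.0.0
# @date Last updated April 14th 2013
# @link brockhensley.com
# @todo Add UDP support, predefined sets of rules to choose from

set -u

# Print a message to stderr and exit non-zero.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Run one iptables command; abort loudly on failure so a half-built
# rule set is never silently saved.
rule() {
  iptables "$@" || die "iptables $* failed"
}

clear
echo '#'
echo '# iptables Provisioning Script'
echo '#'
echo '# This script will guide you through the initial iptables firewall provisioning for a standard server.'
echo '#'
echo '# @author brockhensley'
echo '# @version 1.0.0'
echo '# @date Last updated April 14th 2013'
echo '# @link brockhensley.com'
echo '# @todo Add UDP support, predefined sets of rules to choose from'
echo '#'
read -rp 'Press any key to begin provisioning or [CTRL]+[C] to quit.'
clear

echo '# Usage if no args'
# "$@" is never an empty string when it expands to several words; $# is
# the reliable "no arguments" test.
if [ "$#" -eq 0 ]; then
  echo ''
  echo 'Enter list of ports to open e.g. script.sh 20 21 25 80 110 143 443 465 587 993 995 2600 2606 2609 9091 4190'
  echo ''
  echo 'Note: UDP 53 is added automatically for DNS client'
  echo ''
  echo 'Note: rules are live immediately - include the port of your current remote session (usually 22)'
  echo ''
  echo 'Finally, make sure you run as root or sudo'
  echo ''
  read -rp "Hit enter to exit"
  exit 0
fi

# Fail before touching the firewall if the prerequisites are missing.
[ "$(id -u)" -eq 0 ] || die 'this script must be run as root (or via sudo)'
command -v iptables >/dev/null 2>&1 || die 'iptables not found in PATH'

# Validate every argument before any rule is changed: a bad value would
# otherwise be rejected by iptables only after the DROP policies are set.
for port in "$@"; do
  if ! [[ "$port" =~ ^[0-9]+$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
    die "invalid TCP port '$port' (expected an integer 1-65535)"
  fi
done

echo '# Reset rules'
# -F with no chain flushes every chain in the filter table, including a
# LOGGING chain left by a previous run; it is then empty and can be removed.
rule -F
# The chain may not exist on the first run; that is not an error.
iptables -X LOGGING 2>/dev/null || true

echo '# Chain defaults'
rule -P INPUT DROP
rule -P FORWARD DROP
rule -P OUTPUT DROP

echo '# Local communication'
rule -A INPUT -i lo -j ACCEPT
rule -A OUTPUT -o lo -j ACCEPT

echo '# DNS Client'
rule -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# Only accept DNS replies that match an outbound query; an unconditional
# "--sport 53" rule would admit any packet sent from source port 53.
rule -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

echo '# Add requested rules'
for port in "$@"; do
  echo "* Adding TCP port $port"
  rule -A INPUT -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
  rule -A OUTPUT -p tcp --sport "$port" -m state --state ESTABLISHED -j ACCEPT
done

echo '# Log and drop all other packets'
rule -N LOGGING
rule -A INPUT -j LOGGING
rule -A OUTPUT -j LOGGING
# Rate-limit the log target so a flood cannot fill the kernel log.
rule -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables:" --log-level 7
rule -A LOGGING -j DROP

echo ''
echo '# Display the active rules before saving'
echo ''
iptables -L -v -n | more
echo ''
read -rp "Confirm the rules and hit Enter to save or CTRL+C to abort"

echo '# Save and apply'
/sbin/service iptables save || die 'saving the rule set failed'
/sbin/service iptables restart || die 'restarting the iptables service failed'
read -rp "Done! Hit enter to exit"
exit 0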