@jacquesbh
Last active February 18, 2021 17:14
/etc/init.d/firewall Iptables firewall
#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Firewall
# Description: Configure all iptables rules.
### END INIT INFO
# NOTE: there is no "case $1 in start|stop|...)" below, so the whole ruleset
# is rebuilt on every invocation, including "stop".
echo "Flush current rules"
iptables -t filter -F
echo "Delete user-defined chains"
iptables -t filter -X
echo "Flush NAT rules"
iptables -t nat -F
iptables -t nat -X
echo "Flush the mangle table's rules"
iptables -t mangle -F
iptables -t mangle -X
echo "Drop all connections in, out and forward"
# Default-deny on all three chains; the ACCEPT rules below punch the holes.
# Between these three lines and the RELATED,ESTABLISHED rule there is a short
# window in which every packet is dropped, so keep console access the first
# time you run this over SSH.
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# ----------------------------------------------
echo "Don't break existing connections"
# Lets replies to allowed traffic through; '-m state' is the legacy spelling
# of '-m conntrack --ctstate' and still works.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allow loopback"
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo "Allow ping"
# Accepts every inbound ICMP type, not just echo-request. ICMP errors tied to
# existing flows are already covered as RELATED above, so this could be
# narrowed to '--icmp-type echo-request' (optionally with '-m limit').
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# ----------------------------------------------
# /!\ SSH In and Out
# ------------------
# Be careful! Don't break your SSH connections ;)
# The INPUT rule is what keeps you logged in. The OUTPUT rule only lets this
# host act as an SSH client. Change 22 if sshd listens on another port.
echo "SSH :)"
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# DNS Out & In
#-------------
echo "DNS Out"
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
#echo "DNS In"
#iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP Out
#--------
echo "NTP Out"
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# HTTP + HTTPS Out & In
#----------------------
echo "HTTP(S) Out"
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
#echo "HTTP(S) In"
#iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# MySQL In & Out
#---------------
#echo "MySQL In"
#iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
#echo "MySQL Out"
#iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# FTP In & Out
#-------------
# Passive-mode data connections use random high ports and are only matched
# as RELATED when the nf_conntrack_ftp kernel module is loaded. The last
# line duplicates the RELATED,ESTABLISHED rule already added above.
#iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
#iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SMTP (mail)
#------------
#echo "SMTP In"
#iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
#echo "SMTP Out"
#iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
# IRC
#----
#echo "IRC !"
#iptables -t filter -A OUTPUT -p tcp --dport 6667 -j ACCEPT
# OpenVPN (with IPs 10.8.0.0/24)
#--------
#echo "OpenVPN"
#iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#iptables -t filter -A INPUT -p tcp --dport 1194 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 1194 -j ACCEPT
#iptables -t filter -A OUTPUT -p udp --dport 1194 -j ACCEPT
# Routed VPN tunnels
#-------------------
#echo "Routed VPN tunnels"
#iptables -t filter -A INPUT -i tun+ -j ACCEPT
#iptables -t filter -A FORWARD -i tun+ -j ACCEPT
#iptables -t filter -A FORWARD -o tun+ -j ACCEPT
#iptables -t filter -A OUTPUT -o tun+ -j ACCEPT
# Bridged VPN tunnels (don't uncomment if you used PPTP, see below)
#--------------------
#echo "Bridged VPN tunnels"
#iptables -A INPUT -i tap0 -j ACCEPT
#iptables -A FORWARD -i tap0 -j ACCEPT
#iptables -A FORWARD -o tap0 -j ACCEPT
#iptables -A OUTPUT -o tap0 -j ACCEPT
#iptables -A INPUT -i br0 -j ACCEPT
#iptables -A FORWARD -i br0 -j ACCEPT
#iptables -A OUTPUT -o br0 -j ACCEPT
# Samba
#------
# 135/tcp is the MS-RPC endpoint mapper; 137-139 and 445 are the SMB ports.
#echo "Samba In"
#iptables -t filter -A INPUT -p tcp --dport 135 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 137:138 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 139 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 445 -j ACCEPT
# Replies from the local Samba server (source port = service port). These are
# already covered by the ESTABLISHED rule in OUTPUT, so they are optional.
#echo "Samba Out"
#iptables -t filter -A OUTPUT -p tcp --sport 135 -j ACCEPT
#iptables -t filter -A OUTPUT -p udp --sport 137:138 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --sport 139 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --sport 445 -j ACCEPT
# pptp(d) (VPN)
#--------------
# PPTP's MS-CHAPv2 authentication is known to be breakable; prefer the
# OpenVPN rules above for anything new.
#echo "PPTP(d)"
#iptables -A INPUT -i ppp+ -j ACCEPT
#iptables -A OUTPUT -o ppp+ -j ACCEPT
#iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
## GRE protocol used by PPTP
#iptables -A INPUT -p 47 -j ACCEPT
#iptables -A OUTPUT -p 47 -j ACCEPT
## Accept postrouting (masquerade VPN clients behind this host's addresses)
#iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
#iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE
## Accept forward
## /!\ This flushes FORWARD and then accepts everything, so the host routes
## any traffic between any two interfaces, not only the VPN clients.
## Restrict with '-i ppp+' / '-o ppp+' instead of a blanket ACCEPT.
#iptables -F FORWARD
#iptables -A FORWARD -j ACCEPT
# Puppet
#echo "Puppet"
#iptables -t filter -A INPUT -p tcp --dport 8140 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 8140 -j ACCEPT
echo "Firewall done."
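Added example, not part of the gist: the same default-deny baseline expressed as an iptables-restore ruleset and loaded in one atomic commit, with a rollback timer. The script above flushes first and then sets DROP policies, so there is a window with no ACCEPT rules, and a typo halfway down leaves the host half-configured; iptables-restore either loads a whole table or nothing, and `--test` rejects a bad file before anything changes. Assumptions: iptables-restore supports `--test` (iptables 1.6 and later), the script runs as root only when given `apply`, tables absent from the file (mangle) are left untouched, and `SSH_PORT`, `ROLLBACK_SECS` and `/run/firewall.ok` are names made up for this example. The ping rule is narrowed to rate-limited echo-request, which goes beyond the gist's "allow all ICMP".

```shell
#!/bin/sh
# Example code, not from the gist: atomic default-deny ruleset with rollback.
SSH_PORT="${SSH_PORT:-22}"          # assumption: sshd listens on 22
ROLLBACK_SECS="${ROLLBACK_SECS:-60}" # assumption: 60 s to confirm the new rules
OK_FLAG="/run/firewall.ok"           # hypothetical confirmation marker

# Print the ruleset in iptables-save format. Lines starting with '#' are
# ignored by iptables-restore; '${SSH_PORT}' is expanded by the shell.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# keep existing flows alive ('conntrack' is the current name for 'state')
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ping: only echo-request, rate limited; ICMP errors arrive as RELATED
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# SSH in (keeps you logged in) and out (this host as a client), as in the gist
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
# DNS, NTP, HTTP(S) out
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Does the generated ruleset accept new inbound TCP connections to port $1?
opens_tcp_in() {
    gen_rules | grep -q -- "^-A INPUT -p tcp --dport $1 "
}

# Validate, snapshot the running rules, load the new ones, and schedule a
# rollback that fires unless the operator creates $OK_FLAG in time.
apply_rules() {
    new=$(mktemp) || return 1
    old=$(mktemp) || return 1
    gen_rules > "$new"
    iptables-restore --test "$new" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    iptables-save > "$old" || return 1
    rm -f "$OK_FLAG"
    iptables-restore "$new" || return 1
    ( sleep "$ROLLBACK_SECS"; [ -e "$OK_FLAG" ] || iptables-restore "$old" ) &
    echo "Applied. Open a NEW ssh session and run: touch $OK_FLAG (within ${ROLLBACK_SECS}s)"
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;   # default: print the ruleset for review
esac
```

Run it once with no arguments to review the file it would load, then `sh firewall-restore.sh apply` from an existing session and confirm from a fresh one; if the new rules lock you out, the snapshot is restored after the timeout. The sanity check for the lock-out case is that the confirmation must come from a new connection, since the existing session survives on the ESTABLISHED rule regardless.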
@jacquesbh

Add the firewall at startup: update-rc.d firewall defaults
Remove it: update-rc.d -f firewall remove

@DevAly

DevAly commented Feb 18, 2021

Thanks that's very helpful
