/etc/init.d/firewall
Iptables firewall
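#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Firewall
# Description:       Configure all iptables rules.
### END INIT INFO
#
# Applies a default-deny IPv4 ruleset: flush the filter, nat and mangle
# tables, set DROP policies on INPUT/FORWARD/OUTPUT, then re-open only the
# services listed below. Optional services are kept as commented-out rules;
# uncomment the ones the host actually needs.
#
# NOTE(review): only `iptables` (IPv4) is configured here. If the host has
# IPv6 connectivity, ip6tables keeps its own policies, so the "drop all
# connections" stance below does not apply to IPv6 traffic.
# NOTE(review): the init argument ($1: start/stop/restart) is ignored; every
# invocation, including "stop", re-applies the full ruleset.
# NOTE(review): there is no `set -e`: a rule that fails to load is reported
# by iptables on stderr but the script keeps going, so check the output.

# Fail early with one clear message instead of a stream of "command not
# found" / "Permission denied" errors half-way through changing policies.
if ! command -v iptables >/dev/null 2>&1; then
  echo "firewall: iptables not found in PATH" >&2
  exit 1
fi
if [ "$(id -u)" -ne 0 ]; then
  echo "firewall: must be run as root" >&2
  exit 1
fi

# ----------------------------------------------
# Start from a clean slate (the raw table is left untouched).
echo "Empty actual rules"
iptables -t filter -F
echo "Empty personnal rules"
iptables -t filter -X
echo "Empty NAT rules"
iptables -t nat -F
iptables -t nat -X
echo "Empty the mangle table's rules"
iptables -t mangle -F
iptables -t mangle -X

# Default deny in every direction. Everything below this line is an
# explicit exception. Between here and the ESTABLISHED rule an existing
# SSH session sees a brief drop (TCP retransmits cover it).
echo "Drop all connexions in, out and forward"
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# ----------------------------------------------
# Conntrack: reply traffic for connections already allowed below.
echo "Don't break existing connections"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

echo "Allow loopback"
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# All ICMP types, unthrottled, in both directions (the author's choice;
# narrow with --icmp-type and/or -m limit if the host is exposed).
echo "Allow ping"
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# ----------------------------------------------
# /!\ SSH In and Out
# ------------------
# Be careful! Don't brake your SSH connections ;)
# Inbound SSH is accepted from any source address.
echo "SSH :)"
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# DNS Out & In
#-------------
echo "DNS Out"
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
#echo "DNS In"
#iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# NTP Out
#--------
echo "NTP Out"
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# HTTP + HTTPS Out & In
#----------------------
echo "HTTP(S) Out"
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
#echo "HTTP(S) In"
#iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

# MySQL In & Out
#---------------
#echo "MySQL In"
#iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
#echo "MySQL Out"
#iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT

# FTP In & Out
#-------------
# The ESTABLISHED,RELATED INPUT rule is already loaded above; the copy
# here is redundant. Active-mode FTP data connections also need the FTP
# conntrack helper (nf_conntrack_ftp) loaded for RELATED to match.
#iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
#iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SMTP (mail)
#------------
#echo "SMTP In"
#iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
#echo "SMTP Out"
#iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

# IRC
#----
#echo "IRC !"
#iptables -t filter -A OUTPUT -p tcp --dport 6667 -j ACCEPT

# OpenVPN (with IPs 10.8.0.0/24)
#--------
#echo "OpenVPN"
#iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#iptables -t filter -A INPUT -p tcp --dport 1194 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 1194 -j ACCEPT
#iptables -t filter -A OUTPUT -p udp --dport 1194 -j ACCEPT

# Routed VPN tunnels
#-------------------
#echo "Routed VPN tunnels"
#iptables -t filter -A INPUT -i tun+ -j ACCEPT
#iptables -t filter -A FORWARD -i tun+ -j ACCEPT
#iptables -t filter -A FORWARD -o tun+ -j ACCEPT
#iptables -t filter -A OUTPUT -o tun+ -j ACCEPT

# Bridged VPN tunnels (don't uncomment if you used PPTP, see below)
#--------------------
#echo "Bridged VPN tunnels"
#iptables -A INPUT -i tap0 -j ACCEPT
#iptables -A FORWARD -i tap0 -j ACCEPT
#iptables -A FORWARD -o tap0 -j ACCEPT
#iptables -A OUTPUT -o tap0 -j ACCEPT
#iptables -A INPUT -i br0 -j ACCEPT
#iptables -A FORWARD -i br0 -j ACCEPT
#iptables -A OUTPUT -o br0 -j ACCEPT

# Samba
#------
# (the tcp/135 rule was missing its "-j" and would have failed to load)
#echo "Samba In"
#iptables -t filter -A INPUT -p tcp --dport 135 -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 137:138 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 139 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 445 -j ACCEPT
#echo "Samba Out"
#iptables -t filter -A OUTPUT -p tcp --sport 135 -j ACCEPT
#iptables -t filter -A OUTPUT -p udp --sport 137:138 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --sport 139 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --sport 445 -j ACCEPT

# pptp(d) (VPN)
#--------------
# Note: the "Accept forward" lines flush FORWARD and accept everything,
# which turns the host into an open router for any interface.
#echo "PPTP(d)"
#iptables -A INPUT -i ppp+ -j ACCEPT
#iptables -A OUTPUT -o ppp+ -j ACCEPT
#iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
## GRE protocol used by PPTP
#iptables -A INPUT -p 47 -j ACCEPT
#iptables -A OUTPUT -p 47 -j ACCEPT
## Accept postrouting
#iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
#iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE
## Accept forward
#iptables -F FORWARD
#iptables -A FORWARD -j ACCEPT

# Puppet
#echo "Puppet"
#iptables -t filter -A INPUT -p tcp --dport 8140 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 8140 -j ACCEPT

echo "Firewall done."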
Register the script so it runs at startup (it is installed as /etc/init.d/firewall):
update-rc.d firewall defaults
Remove it from the startup sequence:
update-rc.d -f firewall remove