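#!/bin/bash
# THIS SCRIPT SETS UP SOME BASIC IP TABLES RULES FOR YOUR SYSTEM.
# YOU SHOULD BUY A BOOK AND GOOGLE TO UNDERSTAND WHAT IS GOING ON HERE.
# YOUR SYSTEM'S SECURITY SHOULD NOT BE LEFT UP TO A SCRIPT APPLICATION
# OR ME. IT IS YOUR RESPONSIBILITY TO ENSURE YOUR OWN SECURITY.
# THIS IS PRESENTED WITHOUT ANY WARRANTY. ANY USE OF THIS IS AT YOUR OWN RISK
#
# Written by James Finstrom (james.finstrom@schmoozecom.com)
#
# Usage: run as root. Edit the SETTINGS section, run once with TESTMODE=1 and
# inspect the live ruleset (iptables -L -n -v), then run with TESTMODE=0 to
# save it to RULESFILE.
#
# Everything is in the filter table: INPUT, OUTPUT and FORWARD default to DROP
# and only the services toggled on below are opened. Because the DROP policies
# are applied before any ACCEPT rule, a failing iptables command aborts the
# script (set -e) and leaves the host closed rather than open -- make sure you
# have console access the first time you run this.
set -eu -o pipefail

###### SETTINGS #######
#TEST MODE = WRITE RULES BUT DON'T MAKE THEM PERMANENT (1 = TRUE, 0 = FALSE)
TESTMODE=0
#LOCAL SUBNET allowed to reach SSH and HTTP(S) (0.0.0.0/0 is the same as having no restriction)
LOCALSUB=0.0.0.0/0
#INTERFACE the TCP/DNS rules are bound to
IFACE=eth0
#ALLOW PEOPLE TO PING THE MACHINE (1 = TRUE, 0 = FALSE)
PINGIN=0
#ALLOW PEOPLE TO PING OUT (1 = TRUE, 0 = FALSE)
PINGOUT=1
#USE SMTP (1 = TRUE, 0 = FALSE)
SMTP=1
#USE POP3 (1 = TRUE, 0 = FALSE)
POP3=1
#USE POP3S (1 = TRUE, 0 = FALSE)
POP3S=0
#USE IMAP (1 = TRUE, 0 = FALSE)
IMAP=0
#USE IMAPS (1 = TRUE, 0 = FALSE)
IMAPS=0
#USE SIP (also opens the RTP media range) (1 = TRUE, 0 = FALSE)
SIP=1
#USE IAX (1 = TRUE, 0 = FALSE)
IAX=0
#USE IAX2 (1 = TRUE, 0 = FALSE)
IAX2=0
#USE MGCP (1 = TRUE, 0 = FALSE)
MGCP=0
#LOG DROPPED PACKETS (1 = TRUE, 0 = FALSE)
LOGGING=1
#FILE THE RULESET IS SAVED TO WHEN TESTMODE=0. On RHEL/CentOS the iptables
#service restores /etc/sysconfig/iptables at boot; /etc/sysconfig/iptables-config
#is that service's option file and must not be overwritten with a ruleset.
RULESFILE=/etc/sysconfig/iptables

##############THE MAGIC STARTS HERE##############

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Open a TCP service hosted on this machine and let its replies back out.
# Globals:   IFACE (read)
# Arguments: $1 - port
#            $2 - source CIDR allowed to connect (default: any)
#######################################
allow_tcp_in() {
  local port=$1
  local src=${2:-0.0.0.0/0}
  iptables -A INPUT -i "$IFACE" -p tcp -s "$src" --dport "$port" \
    -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o "$IFACE" -p tcp --sport "$port" \
    -m state --state ESTABLISHED -j ACCEPT
}

#######################################
# Let this machine connect to a remote TCP service and receive the replies.
# Globals:   IFACE (read)
# Arguments: $1 - destination port
#######################################
allow_tcp_out() {
  local port=$1
  iptables -A OUTPUT -o "$IFACE" -p tcp --dport "$port" \
    -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -i "$IFACE" -p tcp --sport "$port" \
    -m state --state ESTABLISHED -j ACCEPT
}

#######################################
# Open a UDP service hosted on this machine (on any interface) and let its
# replies back out. Without the OUTPUT rule the OUTPUT DROP policy silently
# discards every answer the service sends.
# Arguments: $1 - port or port range (low:high)
#######################################
allow_udp_in() {
  local port=$1
  iptables -A INPUT -p udp -m udp --dport "$port" -j ACCEPT
  # Only reply traffic; a peer that sends from a different port than it
  # receives on would need NEW here as well -- confirm against your endpoints.
  iptables -A OUTPUT -p udp -m udp --sport "$port" \
    -m state --state ESTABLISHED -j ACCEPT
}

(( EUID == 0 )) || die "this script must be run as root"
for tool in iptables iptables-save; do
  command -v "$tool" >/dev/null || die "required command not found: $tool"
done

#Flush current rules and remove user chains left by a previous run (otherwise
#'iptables -N LOGGING' fails on the second run because the chain exists).
iptables -F
iptables -X
#Default Policies AKA "KILL ALL THE THINGS"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#Allow local loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#SSH ACCESS
##in## (restricted to LOCALSUB)
allow_tcp_in 22 "$LOCALSUB"
##out## Allow SSH out
allow_tcp_out 22
#HTTP(S) served here (restricted to LOCALSUB)
allow_tcp_in 80 "$LOCALSUB"
allow_tcp_in 443 "$LOCALSUB"
#Allow outbound HTTP HTTPS FTP for things like curl. Only the FTP control
#channel (21) is opened; FTP data connections are not covered by this rule.
allow_tcp_out 80
allow_tcp_out 443
allow_tcp_out 21
if [[ $PINGIN -eq 1 ]]; then
  #Allow people to ping
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
fi
if [[ $PINGOUT -eq 1 ]]; then
  #Allow server to ping out
  iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
fi
#Allow outbound DNS. Answers are only accepted for queries this host sent;
#without the state match anything sourced from port 53 could reach any UDP port.
iptables -A OUTPUT -o "$IFACE" -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i "$IFACE" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#Allow EMAIL (smtp,pop3(s),imap(s)) -- not restricted to LOCALSUB
if [[ $SMTP -eq 1 ]]; then
  #SMTP
  allow_tcp_in 25
fi
if [[ $IMAP -eq 1 ]]; then
  #IMAP
  allow_tcp_in 143
fi
if [[ $IMAPS -eq 1 ]]; then
  #IMAPS
  allow_tcp_in 993
fi
if [[ $POP3 -eq 1 ]]; then
  #POP3
  allow_tcp_in 110
fi
if [[ $POP3S -eq 1 ]]; then
  #POP3S
  allow_tcp_in 995
fi
#ASTERISK RULES (UDP, any interface)
if [[ $SIP -eq 1 ]]; then
  # SIP signalling and the RTP media range
  allow_udp_in 5060
  allow_udp_in 10000:20000
fi
if [[ $IAX2 -eq 1 ]]; then
  # IAX2
  allow_udp_in 4569
fi
if [[ $IAX -eq 1 ]]; then
  # IAX
  allow_udp_in 5036
fi
if [[ $MGCP -eq 1 ]]; then
  # MGCP
  allow_udp_in 2727
fi
if [[ $LOGGING -eq 1 ]]; then
  #LOGGING: whatever INPUT did not accept above is rate-limited to the kernel
  #log and then dropped explicitly (same result as the DROP policy, but logged)
  iptables -N LOGGING
  iptables -A INPUT -j LOGGING
  iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "Packet Dropped: " --log-level 7
  iptables -A LOGGING -j DROP
fi
if [[ $TESTMODE -eq 0 ]]; then
  #SAVE RULES so the iptables service restores them at boot; the saved
  #ruleset describes your exposure, so keep it readable by root only.
  iptables-save > "$RULESFILE"
  chmod 600 "$RULESFILE"
fi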