IPtables Basic Configuration
The rules file should be copied to "/etc/iptables/iptables.rules".
The startup script should be copied to "/etc/init.d/iptables", and then the "update-rc.d iptables defaults"
command should be run to enable it on system startup.
# Host firewall ruleset in iptables-restore(8) format; the init script loads it
# from /etc/iptables/iptables.rules. Lines starting with '#' are ignored.
*filter
# Default policies: inbound and forwarded traffic is dropped unless a rule
# below accepts it; outbound traffic is not restricted at all.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# PORTSCAN: drop TCP packets whose flag combination never occurs in a normal
# handshake (FIN+URG+PSH "XMAS", all flags, SYN+RST, SYN+FIN). A packet with
# no flags set at all (a NULL probe) is not matched by any rule here.
-N PORTSCAN
-A PORTSCAN -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP
-A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# STATETRACK: accept replies to connections this host opened (and related
# ones), drop packets that conntrack cannot associate with any connection.
-N STATETRACK
-A STATETRACK -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATETRACK -m state --state INVALID -j DROP
# SSH: every new connection to port 22 is recorded per source address; once a
# source has 5 or more new connections within 60 seconds its connection is
# dropped (slows down password guessing). Everything else to 22 is accepted.
-N SSH
-A SSH -p tcp --dport 22 -m state --state NEW -m recent --set
-A SSH -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
-A SSH -p tcp --dport 22 -j ACCEPT
# INPUT: run the chains above in order, then accept all ICMP and loopback.
# NOTE(review): loopback packets only reach the "-i lo" rule after traversing
# PORTSCAN/STATETRACK/SSH, so local connections to 127.0.0.1:22 count toward
# the SSH limit; accepting "-i lo" first is the more usual ordering.
-A INPUT -j PORTSCAN
-A INPUT -j STATETRACK
-A INPUT -j SSH
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
#!/bin/bash
#
# iptables startup script (by MatToufoutu)
# inspired by ArchLinux's version
# requires the rules to be stored in /etc/iptables/iptables.rules
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $remote_fs
# Required-Stop: $remote_fs
# Default-Start: S
# Default-Stop:
# Short-Description: load iptables rules
# Description: load iptables rules
### END INIT INFO
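# LSB helpers used below: log_begin_msg / log_end_msg.
. /lib/lsb/init-functions

# Resolve the iptables binaries from PATH (command -v is the portable
# replacement for `which`). If a tool is missing the variable is empty and the
# action that needs it fails when it tries to run it.
IPT=$(command -v iptables)
IPT_RESTORE=$(command -v iptables-restore)
IPT_SAVE=$(command -v iptables-save)
# Rules file: read by "start", rewritten by "save".
readonly IPT_CONFIG="/etc/iptables/iptables.rules"
# Existence of this file is the "rules are loaded" marker used by start/stop.
readonly IPT_LOCK="/var/run/iptables"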
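#######################################
# Abort the script if the previous command failed.
# Arguments: $1 - exit status to check (missing or empty counts as 0)
# Outputs:   reports the status through log_end_msg on failure
# Exits:     1 when the status is non-zero, otherwise returns 0
#######################################
chkret() {
  # Default to 0 so a missing argument cannot turn into a test syntax error.
  if [ "${1:-0}" -gt 0 ]; then
    log_end_msg "$1"
    exit 1
  fi
}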
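#######################################
# Load the rules file with iptables-restore and create the lock file.
# Globals:   IPT_RESTORE, IPT_CONFIG, IPT_LOCK (read)
# Outputs:   status messages on stdout
# Exits:     1 if already loaded, if the rules file is missing, or if the
#            restore fails
#######################################
iptstart() {
  if [ -f "$IPT_LOCK" ]; then
    echo "* IP Tables is already loaded"
    exit 1
  fi
  log_begin_msg "Starting IP Tables"
  if [ ! -f "$IPT_CONFIG" ]; then
    log_end_msg 1
    echo "* Cannot load rules: $IPT_CONFIG is missing"
    exit 1
  fi
  # Only mark the firewall as loaded when the restore itself succeeded: the
  # lock must not report "started" for a ruleset that was never applied.
  if ! "$IPT_RESTORE" < "$IPT_CONFIG"; then
    log_end_msg 1
    echo "* Cannot load rules: $IPT_RESTORE failed on $IPT_CONFIG"
    exit 1
  fi
  touch "$IPT_LOCK"
  log_end_msg $?
}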
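#######################################
# Set CHAIN's policy to ACCEPT in every listed table that is currently loaded.
# Arguments: $1 - built-in chain name; $2.. - tables that may hold the chain
# Exits:     via chkret when iptables fails
#######################################
ipt_reset_policy() {
  local chain=$1 table
  shift
  for table in "$@"; do
    if grep -qw "$table" /proc/net/ip_tables_names; then
      "$IPT" -t "$table" -P "$chain" ACCEPT
      chkret $?
    fi
  done
}

#######################################
# Flush every loaded table and reset all built-in policies to ACCEPT.
# After this the host accepts all traffic — "stop" means no firewall.
# Globals:   IPT, IPT_LOCK (read)
# Outputs:   status messages on stdout
# Exits:     1 if the lock file is absent, or via chkret on iptables failure
#######################################
iptstop() {
  local table
  if [ ! -f "$IPT_LOCK" ]; then
    echo "* IP Tables is not running"
    exit 1
  fi
  log_begin_msg "Stopping IP Tables"
  # Flush rules, delete user chains and zero counters in each loaded table.
  while read -r table; do
    "$IPT" -t "$table" -F &>/dev/null && \
    "$IPT" -t "$table" -X &>/dev/null && \
    "$IPT" -t "$table" -Z &>/dev/null
    chkret $?
  done < /proc/net/ip_tables_names
  # Each built-in chain exists only in some tables.
  ipt_reset_policy OUTPUT filter nat mangle raw
  ipt_reset_policy INPUT filter mangle
  ipt_reset_policy FORWARD filter mangle
  ipt_reset_policy PREROUTING nat mangle raw
  ipt_reset_policy POSTROUTING nat mangle
  rm -f -- "$IPT_LOCK"
  log_end_msg 0
}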
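#######################################
# Dump the live ruleset into IPT_CONFIG with iptables-save.
# Globals:   IPT_SAVE, IPT_CONFIG (read); IPT_CONFIG file (written)
# Outputs:   status messages on stdout
# Returns:   0 on success, 1 if the temp file, the dump or the rename fails
#######################################
iptsave() {
  local tmp
  log_begin_msg "Saving IP Tables rules"
  # Dump into a temp file beside the config and rename it into place: a plain
  # "> file" redirection truncates the rules file before iptables-save even
  # runs, so a failing save would destroy the file "start" depends on. The
  # result keeps mktemp's 0600 mode, which is adequate for a root-only file.
  if ! tmp=$(mktemp "${IPT_CONFIG}.XXXXXX"); then
    log_end_msg 1
    return 1
  fi
  if "$IPT_SAVE" > "$tmp" && mv -f -- "$tmp" "$IPT_CONFIG"; then
    log_end_msg 0
  else
    rm -f -- "$tmp"
    log_end_msg 1
  fi
}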
#######################################
# Print the verbose listing of the filter, nat and mangle tables.
# Globals:   IPT (read)
# Outputs:   one titled section per table on stdout
#######################################
iptstatus() {
  local section
  # Each entry is "<title>|<table>"; an empty table means a bare
  # "iptables -L -v", which lists the default (filter) table.
  for section in "Filter Rules:|" "NAT Rules:|nat" "Mangle Rules:|mangle"; do
    printf '%s\n---------------\n' "${section%%|*}"
    if [ -n "${section#*|}" ]; then
      "$IPT" -t "${section#*|}" -L -v
    else
      "$IPT" -L -v
    fi
    printf '\n'
  done
}
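# Dispatch on the init action. Unknown actions print the usage line to stderr
# and exit 2 (LSB "invalid arguments") instead of reporting success.
case "$1" in
  start)
    iptstart
    ;;
  stop)
    iptstop
    ;;
  restart|force-reload)
    # iptstop exits 1 when no lock file exists, so only stop a loaded
    # firewall; this lets "restart" also bring up one that is not running.
    if [ -f "$IPT_LOCK" ]; then
      iptstop
    fi
    iptstart
    ;;
  save)
    iptsave
    ;;
  status)
    iptstatus
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload|save|status}" >&2
    exit 2
    ;;
esac
exit 0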