Last active
August 29, 2015 14:02
-
-
Save narthollis/c51dac6c0903de6a07b4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # In case for whatever reason the paths change... | |
| IPTABLES=/sbin/iptables | |
| IP6TABLES=/sbin/ip6tables | |
| # RULE CREATION ORDER | |
| # ALL rules are added as created here | |
| # V4 rules are added as created here | |
| # V6 rules are added as created here | |
| # Try and always create new chains in the ALL ruleset | |
| # Try and always create chains - then you can do need things like graph them | |
| # You can use chains to get arround the fact that v4/v6 only rules are added late - see the ssh_restricted chains as an example | |
| # By Default OUTPUT is ACCEPT | |
| # By Default INPUT is DROP unless they have STATE ESTABLISHED or STATE RELATED | |
| # By Default FORWARD is DROP | |
| # By Default lo is ACCEPT | |
| # To make easier managment, we will add all the rules to arrays, then process those later | |
| # This also allows us to create IPv4 and IPv6 rules at the same time | |
| declare -a ALL # both IPv4 and IPv6 rules added | |
| declare -a V4 # ONLY IPv4 rules added | |
| declare -a V6 # ONLY IPv6 rules added | |
| # Flush the tables - its easier to work with a blank slate | |
| ALL[${#ALL[@]}]="-F" | |
| # Dont accept incomming connections | |
| ALL[${#ALL[@]}]="-P INPUT DROP" | |
| ALL[${#ALL[@]}]="-P FORWARD DROP" | |
| # Out going connects are ok though | |
| ALL[${#ALL[@]}]="-P OUTPUT ACCEPT" | |
| # Accept anythin on the loopback interface | |
| ALL[${#ALL[@]}]="-A INPUT -i lo -j ACCEPT" | |
| ########################### | |
| ###### Some basic ip address and ranges to help secure SSH access | |
| ########################### | |
| ALL[${#ALL[@]}]="-N ssh_restrict" | |
| V4[${#V4[@]}]='-A ssh_restrict -s 192.168.0.0/16 -j ACCEPT -m comment --comment "LCC Internal Network"' | |
| V4[${#V4[@]}]='-A ssh_restrict -s 203.122.251.73 -j ACCEPT -m comment --comment "LCA SA/NT District Office"' | |
| ########################### | |
| ###### SSH | |
| ########################### | |
| ALL[${#ALL[@]}]="-N SSH" | |
| ALL[${#ALL[@]}]="-A SSH -m state --state NEW -j ssh_restrict" | |
| ALL[${#ALL[@]}]="-A INPUT -m tcp -p tcp --dport 22 -j SSH" | |
| ALL[${#ALL[@]}]="-N SSH_OUT" | |
| ALL[${#ALL[@]}]="-A OUTPUT -m tcp -p tcp --sport 22 -m state --state ESTABLISHED -j SSH_OUT" | |
| ########################### | |
| ###### FTP | |
| ########################### | |
| ALL[${#ALL[@]}]="-N FTP" | |
| ALL[${#ALL[@]}]="-A FTP -m state --state NEW -j ACCEPT" | |
| ALL[${#ALL[@]}]="-A INPUT -m tcp -p tcp --dport 20 -j FTP" | |
| ALL[${#ALL[@]}]="-A INPUT -m tcp -p tcp --dport 21 -j FTP" | |
| ALL[${#ALL[@]}]="-A INPUT -m tcp -p tcp --dport 41000:41100 -j FTP" | |
| ALL[${#ALL[@]}]="-N FTP_OUT" | |
| ALL[${#ALL[@]}]="-A OUTPUT -m tcp -p tcp --sport 20 -m state --state ESTABLISHED -j FTP_OUT" | |
| ALL[${#ALL[@]}]="-A OUTPUT -m tcp -p tcp --sport 21 -m state --state ESTABLISHED -j FTP_OUT" | |
| ALL[${#ALL[@]}]="-A OUTPUT -m tcp -p tcp --sport 41000:41100 -m state --state ESTABLISHED -j FTP_OUT" | |
| ########################### | |
| ###### SMTP | |
| ########################### | |
| ALL[${#ALL[@]}]='-N SMTP' | |
| ALL[${#ALL[@]}]="-A SMTP -m state --state NEW -j ACCEPT" | |
| ALL[${#ALL[@]}]="-A INPUT -m tcp -p tcp --dport 25 -j SMTP" | |
| ALL[${#ALL[@]}]='-N SNMP_OUT' | |
| ALL[${#ALL[@]}]="-A OUTPUT -p tcp -m tcp --sport 25 -m state --state ESTABLISHED -j SNMP_OUT" | |
| ########################### | |
| ###### IMAP/POP3 | |
| ########################### | |
| ALL[${#ALL[@]}]='-N MAIL' | |
| ALL[${#ALL[@]}]="-A MAIL -m state --state NEW -j ACCEPT" | |
| ALL[${#ALL[@]}]="-A INPUT -m tcp -p tcp --dport 110 -j MAIL" | |
| ALL[${#ALL[@]}]="-A INPUT -m tcp -p tcp --dport 143 -j MAIL" | |
| ALL[${#ALL[@]}]="-A INPUT -m tcp -p tcp --dport 993 -j MAIL" | |
| ALL[${#ALL[@]}]="-A INPUT -m tcp -p tcp --dport 995 -j MAIL" | |
| ALL[${#ALL[@]}]='-N MAIL_OUT' | |
| ALL[${#ALL[@]}]="-A OUTPUT -m tcp -p tcp --sport 110 -m state --state ESTABLISHED -j MAIL_OUT" | |
| ALL[${#ALL[@]}]="-A OUTPUT -m tcp -p tcp --sport 143 -m state --state ESTABLISHED -j MAIL_OUT" | |
| ALL[${#ALL[@]}]="-A OUTPUT -m tcp -p tcp --sport 993 -m state --state ESTABLISHED -j MAIL_OUT" | |
| ALL[${#ALL[@]}]="-A OUTPUT -m tcp -p tcp --sport 995 -m state --state ESTABLISHED -j MAIL_OUT" | |
| ########################### | |
| ###### HTTP | |
| ########################### | |
| ALL[${#ALL[@]}]='-N HTTP' | |
| ALL[${#ALL[@]}]="-A HTTP -m state --state NEW -j ACCEPT" | |
| ALL[${#ALL[@]}]="-A INPUT -p tcp -m tcp --dport 80 -j HTTP" | |
| ALL[${#ALL[@]}]="-A INPUT -p tcp -m tcp --dport 443 -j HTTP" | |
| ALL[${#ALL[@]}]='-N HTTP_OUT' | |
| ALL[${#ALL[@]}]="-A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j HTTP_OUT" | |
| ALL[${#ALL[@]}]="-A OUTPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j HTTP_OUT" | |
| ########################### | |
| ###### SNMP | |
| ########################### | |
| ALL[${#ALL[@]}]='-N SNMP' | |
| ALL[${#ALL[@]}]="-A SNMP -m state --state NEW -j ssh_restrict" | |
| ALL[${#ALL[@]}]="-A INPUT -p tcp -m tcp --dport 161 -j SNMP" | |
| ALL[${#ALL[@]}]="-A INPUT -p udp -m udp --dport 161 -j SNMP" | |
| ALL[${#ALL[@]}]='-N SNMP_OUT' | |
| ALL[${#ALL[@]}]="-A OUTPUT -p tcp -m tcp --sport 161 -m state --state ESTABLISHED -j SNMP_OUT" | |
| ALL[${#ALL[@]}]="-A OUTPUT -p udp -m udp --sport 161 -m state --state ESTABLISHED -j SNMP_OUT" | |
| ########################### | |
| ###### MySQL | |
| ########################### | |
| ALL[${#ALL[@]}]='-N MySQL' | |
| ALL[${#ALL[@]}]="-A MySQL -m state --state NEW -j ssh_restrict" | |
| ALL[${#ALL[@]}]="-A INPUT -p tcp -m tcp --dport 3306 -j MySQL" | |
| ALL[${#ALL[@]}]='-N MySQL_OUT' | |
| ALL[${#ALL[@]}]="-A OUTPUT -p tcp -m tcp --sport 3306 -m state --state ESTABLISHED -j MySQL_OUT" | |
| ########################### | |
| ###### CORE | |
| ########################### | |
| ALL[${#ALL[@]}]="-A INPUT -p icmp -m state --state NEW -j ACCEPT" | |
| ALL[${#ALL[@]}]="-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" | |
| ALL[${#ALL[@]}]='-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7' | |
| ALL[${#ALL[@]}]="-A INPUT -j DROP" | |
| echo "#!/bin/bash" > ./iptables.run.bash | |
| for rule in "${ALL[@]}"; do | |
| echo $IPTABLES $rule >> ./iptables.run.bash | |
| echo $IP6TABLES $rule >> ./iptables.run.bash | |
| done | |
| for rule in "${V4[@]}"; do | |
| echo $IPTABLES $rule >> ./iptables.run.bash | |
| done | |
| for rule in "${V6[@]}"; do | |
| echo $IP6TABLES $rule >> ./iptables.run.bash | |
| done | |
| echo >> ./iptables.run.bash | |
| chmod u+x ./iptables.run.bash |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment