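#!/bin/bash
#
### BEGIN INIT INFO
# Provides:          iptables-config
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: load and unload iptables config
# Description:       loads the firewall.config file into iptables and flushes iptables
### END INIT INFO
#
# Usage: iptables-config start|stop|flush|reload|restart
#
# The rule set itself lives in $conf, a plain shell script of iptables
# commands that start/reload/restart execute (as root) with sh.

# -e: a failing iptables call aborts instead of leaving the host half-configured
#     with a zero exit status; -u: catch typos in variable names.
set -eu

# Rule script executed by load_config. Its contents run as root, so it should
# be root-owned and not writable by anyone else (not verified here).
conf="/etc/firewall.config"

#######################################
# Print a diagnostic to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Put the filter table into a permissive state: ACCEPT policies on
# INPUT/FORWARD/OUTPUT and all filter chains flushed. The nat table is left
# alone; only the rule script flushes it.
#######################################
open_firewall() {
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -F
}

#######################################
# Run the rule script. Refuses to proceed if $conf is missing, so a typo in the
# path fails loudly instead of silently keeping whatever policy was in place,
# and reports a non-zero exit from the script itself.
# Globals: conf (read)
#######################################
load_config() {
  [[ -f "$conf" ]] || die "rule file $conf not found"
  sh "$conf" || die "loading $conf failed (exit $?)"
}

case "${1:-}" in
  start)
    load_config
    ;;
  stop|flush)
    open_firewall
    ;;
  reload|restart)
    # The rule script resets policies and flushes the chains itself; this
    # explicit flush only matters if $conf is edited not to.
    iptables -F
    load_config
    ;;
  *)
    printf 'Usage: %s start|stop|flush|reload|restart\n' "${0##*/}" >&2
    exit 1
    ;;
esac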
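# /etc/firewall.config -- iptables rule set for the iptables-config init
# script, which runs it as root with "sh /etc/firewall.config". Plain POSIX sh.
#
# Rules are appended (-A) and evaluated top to bottom, so the loopback,
# ESTABLISHED and anti-spoof rules must stay above the per-port ACCEPTs.

# Abort on the first failing iptables call so a partially applied rule set
# surfaces in the init script's exit status instead of being left in place.
set -e

# Change policy to drop for input and forward. Set before the flush so there is
# no instant in which the chains are empty and the policy is still ACCEPT.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Flush the current chains. Between here and the ESTABLISHED rule below the
# policy is DROP with no rules; an existing ssh session normally rides it out
# on TCP retransmission.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat

# Loopback. Without this, a local service connecting to another on 127.0.0.1
# (resolver, database, monitoring agent) hits the DROP policy unless its port
# happens to be opened below.
iptables -A INPUT -i lo -j ACCEPT

# Keep established connections on both NICs (don't lock yourself out of the box
# when you get a rule wrong).
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anti-spoofing: a packet arriving on the external interface (eth0) with an
# internal or loopback source address is forged, so drop it. Only the
# 192.168.0.0/24 LAN is covered; extend if other internal ranges sit behind eth1.
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

# ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# web traffic
iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # ssl
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # standard

# mail traffic (25/110/143 are the clear-text ports; the TLS variants follow)
iptables -A INPUT -p tcp --dport 25 -j ACCEPT    # smtp
iptables -A INPUT -p tcp --dport 587 -j ACCEPT   # smtp submission
iptables -A INPUT -p tcp --dport 465 -j ACCEPT   # smtp over ssl
iptables -A INPUT -p tcp --dport 110 -j ACCEPT   # pop3
iptables -A INPUT -p tcp --dport 995 -j ACCEPT   # pop3 over ssl
iptables -A INPUT -p tcp --dport 143 -j ACCEPT   # imap
iptables -A INPUT -p tcp --dport 993 -j ACCEPT   # imap over ssl

# snmp -- reachable from any source here. SNMP v1/v2c community strings cross
# the wire in clear text, so once the poller's address is known add
# "-s <monitoring-host-ip>" (placeholder) to both rules.
iptables -A INPUT -p tcp --dport 161 -j ACCEPT   # tcp
iptables -A INPUT -p udp --dport 161 -j ACCEPT   # udp

# allow ping to the host for monitoring
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# Explicit catch-all drops for udp and new tcp. Anything not matched above is
# dropped by the INPUT policy anyway; these rules make the dropped-packet
# counters visible in "iptables -L -v" and are the place to hang a LOG rule.
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p tcp --syn -j DROP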