@parabuzzle
Created March 19, 2009 23:35
#!/bin/bash
#
### BEGIN INIT INFO
# Provides: iptables-config
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: load and unload iptables config
# Description: loads the firewall.config file into iptables and flushes iptables
### END INIT INFO
conf="/etc/firewall.config"

case "$1" in
  start)
    sh "$conf"
    ;;
  stop|flush)
    # Open the firewall: reset every policy to ACCEPT and remove all rules.
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    ;;
  reload|restart)
    # -F does not touch policies, so INPUT stays DROP with no rules until the
    # config re-adds the ESTABLISHED,RELATED rule: live sessions stall for the
    # duration of the reload.
    iptables -F
    sh "$conf"
    ;;
  *)
    echo "Usage: $0 start|stop|flush|reload|restart"
    exit 1
    ;;
esac
# /etc/firewall.config: the rule file the init script above runs with "sh $conf".
# Assumes eth0 is the external (Internet-facing) interface and eth1 the internal one.

# Default policy: drop inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Flush the current chains (policies stay DROP while the rules below are re-added,
# so in-flight connections are blocked until the ESTABLISHED rule is back)
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat

# Keep established connections (don't lock your ass out of the box when you screw up)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anti-spoofing: a packet arriving on the external interface with an internal or
# loopback source address cannot be legitimate, so drop it
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

# ssh (reachable from any source here; narrow -s to known admin networks where possible)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# web traffic
iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # ssl
iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # standard

# mail traffic
iptables -A INPUT -p tcp --dport 25 -j ACCEPT   # smtp
iptables -A INPUT -p tcp --dport 587 -j ACCEPT  # smtp submission
iptables -A INPUT -p tcp --dport 465 -j ACCEPT  # smtp over ssl
iptables -A INPUT -p tcp --dport 110 -j ACCEPT  # pop3
iptables -A INPUT -p tcp --dport 995 -j ACCEPT  # pop3 over ssl
iptables -A INPUT -p tcp --dport 143 -j ACCEPT  # imap
iptables -A INPUT -p tcp --dport 993 -j ACCEPT  # imap over ssl

# snmp: open to any source here; SNMP v1/v2c is protected only by a community
# string, so limit -s to the monitoring host unless it is filtered upstream
iptables -A INPUT -p tcp --dport 161 -j ACCEPT  # tcp
iptables -A INPUT -p udp --dport 161 -j ACCEPT  # udp

# allow ping (ICMP echo request) to the host for monitoring
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# Explicit catch-all drops; anything else falls through to the INPUT DROP policy
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p tcp --syn -j DROP
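Added example, not the gist's own code: the same INPUT policy rendered as an iptables-restore ruleset so it can be swapped in atomically instead of being rebuilt rule by rule behind a DROP policy. The interfaces, the 192.168.0.0/24 network and the port list come from the gist; the variable and function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: render the gist's INPUT policy as an
# iptables-restore ruleset so it can be loaded atomically. The init script's
# reload path runs "iptables -F" and then re-adds rules one by one while the
# INPUT policy is already DROP, so live sessions stall until the
# ESTABLISHED,RELATED rule is back; iptables-restore replaces the whole table
# in one step. Interfaces, network and ports are taken from the gist; the
# variable names and functions here are this example's own.
EXT_IF="${EXT_IF:-eth0}"          # external interface (gist: eth0)
INT_IF="${INT_IF:-eth1}"          # internal interface (gist: eth1)
INTERNAL_NET="192.168.0.0/24"     # internal network, spoofed if seen on EXT_IF
TCP_PORTS="22 443 80 25 587 465 110 995 143 993 161"
UDP_PORTS="161"

# Emit the ruleset in iptables-save format (filter table only, as in the gist).
gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    for ifc in "$EXT_IF" "$INT_IF"; do
        printf '%s\n' "-A INPUT -i $ifc -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # anti-spoofing: internal or loopback source address on the external interface
    printf '%s\n' "-A INPUT -i $EXT_IF -s $INTERNAL_NET -j DROP" \
                  "-A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP"
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p icmp --icmp-type 8 -j ACCEPT' \
                  '-A INPUT -p udp -j DROP' \
                  '-A INPUT -p tcp --syn -j DROP' \
                  'COMMIT'
}

# Number of rules appended to INPUT; a cheap sanity check before loading.
count_input_rules() {
    gen_rules | grep -c '^-A INPUT '
}

# iptables-restore parses the entire file before touching the kernel and
# rejects it whole on a syntax error, so a typo cannot leave a half-applied
# policy the way a failing line in the gist's config can.
apply_rules() {
    gen_rules | iptables-restore
}
```

Run `gen_rules` alone to review the generated file before calling `apply_rules` as root.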