paranoidjk/setup-iptables-on-centos6.sh

## setup-iptables-on-centos6.sh
#!/bin/bash
#
# Step 1: Determine the services and ports used on your server
# I assume that this server will only host a WordPress blog, and it will not be used as a router or provide other services (for example, mail, FTP, IRC, etc.).

# Here, we need the following services:

# HTTP (TCP on port 80)
# HTTPS (TCP on port 443)
# SSH (TCP on port 22 by default, can be changed for security purposes)
# NTP (UDP on port 123)
# DNS (TCP and UDP on port 53)
# ping (ICMP)
# All other unnecessary ports will be blocked.
# Read more at: https://www.vultr.com/docs/setup-iptables-firewall-on-centos-6

#Step 2: Configure iptables rules
# Check the existing rules:
iptables -L -n

#Flush all existing rules:
iptables -F; iptables -X; iptables -Z

#Since changes to iptables configuration will take effect immediately, if you misconfigure the iptables rules, you may become blocked out of your server. You can prevent accidental blockouts with the following command. Remember to replace [Your-IP-Address] with your own public IP address or IP address range (for example, 201.55.119.43 or 201.55.119.0/24).
#iptables -A INPUT -s [Your-IP-Address] -p tcp --dport 22 -j ACCEPT

#Allow all loopback (lo) traffic and drop all traffic to 127.0.0.0/8 other than lo:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT

#Block some common attacks:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#Accept all established inbound connections:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow HTTP and HTTPS inbound traffic:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#Allow SSH connections:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow NTP connections:
iptables -A INPUT -p udp --dport 123 -j ACCEPT

#Allow DNS queries:
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

#Allow ping:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#At last, set the default policies:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Step 3: Save the configurations
#Each of the changes that we made above have taken effect, but they are not permanent. If we don't save them to hard disk, they will be lost once the system reboots.
#Save the iptables configuration with the following command:
service iptables save

#Our changes will be saved in the file /etc/sysconfig/iptables. You can review or modify the rules by editing that file.
#Read more at: https://www.vultr.com/docs/setup-iptables-firewall-on-centos-6
	#!/bin/bash
	#
	# Step 1: Determine the services and ports used on your server
	# I assume that this server will only host a WordPress blog, and it will not be used as a router or provide other services (for example, mail, FTP, IRC, etc.).

	# Here, we need the following services:

	# HTTP (TCP on port 80)
	# HTTPS (TCP on port 443)
	# SSH (TCP on port 22 by default, can be changed for security purposes)
	# NTP (UDP on port 123)
	# DNS (TCP and UDP on port 53)
	# ping (ICMP)
	# All other unnecessary ports will be blocked.
	# Read more at: https://www.vultr.com/docs/setup-iptables-firewall-on-centos-6

	#Step 2: Configure iptables rules
	# Check the existing rules:
	iptables -L -n

	#Flush all existing rules:
	iptables -F; iptables -X; iptables -Z

	#Since changes to iptables configuration will take effect immediately, if you misconfigure the iptables rules, you may become blocked out of your server. You can prevent accidental blockouts with the following command. Remember to replace [Your-IP-Address] with your own public IP address or IP address range (for example, 201.55.119.43 or 201.55.119.0/24).
	#iptables -A INPUT -s [Your-IP-Address] -p tcp --dport 22 -j ACCEPT

	#Allow all loopback (lo) traffic and drop all traffic to 127.0.0.0/8 other than lo:

	iptables -A INPUT -i lo -j ACCEPT
	iptables -A INPUT -d 127.0.0.0/8 -j REJECT

	#Block some common attacks:
	iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
	iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
	iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

	#Accept all established inbound connections:
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	#Allow HTTP and HTTPS inbound traffic:
	iptables -A INPUT -p tcp --dport 80 -j ACCEPT
	iptables -A INPUT -p tcp --dport 443 -j ACCEPT

	#Allow SSH connections:
	iptables -A INPUT -p tcp --dport 22 -j ACCEPT

	#Allow NTP connections:
	iptables -A INPUT -p udp --dport 123 -j ACCEPT

	#Allow DNS queries:
	iptables -A INPUT -p udp --dport 53 -j ACCEPT
	iptables -A INPUT -p tcp --dport 53 -j ACCEPT

	#Allow ping:
	iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

	#At last, set the default policies:
	iptables -P INPUT DROP
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD DROP

	#Step 3: Save the configurations
	#Each of the changes that we made above have taken effect, but they are not permanent. If we don't save them to hard disk, they will be lost once the system reboots.
	#Save the iptables configuration with the following command:
	service iptables save

	#Our changes will be saved in the file /etc/sysconfig/iptables. You can review or modify the rules by editing that file.
	#Read more at: https://www.vultr.com/docs/setup-iptables-firewall-on-centos-6