A simple script to lock down your Ubuntu (or other Linux) server with an iptables firewall. It filters outbound traffic as well, so be sure to add rules for any services the server needs to reach. Also set your preferred SSH port.
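#!/bin/bash
# Lock down an IPv4 host with iptables: flush every table, set all three
# built-in chains to policy DROP, then allow only the services listed below.
# Outbound traffic is filtered as well, so every remote service this host
# must reach needs an explicit OUTPUT/INPUT pair.
#
# Tunables (override through the environment, e.g. SSH_PORT=2222 ./fw.sh):
#   IFACE       - external interface (default: eth0)
#   SSH_PORT    - port sshd listens on (default: 22)
#   VPN_SUBNET  - OpenVPN client subnet allowed to be forwarded (default: 10.8.0.0/24)
#
# NOTE: only the IPv4 tables are touched; ip6tables is left exactly as it was.
# Deliberately NOT 'set -e': aborting halfway would leave the chains at policy
# DROP with only part of the allow-list installed.  Failures are reported on
# stderr and reflected in the exit status instead.
set -u

IPT="/sbin/iptables"
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"

# Server IP with prefix length (e.g. 192.0.2.10/24).  Informational only:
# no rule below uses it.
SERVER_IP="$(ip addr show "$IFACE" | grep 'inet ' | awk '{ print $2 }')"
# Your DNS servers you use: cat /etc/resolv.conf
DNS_SERVER="8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220"
# Allow connections to this package servers.
# iptables resolves these hostnames ONCE, when the rule is inserted, and
# installs one rule per A record; mirrors that change addresses later will
# silently stop being reachable until the script is re-run.
PACKAGE_SERVER="ftp.us.debian.org security.debian.org archive.ubuntu.com security.ubuntu.com ppa.launchpad.net"

# Pre-flight checks run BEFORE anything is flushed so a misconfigured
# invocation cannot leave the host half-firewalled.
if [[ "$EUID" -ne 0 ]]; then
  printf 'this script must be run as root\n' >&2
  exit 1
fi
if [[ ! -x "$IPT" ]]; then
  printf '%s not found or not executable\n' "$IPT" >&2
  exit 1
fi

failed=0
#######################################
# Run one iptables command.
# Arguments: iptables arguments, passed through verbatim
# Outputs:   failure diagnostics on stderr
# Globals:   IPT (read), failed (incremented on error)
#######################################
rule() {
  "$IPT" "$@" || {
    printf 'iptables %s failed (status %d)\n' "$*" "$?" >&2
    failed=$((failed + 1))
  }
}

echo "flush iptable rules"
rule -F
rule -X
rule -t nat -F
rule -t nat -X
rule -t mangle -F
rule -t mangle -X

echo "Set default policy to 'DROP'"
rule -P INPUT DROP
rule -P FORWARD DROP
rule -P OUTPUT DROP

echo "Set local DHCP"
# DHCP uses 67 (server) and 68 (client) in both directions.  An earlier
# revision had '--dport 67:78', which also opened UDP 69-78 (tftp among them).
rule -A INPUT -i "$IFACE" -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

## This should be one of the first rules.
## so dns lookups are already allowed for your other rules
## (the PACKAGE_SERVER hostnames below cannot be resolved otherwise).
for ip in $DNS_SERVER; do
  echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
  rule -A OUTPUT -p udp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  rule -A INPUT -p udp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
  rule -A OUTPUT -p tcp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  rule -A INPUT -p tcp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
done

echo "allow all and everything on localhost"
rule -A INPUT -i lo -j ACCEPT
rule -A OUTPUT -o lo -j ACCEPT

for ip in $PACKAGE_SERVER; do
  for port in 21 80 443; do
    echo "Allow connection to '$ip' on port $port"
    rule -A OUTPUT -p tcp -m tcp -d "$ip" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    rule -A INPUT -p tcp -m tcp -s "$ip" --sport "$port" -m state --state ESTABLISHED -j ACCEPT
  done
done

#######################################################################################################
## Global iptable rules. Not IP specific
echo "Allowing new and established incoming connections to port 21, 80, 443"
rule -A INPUT -p tcp -m multiport --dports 21,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
rule -A OUTPUT -p tcp -m multiport --sports 21,80,443 -m state --state ESTABLISHED -j ACCEPT

echo "Allowing new and established OpenVPN connections to port 1194 udp"
rule -A INPUT -p udp -m udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
rule -A OUTPUT -p udp -m udp --sport 1194 -m state --state ESTABLISHED -j ACCEPT

echo "Allow incomming ssh connections to port $SSH_PORT"
rule -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
rule -A OUTPUT -p tcp --sport "$SSH_PORT" -m state --state ESTABLISHED -j ACCEPT

# Outbound ICMP may open new "connections"; inbound ICMP is only accepted as
# a reply to something we sent, so the host does not answer unsolicited pings.
echo "Allow outgoing icmp connections (pings,...)"
rule -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
rule -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# NTP is allowed to ANY destination; pin it to your time servers if possible.
echo "Allow outgoing connections to port 123 (ntp syncs)"
rule -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
rule -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

#Enabling Tunnelbears
echo "Allow traffic on the TUN interface"
rule -A INPUT -i tun0 -j ACCEPT
rule -A OUTPUT -o tun0 -j ACCEPT

# Allow forwarding traffic only from the VPN.
# A blanket '-A FORWARD -i tun0 -j ACCEPT' used to precede this rule, which
# accepted every source on tun0 first and made the subnet restriction
# unreachable; it has been dropped so the restriction actually applies.
rule -A FORWARD -i tun0 -o "$IFACE" -s "$VPN_SUBNET" -j ACCEPT
rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log before dropping (rate-limited so a flood cannot fill the log).
rule -A FORWARD -j LOG -m limit --limit 12/min --log-level 4 --log-prefix "IP FORWARD drop: "
rule -A FORWARD -j DROP
rule -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: '
rule -A INPUT -j DROP
rule -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: '
rule -A OUTPUT -j DROP

if (( failed > 0 )); then
  printf '%d iptables command(s) failed; inspect "%s -L -n -v" before relying on this ruleset\n' "$failed" "$IPT" >&2
  exit 1
fi
exit 0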