@ryanthegiantlion
Created December 24, 2015 19:29
Firewall rules I used on my single node elasticsearch instance
# flush existing rules
iptables -F
ip6tables -F
# ssh rules. Always add these first, otherwise the catch-all DROP rules below cut off the session applying the script.
# TODO: Consider rate limiting? (e.g http://www.digitalsanctuary.com/tech-blog/debian/using-iptables-to-prevent-ssh-brute-force-attacks.html)
# Still need to read up on implications...
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A OUTPUT -p tcp --sport ssh -j ACCEPT
# allow elasticsearch traffic from these hosts
iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT
iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT
iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT
iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT
iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT
iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT
# allow all on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow host to be pinged
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# outgoing dns rules
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# new relic monitoring (script runs as root like the rest of the rules, so no sudo prefix)
iptables -A OUTPUT -d 162.247.240.0/22 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 50.31.164.0/24 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 162.247.240.0/22 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 50.31.164.0/24 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 162.247.240.0/22 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 50.31.164.0/24 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 162.247.240.0/22 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 50.31.164.0/24 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# drop all other packets
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
# drop all ipv6
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j DROP
ip6tables -A FORWARD -j DROP
# persist firewall rules: save both tables, otherwise the ip6tables DROP rules are lost on reboot
iptables-save > /etc/iptables.conf
ip6tables-save > /etc/ip6tables.conf
# rc.local must be an executable script with a shebang; write it whole rather than clobbering it with a bare command
printf '#!/bin/sh\niptables-restore < /etc/iptables.conf\nip6tables-restore < /etc/ip6tables.conf\nexit 0\n' > /etc/rc.local
chmod +x /etc/rc.local
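A post-restore audit to pair with a ruleset like this one, added here as an example and not part of the gist: it reads an iptables-save dump and checks that every INPUT ACCEPT for 9200:9300 is pinned to a 10.x.x.x source and that the SSH ACCEPT precedes the catch-all INPUT DROP. The two dumps are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Constructed iptables-save dumps (not captured from the author's host).
# iptables-save renders "--dport ssh" as "--dport 22".
GOOD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.2.3/32 -p tcp -m tcp --dport 9200:9300 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -j DROP
-A FORWARD -j DROP
COMMIT'

# Same idea with the source filter dropped and the SSH rule appended after the DROP.
BAD='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 9200:9300 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# exposed_es_rules DUMP: print every INPUT rule accepting 9200:9300 without a 10.x.x.x source.
exposed_es_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /--dport 9200:9300/ && /-j ACCEPT/ &&
        $0 !~ /-s 10\.[0-9]+\.[0-9]+\.[0-9]+/ { print }'
}

# ssh_accept_before_drop DUMP: succeed only if an SSH ACCEPT precedes "-A INPUT -j DROP".
ssh_accept_before_drop() {
    verdict=$(printf '%s\n' "$1" | awk '
        /^-A INPUT / && /--dport 22 / && /-j ACCEPT/ { seen = 1 }
        /^-A INPUT -j DROP$/ && !done { print (seen ? "ok" : "locked-out"); done = 1 }
        END { if (!done) print "no-catch-all-drop" }')
    [ "$verdict" = "ok" ]
}

# Against the live host: exposed_es_rules "$(iptables-save)"
exposed_es_rules "$GOOD"                                   # prints nothing
ssh_accept_before_drop "$GOOD" && echo "GOOD: ssh accepted before DROP"
exposed_es_rules "$BAD"                                    # prints the unrestricted rule
ssh_accept_before_drop "$BAD" || echo "BAD: ssh would be cut off"
```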