iptables example
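#!/bin/sh
#
# Basic host firewall rules for IPv4 and IPv6 (iptables / ip6tables).
# Only the filter table is touched; nat, mangle and raw are left alone.
# Must be run as root.
#
# INPUT (policy DROP)
#   ACCEPT everything on the loopback device
#   ACCEPT replies (ESTABLISHED) to the outgoing connections listed below
#   ACCEPT DNS replies from the resolvers named in /etc/resolv.conf
#   ACCEPT the ICMP messages the stack needs: IPv4 errors related to our
#          own connections; IPv6 neighbour discovery and error messages
#   ACCEPT DHCP / DHCPv6 server replies
#   incoming SSH is DISABLED (see allow_incoming_ssh). Running this script
#   over a remote SSH session therefore cuts that session.
#   LOG (rate limited) everything else; the policy then drops it
#
# OUTPUT (policy DROP)
#   ACCEPT new connections to: DNS (listed resolvers only, UDP and TCP),
#          DHCP, NTP, SSH, TCP 22222, HTTP, HTTPS, IMAPS, SMTPS (ssmtp),
#          HKP, git, whois
#   LOG (rate limited) everything else; the policy then drops it
#
# FORWARD (policy DROP)
#   LOG (rate limited) everything; the policy then drops it
#
# Caveats
#   * With a local stub resolver (systemd-resolved, dnsmasq, unbound)
#     /etc/resolv.conf only lists 127.x / ::1, so the stub's upstream
#     servers are NOT allowed by this script and must be added by hand.
#   * "-m state" is the historical spelling of "-m conntrack --ctstate";
#     current iptables accepts both, so it is kept for compatibility.

set -u

resolv_conf="/etc/resolv.conf"
ipt=""    # iptables binary of the address family currently being configured

if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi

# rule ARGS...: run one iptables command for the current family and make a
# failure visible instead of silently leaving a gap in the rule set.
rule() {
  "$ipt" "$@" || printf 'warning: failed: %s %s\n' "$ipt" "$*" >&2
}

# Policies first, then flush. Flushing before setting the DROP policies
# (as the original did) leaves an accept-all window whenever the previous
# policy was ACCEPT. -X also removes leftover user-defined chains.
reset_chains() {
  rule -P INPUT DROP
  rule -P OUTPUT DROP
  rule -P FORWARD DROP
  rule -F
  rule -X
}

allow_loopback() {
  rule -A INPUT -i lo -j ACCEPT
  rule -A OUTPUT -o lo -j ACCEPT
}

# allow_tcp_out SERVICE: we may open TCP connections to SERVICE (a name
# from /etc/services or a port number) on any host; inbound, only packets
# conntrack already knows as replies (ESTABLISHED) are accepted.
allow_tcp_out() {
  rule -A INPUT -p tcp --sport "$1" -m state --state ESTABLISHED -j ACCEPT
  rule -A OUTPUT -p tcp --dport "$1" -m state --state NEW,ESTABLISHED -j ACCEPT
}

# allow_udp_out SERVICE: UDP counterpart of allow_tcp_out.
allow_udp_out() {
  rule -A INPUT -p udp --sport "$1" -m state --state ESTABLISHED -j ACCEPT
  rule -A OUTPUT -p udp --dport "$1" -m state --state NEW,ESTABLISHED -j ACCEPT
}

# allow_dns RESOLVER: DNS to one resolver address. TCP is included because
# resolvers fall back to it for truncated answers (large records, DNSSEC);
# the original allowed UDP only, so those lookups were dropped and logged.
allow_dns() {
  for proto in udp tcp; do
    rule -A INPUT -p "$proto" --sport domain -s "$1" -m state --state ESTABLISHED -j ACCEPT
    rule -A OUTPUT -p "$proto" --dport domain -d "$1" -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}

# IPv4 DHCP: client port 68 (bootpc) -> server port 67 (bootps). Replies are
# commonly broadcast, which conntrack does not pair with the request, so
# they are accepted explicitly instead of relying on ESTABLISHED. (Many DHCP
# clients use packet sockets that bypass netfilter altogether; for them
# these rules are simply unused.)
allow_dhcp4() {
  rule -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
  rule -A INPUT -p udp --sport bootps --dport bootpc -j ACCEPT
}

# DHCPv6 uses UDP 546 (client) and 547 (server) -- not bootps/bootpc, which
# the original IPv6 section had copied from the IPv4 rules.
allow_dhcp6() {
  rule -A OUTPUT -p udp --sport 546 --dport 547 -j ACCEPT
  rule -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
}

# ICMP errors that conntrack ties to one of our connections: destination
# unreachable (including fragmentation-needed, which path MTU discovery
# depends on), time exceeded, etc. Echo requests stay blocked.
allow_icmp4() {
  rule -A INPUT -p icmp -m state --state RELATED -j ACCEPT
}

# Without neighbour discovery IPv6 does not work at all: no router
# advertisements, no address resolution. RFC 4890 section 4.4.1 lists these
# types as ones a host must not filter. ND messages are always sent with
# hop limit 255 (RFC 4861), so requiring it rejects anything that crossed a
# router. Redirects (137) are intentionally not accepted.
allow_icmp6() {
  for t in 134 135 136; do              # RA, NS, NA
    rule -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
  done
  for t in 133 135 136; do              # RS, NS, NA
    rule -A OUTPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
  done
  for t in 1 2 3 4; do                  # dest unreachable, packet too big, time exceeded, parameter problem
    rule -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    rule -A OUTPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  done
}

# Incoming SSH is off. Uncomment the rules to enable it. The original used
# "-m limit", which is a single global counter: one remote host can exhaust
# it and lock every other client out. hashlimit with --hashlimit-mode srcip
# counts per source address, which is what the old comment promised.
allow_incoming_ssh() {
  :
  # rule -A INPUT -p tcp --dport ssh -m state --state ESTABLISHED,RELATED -j ACCEPT
  # rule -A INPUT -p tcp --dport ssh -m state --state NEW \
  #   -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 \
  #   --hashlimit-mode srcip --hashlimit-name ssh-new -j ACCEPT
  # rule -A OUTPUT -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
}

# log_rest TAG: last rule of each chain logs whatever nothing above
# accepted; the DROP policy then discards it. Rate limited because an
# unlimited "-j LOG" (as in the original) lets any remote host fill the
# logs and the disk with junk packets. TAG goes into the log prefix
# (the whole prefix must stay under 29 characters).
log_rest() {
  for chain in INPUT OUTPUT FORWARD; do
    rule -A "$chain" -m limit --limit 10/min --limit-burst 20 \
      -j LOG --log-level info --log-prefix "$1-$chain-DROP: "
  done
}

# IPv4 resolvers from resolv.conf, one per line. 127.x is skipped: a local
# stub is reached over lo, which is open anyway.
resolvers4() {
  perl -nle 'print $1 if /^\s*nameserver\s+(\d{1,3}(?:\.\d{1,3}){3})\b/ && $1 !~ /^127\./' "$resolv_conf"
}

# IPv6 resolvers, one per line, with an optional [...] wrapper and any
# %zone suffix dropped (ip6tables does not accept zone ids); ::1 is skipped.
# The original pattern required exactly four characters before the first
# colon and reused the IPv4 "^127" loopback test.
resolvers6() {
  perl -nle 'print $1 if /^\s*nameserver\s+\[?([0-9a-f]*:[0-9a-f:]+)/i && $1 ne "::1"' "$resolv_conf"
}

# apply_family BINARY TAG ICMP_FN DHCP_FN RESOLVER_FN
# Rule set shared by both families; the family-specific parts (ICMP, DHCP,
# resolver list) are passed in as function names.
apply_family() {
  ipt="$1"
  reset_chains
  allow_loopback
  "$3"
  "$4"
  # One address per line and never containing whitespace, so word splitting
  # of the command substitution is intended here.
  for ns in $("$5"); do
    allow_dns "$ns"
  done
  allow_incoming_ssh
  allow_tcp_out ssh
  # No --sport ntp on OUTPUT: only ntpd binds port 123 locally; chrony,
  # systemd-timesyncd and ntpdate use an ephemeral source port and were
  # blocked by the original rule.
  allow_udp_out ntp
  allow_tcp_out imaps
  allow_tcp_out ssmtp    # SMTP over TLS, port 465
  allow_tcp_out hkp      # OpenPGP HTTP keyserver, port 11371
  allow_tcp_out git
  allow_tcp_out whois
  allow_tcp_out http
  allow_tcp_out https
  allow_tcp_out 22222    # unlabelled in the original; presumably SSH on a non-standard port -- TODO confirm
  log_rest "$2"
}

apply_family /sbin/iptables ipt4 allow_icmp4 allow_dhcp4 resolvers4

# Configure IPv6 only when the kernel has it.
if [ -f /proc/net/if_inet6 ]; then
  apply_family /sbin/ip6tables ipt6 allow_icmp6 allow_dhcp6 resolvers6
fi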