Last active
December 18, 2015 00:49
iptables firewall for VPS on Debian Squeeze
flush-iptables.sh

```sh
#!/bin/sh
# This file will reset the firewall to allow everything.
#
# Set the default policy
#
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
#
# Set the default policy for the NAT table
#
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
#
# Delete all rules
#
/sbin/iptables -F
/sbin/iptables -t nat -F
#
# Delete all chains
#
/sbin/iptables -X
/sbin/iptables -t nat -X
# End message
```
iptables.firewall.rules

```
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
```
I dropped iptables.firewall.rules into /etc/ and then ran:
Also set it up to start at boot.
flush-iptables.sh just sits in my home directory for usage when troubleshooting something.
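The rules file says the SSH --dport must match sshd_config, and a ruleset loaded with iptables-restore that gets this or the rule ordering wrong locks you out. The script below is an added example, not part of the gist: it embeds a copy of this ruleset plus a constructed sshd_config snippet and lints the INPUT chain before you hand it to iptables-restore.

```python
import re

# Constructed copy of the gist's iptables.firewall.rules, used as sample input
RULES = """*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
"""

def sshd_port(sshd_config):
    """Return the Port declared in sshd_config text, or 22 when none is set."""
    for line in sshd_config.splitlines():
        m = re.match(r"\s*Port\s+(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return 22

def check_rules(rules, ssh_port):
    """Return a list of problems with the INPUT chain; an empty list means it passes."""
    inp = [ln for ln in rules.splitlines() if ln.startswith("-A INPUT")]
    problems = []
    # Loopback must be accepted before the 127/8 reject, or local services break.
    lo = next((i for i, r in enumerate(inp) if "-i lo -j ACCEPT" in r), None)
    rej = next((i for i, r in enumerate(inp) if "127.0.0.0/8" in r), None)
    if lo is None or (rej is not None and rej < lo):
        problems.append("loopback ACCEPT missing or placed after the 127/8 REJECT")
    # The state ACCEPT should precede per-port rules so return traffic is matched early.
    est = next((i for i, r in enumerate(inp) if "ESTABLISHED,RELATED" in r), None)
    port = next((i for i, r in enumerate(inp) if "--dport" in r), None)
    if est is None or (port is not None and est > port):
        problems.append("ESTABLISHED,RELATED ACCEPT missing or after per-port rules")
    # The SSH ACCEPT must use the port sshd listens on, otherwise reloading locks you out.
    if not any("-p tcp" in r and "-j ACCEPT" in r and re.search(rf"--dport {ssh_port}\b", r) for r in inp):
        problems.append(f"no tcp ACCEPT for port {ssh_port}, which sshd listens on")
    # Every LOG rule needs a rate limit so a flood cannot fill the log.
    problems += ["LOG rule without -m limit: " + r for r in inp if "-j LOG" in r and "-m limit" not in r]
    # The catch-all DROP must be the last INPUT rule; anything after it is dead.
    if not inp or inp[-1] != "-A INPUT -j DROP":
        problems.append("INPUT chain does not end with a catch-all DROP")
    return problems
```

Run `check_rules(open("/etc/iptables.firewall.rules").read(), sshd_port(open("/etc/ssh/sshd_config").read()))` on the real files; an empty list means the ruleset is safe to load.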