Last active
December 24, 2021 08:39
-
-
Save trevorparker/5971903 to your computer and use it in GitHub Desktop.
A basic starting template for iptables firewall rules.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| ### | |
| # IPv4 | |
| ### | |
| # Flush and remove chains | |
| /sbin/iptables -F | |
| /sbin/iptables -X | |
| # Set default policies | |
| /sbin/iptables --policy INPUT DROP | |
| /sbin/iptables --policy OUTPUT ACCEPT | |
| /sbin/iptables --policy FORWARD DROP | |
| # Allow existing connections | |
| /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Allow local loopback interface traffic | |
| /sbin/iptables -A INPUT -i lo -j ACCEPT | |
| /sbin/iptables -A OUTPUT -o lo -j ACCEPT | |
| # Allow ICMP | |
| /sbin/iptables -A INPUT -p icmp -j ACCEPT | |
| # Goodies and baddies chains | |
| /sbin/iptables -N GOODIES | |
| /sbin/iptables -N BADDIES | |
| # Filter through GOODIES whitelist | |
| /sbin/iptables -A INPUT -j GOODIES | |
| # Filter through BADDIES blacklist | |
| /sbin/iptables -A INPUT -j BADDIES | |
| # Ratelimit SSH to 3 per minute | |
| /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP | |
| /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set | |
| /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT | |
| # Web server | |
| # /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT | |
| # /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT | |
| # NTP server | |
| # /sbin/iptables -A INPUT -p udp --dport 123 -j ACCEPT | |
| # Mosh | |
| # /sbin/iptables -A INPUT -p udp --dport 60000:61000 -j ACCEPT | |
| ### | |
| # IPv6 | |
| ### | |
| # Flush and remove chains | |
| /sbin/ip6tables -F | |
| /sbin/ip6tables -X | |
| # Set default policies | |
| /sbin/ip6tables --policy INPUT DROP | |
| /sbin/ip6tables --policy OUTPUT ACCEPT | |
| /sbin/ip6tables --policy FORWARD DROP | |
| # Allow existing connections | |
| /sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Allow local loopback interface traffic | |
| /sbin/ip6tables -A INPUT -i lo -j ACCEPT | |
| /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT | |
| # Allow ICMP | |
| /sbin/ip6tables -A INPUT -p icmpv6 -j ACCEPT | |
| # Goodies and baddies chains | |
| /sbin/ip6tables -N GOODIES | |
| /sbin/ip6tables -N BADDIES | |
| # Filter through GOODIES whitelist | |
| /sbin/ip6tables -A INPUT -j GOODIES | |
| # Filter through BADDIES blacklist | |
| /sbin/ip6tables -A INPUT -j BADDIES | |
| # Ratelimit SSH to 3 per minute | |
| /sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP | |
| /sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set | |
| /sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT | |
| # Web server | |
| # /sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT | |
| # /sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT | |
| # NTP server | |
| # /sbin/ip6tables -A INPUT -p udp --dport 123 -j ACCEPT | |
| # Mosh | |
| # /sbin/ip6tables -A INPUT -p udp --dport 60000:61000 -j ACCEPT | |
| /sbin/iptables-save > /etc/iptables.up.rules | |
| /sbin/ip6tables-save > /etc/ip6tables.up.rules | |
| cat <<EOF > /etc/network/if-pre-up.d/iptables | |
| #!/bin/sh | |
| /sbin/iptables-restore < /etc/iptables.up.rules | |
| /sbin/ip6tables-restore < /etc/ip6tables.up.rules | |
| EOF | |
| chmod +x /etc/network/if-pre-up.d/iptables | |
| cat <<EOF > /etc/network/if-post-down.d/iptables | |
| #!/bin/sh | |
| /sbin/iptables-save > /etc/iptables.up.rules | |
| /sbin/ip6tables-save > /etc/ip6tables.up.rules | |
| EOF | |
| chmod +x /etc/network/if-post-down.d/iptables |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment