Bash script for setting up your firewall. It supports whitelisting and blacklisting.
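#!/usr/bin/env bash
#
# IPTABLES FIREWALL
# -----------------
# Script for setting your iptables firewall. Configure the variables to your
# liking and start the firewall. Copy the file to `/usr/local/sbin` or the
# directory of your choice.
#
# Usage: `./firewall.sh [restart|start|stop|status]`
#
# Copyright (c) 2013 T. Zengerink
# Licensed under MIT License.
# See: https://gist.github.com/raw/3151357/6806e68cb9cc0042b265f25be9bc25dd39f75267/LICENSE.md
#
# `set -e` is set here rather than in the shebang: a shebang option is lost
# when the script is invoked as `bash firewall.sh`, and every iptables call
# below relies on the script aborting at the first failed command.
set -e
## IP/SUBNET CONFIGURATION
#
# Addresses dropped silently on INPUT, whether they appear as source or
# destination.
BROADCAST=( 255.255.255.255 )
## WHITE-/BLACKLISTING
#
# WHITELIST sources may reach the WHITELIST_OPEN_* ports in addition to the
# generally open ones; BLACKLIST sources are logged and dropped before any
# port rule is consulted.
WHITELIST=( 192.168.1.0/24 )
BLACKLIST=()
## PORT CONFIGURATION
#
# Ports reachable only from WHITELIST sources.
WHITELIST_OPEN_TCP=()
WHITELIST_OPEN_UDP=()
# Ports reachable from any source.
OPEN_TCP=()
OPEN_UDP=()
## IP TABLES CONFIGURATION
#
# `command -v` is the portable replacement for `which`. Fall back to the bare
# command name so a missing binary fails loudly at the first call instead of
# leaving IPT empty.
IPT="$(command -v iptables)" || IPT=iptables
RULES="/etc/iptables/iptables.rules"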
## FLUSH FIREWALL SETTINGS
#
flush_firewall(){
  # Empty every chain of the filter table (-F), then delete the now-empty
  # user-defined chains (-X). Only the filter table is touched, and the
  # built-in chain policies are left as they were.
  local flag
  for flag in -F -X; do
    "$IPT" "$flag"
  done
}
## SAVE FIREWALL SETTINGS
# Your Linux distribution might handle these commands differently.
#
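save_firewall(){
  # Persist the live rule set so it survives a reboot, then ask the iptables
  # service to re-read it. Both the rules path (RULES) and the unit name are
  # distribution specific; adjust them to match the local setup. Note that
  # "stop" also calls this, so an all-ACCEPT state is persisted as well.
  iptables-save > "$RULES"
  systemctl reload iptables
}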
## SHOW FIREWALL STATUS
#
status_firewall(){
  # List the filter table verbosely (-v: counters and interfaces) without
  # resolving names (-n).
  local -a list_args=(-vnL)
  "$IPT" "${list_args[@]}"
}
## STOP FIREWALL
#
stop_firewall(){
  # Reset every built-in filter chain to ACCEPT. Combined with the preceding
  # flush this leaves the host with no filtering at all, which is what
  # "stop" means here.
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    "$IPT" -P "$chain" ACCEPT
  done
}
## START FIREWALL
#
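start_firewall(){
  # Build the filter table from the configuration arrays. Expects
  # flush_firewall to have run first: -N fails if a chain already exists,
  # and with -e that aborts the script.
  local src port
  "$IPT" -N LOGDROP
  "$IPT" -N TCP
  "$IPT" -N UDP
  # Policies are set before the rules so that, should a later command fail
  # and abort the script, the host is left closed rather than open.
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P INPUT DROP
  # Logdrop: rate-limited LOG (5/min, burst 10) followed by DROP.
  "$IPT" -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
  "$IPT" -A LOGDROP -j DROP
  # Initial setup: keep existing connections and loopback working, log and
  # drop packets conntrack cannot classify, allow echo requests.
  "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A INPUT -m conntrack --ctstate INVALID -j LOGDROP
  "$IPT" -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  # Block all broadcast packets (silently, no log).
  for src in "${BROADCAST[@]}"; do
    "$IPT" -A INPUT -s "$src" -j DROP
    "$IPT" -A INPUT -d "$src" -j DROP
  done
  # Log and drop all traffic from blacklisted sources. This precedes the
  # TCP/UDP dispatch below, so a blacklisted address never reaches a port rule.
  for src in "${BLACKLIST[@]}"; do
    "$IPT" -A INPUT -s "$src" -j LOGDROP
    "$IPT" -A INPUT -d "$src" -j LOGDROP
  done
  # Send new TCP / UDP connections through their own chain. Anything those
  # chains do not ACCEPT falls back to the INPUT policy (DROP).
  "$IPT" -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
  "$IPT" -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  # Open the whitelist-only ports for whitelisted sources. Every element of
  # WHITELIST_OPEN_UDP is used; the previous "$WHITELIST_OPEN_UDP" expansion
  # only ever opened the first UDP port.
  for src in "${WHITELIST[@]}"; do
    for port in "${WHITELIST_OPEN_TCP[@]}"; do
      "$IPT" -A TCP -p tcp -s "$src" --dport "$port" -j ACCEPT
    done
    for port in "${WHITELIST_OPEN_UDP[@]}"; do
      "$IPT" -A UDP -p udp -s "$src" --dport "$port" -j ACCEPT
    done
  done
  # Accept all traffic on generally open ports.
  for port in "${OPEN_TCP[@]}"; do
    "$IPT" -A TCP -p tcp --dport "$port" -j ACCEPT
  done
  for port in "${OPEN_UDP[@]}"; do
    "$IPT" -A UDP -p udp --dport "$port" -j ACCEPT
  done
}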
## EXECUTE SCRIPT
#
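# Dispatch on the first argument. "restart" and "start" are the same
# operation because the flush makes a fresh start idempotent. "stop" does not
# merely pause filtering: it persists an all-ACCEPT state through
# save_firewall, so the host stays open across reboots until "start" is run.
case "${1:-}" in
  start|restart)
    flush_firewall
    start_firewall
    save_firewall
    ;;
  status)
    status_firewall
    ;;
  stop)
    flush_firewall
    stop_firewall
    save_firewall
    ;;
  *)
    # Usage errors belong on stderr; printf avoids echo's option handling.
    printf 'Usage: %s [restart|start|stop|status]\n' "$0" >&2
    exit 1
    ;;
esac
exit 0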