@w2ak
Last active November 4, 2017 11:14
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
# Input requests setup
## Accept every local input (packets coming in on the loopback interface)
-A INPUT -i lo -j ACCEPT
## Keep accepting already established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## Reject invalid packets
-A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-host-unreachable
## Accept ping (useful to test that your server is reachable with 'ping')
-A INPUT -p icmp -j ACCEPT
## Accept SSH, i.e., new TCP connections on port 22
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
## Log every denied input but limit the number of messages
## You can read these logs with the command 'dmesg -w'
-A INPUT -m limit --limit 30/min -j LOG --log-prefix "iptables INPUT denied: " --log-level 7
# Right now every forward request will be denied
## Log every denied forward but limit the number of messages
-A FORWARD -m limit --limit 30/min -j LOG --log-prefix "iptables FORWARD denied: " --log-level 7
COMMIT
#!/bin/sh
CURRENTSCRIPT=$(readlink -f "$0")
CURRENTPATH=$(dirname "$CURRENTSCRIPT")
# Marker file: once it exists, the restore below is skipped until the next boot.
# Note that /tmp is world-writable, so any local user can create this file
# ahead of the script and keep the rules from being loaded; a root-owned
# directory that is cleared at boot (such as /run) is a safer location.
OKFILE=/tmp/root_firewall_restore_sh.ok
# if iptables already restored since last boot, don't touch
if [ -f "$OKFILE" ]; then
    exit 0
else
    touch "$OKFILE"
fi
# restore iptables (abort on the first failing command)
set -e
echo "$(date) WAS CALLED 0:$CURRENTSCRIPT CURRENTPATH:$CURRENTPATH" >> /root/call.log
iptables-restore < "$CURRENTPATH/iptables.rules"
# enabling forwarding is necessary if you have a VPN
# sysctl -w net.ipv4.conf.all.forwarding=1 >/dev/null 2>/dev/null
# do not forget the ipv6 firewall if your server is ipv6 enabled
# ip6tables-restore < "$CURRENTPATH/ip6tables.rules"
set +e
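A pre-flight check for the rules file, added here as an example and not part of the gist: `iptables-restore` replaces the whole live ruleset at once, so a typo or a policy accidentally left at ACCEPT goes straight into production. The `check_rules` function (my own name; the sample rules files are constructed inline) confirms that the file is a complete `*filter` table with `COMMIT`, that INPUT and FORWARD default to DROP, that loopback and RELATED,ESTABLISHED traffic are accepted, and that no LOG rule sits ahead of the conntrack accept (which would log every packet of every established flow). It runs with plain POSIX sh and grep, so it can be called from the restore script before `iptables-restore`.

```shell
#!/bin/sh
# Added example, not code from the gist: lint an iptables-save style rules
# file before handing it to iptables-restore. Function and file names are
# assumptions for this example.

# check_rules FILE
# Returns 0 when FILE looks like a sane default-deny filter table:
#   - opens a *filter table and closes it with COMMIT
#   - sets the INPUT and FORWARD chain policies to DROP
#   - accepts loopback traffic and RELATED,ESTABLISHED conntrack states
#   - places the RELATED,ESTABLISHED accept before any LOG rule
# Prints the first failing check to stderr and returns 1 otherwise.
check_rules() {
    f=$1
    [ -r "$f" ] || { echo "check_rules: cannot read $f" >&2; return 1; }

    grep -q '^\*filter$' "$f" \
        || { echo "check_rules: no *filter table" >&2; return 1; }
    grep -q '^COMMIT$' "$f" \
        || { echo "check_rules: missing COMMIT" >&2; return 1; }
    grep -q '^:INPUT DROP' "$f" \
        || { echo "check_rules: INPUT policy is not DROP" >&2; return 1; }
    grep -q '^:FORWARD DROP' "$f" \
        || { echo "check_rules: FORWARD policy is not DROP" >&2; return 1; }
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "check_rules: loopback traffic not accepted" >&2; return 1; }

    # Line numbers of the conntrack accept and of the first LOG rule;
    # an empty value means that rule is absent.
    est=$(grep -n -- '--ctstate RELATED,ESTABLISHED -j ACCEPT' "$f" | head -n1 | cut -d: -f1)
    log=$(grep -n -- '-j LOG' "$f" | head -n1 | cut -d: -f1)
    [ -n "$est" ] \
        || { echo "check_rules: no RELATED,ESTABLISHED accept" >&2; return 1; }
    if [ -n "$log" ] && [ "$log" -lt "$est" ]; then
        echo "check_rules: LOG rule precedes the conntrack accept (would log every packet)" >&2
        return 1
    fi
    return 0
}

# Constructed sample rules files so the example runs stand-alone.
GOOD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 30/min -j LOG --log-prefix "iptables INPUT denied: " --log-level 7
COMMIT
EOF

# The same ruleset with the INPUT policy left at ACCEPT: the LOG rule still
# fires, but every unmatched packet is let through.
BAD_RULES=$(mktemp)
sed 's/^:INPUT DROP/:INPUT ACCEPT/' "$GOOD_RULES" > "$BAD_RULES"

# Usage: only hand the file to iptables-restore once the check passes.
if check_rules "$GOOD_RULES"; then
    echo "good rules: ok (would now run: iptables-restore < $GOOD_RULES)"
fi
check_rules "$BAD_RULES" || echo "bad rules: rejected, live firewall left untouched"
```

Wiring it into the restore script is a one-line guard, `check_rules "$CURRENTPATH/iptables.rules" || exit 1`, placed before `iptables-restore`; because the script already runs under `set -e`, a failed check stops the run before the live table is replaced.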