Basic security with iptables (IPv4 only)
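#!/bin/bash
# Basic host firewall with iptables (IPv4 only).
#
# Flushes the filter, nat and mangle tables, sets INPUT/FORWARD/OUTPUT to
# DROP, and then opens only:
#   - loopback traffic in both directions,
#   - inbound TCP on SSH_PORTS and WEB_PORTS (and the matching replies),
#   - outbound DNS (udp/53), restricted to DNS_NAMESERVERS when that is set,
#   - outbound NTP (udp/123) to NTP_NAMESERVERS, when that is set,
#   - ICMP echo request/reply in both directions,
#   - outbound HTTP/HTTPS to PKG_NAMESERVERS (package mirrors), when set.
#
# Needs the privileges required to change iptables rules (normally root).
# Only the IPv4 tables are touched: ip6tables keeps whatever policy it had,
# so IPv6 traffic is not filtered by this script.
# The DROP policies are installed *before* the allow rules, so a failure
# part-way through leaves the host closed rather than open.

readonly FW="/sbin/iptables"
readonly SSH_PORTS="22"
readonly WEB_PORTS="80 443"
# Space-separated resolver addresses. Empty = allow udp/53 to any host.
readonly DNS_NAMESERVERS="8.8.8.8 8.8.4.4"
# Space-separated NTP server addresses. Empty = no NTP rules at all.
readonly NTP_NAMESERVERS=""
# Package mirrors. iptables resolves a hostname once, when the rule is
# loaded, and adds one rule per returned address; if the mirror's DNS answer
# changes later the script has to be re-run. The DNS rules must already be in
# place for that lookup to succeed, which is why this section comes last.
readonly PKG_NAMESERVERS="ftp.debian.org security.debian.org"

if [[ ! -x "${FW}" ]]; then
  printf '%s: %s is not executable\n' "${0##*/}" "${FW}" >&2
  exit 1
fi

# flush default rules
"${FW}" -t filter -F
"${FW}" -t nat -F
"${FW}" -t mangle -F

# delete user-defined chains
"${FW}" -t filter -X
"${FW}" -t nat -X
"${FW}" -t mangle -X

# set default policy to DROP (fail closed from here on)
"${FW}" -t filter -P INPUT DROP
"${FW}" -t filter -P FORWARD DROP
"${FW}" -t filter -P OUTPUT DROP

# loopback
# With both INPUT and OUTPUT at DROP, anything talking to 127.0.0.1 (local
# resolvers, databases, health checks) would otherwise be cut off.
"${FW}" -t filter -A INPUT -i lo -j ACCEPT
"${FW}" -t filter -A OUTPUT -o lo -j ACCEPT

# ssh, http and https
# allow from outside to inside
# Word-splitting of the port lists is intentional.
# shellcheck disable=SC2086
for port in ${SSH_PORTS} ${WEB_PORTS}; do
  "${FW}" -t filter -A INPUT -p tcp --dport "${port}" -m state --state NEW,ESTABLISHED -j ACCEPT
  "${FW}" -t filter -A OUTPUT -p tcp --sport "${port}" -m state --state ESTABLISHED -j ACCEPT
done

# dns
# allow from inside to outside
if [[ -z "${DNS_NAMESERVERS}" ]]; then
  # No resolver list: any host may be queried on udp/53.
  "${FW}" -t filter -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  "${FW}" -t filter -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
else
  # shellcheck disable=SC2086
  for nameserver in ${DNS_NAMESERVERS}; do
    "${FW}" -t filter -A OUTPUT -d "${nameserver}" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    "${FW}" -t filter -A INPUT -s "${nameserver}" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
  done
fi

# ntp
# allow from inside to outside
if [[ -n "${NTP_NAMESERVERS}" ]]; then
  # shellcheck disable=SC2086
  for nameserver in ${NTP_NAMESERVERS}; do
    "${FW}" -t filter -A OUTPUT -d "${nameserver}" -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    "${FW}" -t filter -A INPUT -s "${nameserver}" -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
  done
fi

# icmp
# allow ping from inside to outside
"${FW}" -t filter -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
"${FW}" -t filter -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# allow ping from outside to inside
"${FW}" -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
"${FW}" -t filter -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# package update or upgrade
# allow from inside to outside
if [[ -n "${PKG_NAMESERVERS}" ]]; then
  # shellcheck disable=SC2086
  for nameserver in ${PKG_NAMESERVERS}; do
    "${FW}" -t filter -A OUTPUT -d "${nameserver}" -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    "${FW}" -t filter -A INPUT -s "${nameserver}" -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED -j ACCEPT
  done
fi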