Netfilter rules by feature script

v4-features.sh

#!/bin/sh

# Extremely-basic Netfilter conditional rule loading example.
# This uses a pipeline to iptables-restore(8) for atomic loading.

# In particular, only the filter table is adjusted.

# Available under the BSD 3-clause license in the hopes this may be a useful
# example or template.
# http://opensource.org/licenses/BSD-3-Clause


# Start a compound shell statement that will feed output to the
# iptables-restore(8) command at the bottom of this script:
{

# First, set up some "operational" switches. 0=OFF, 1=ON
SVR_HTTP=0
SVR_HTTPS=0
SVR_DNS=0
ALLOW_PING=1

##
## Set up the filter table

# Table + default policies:
echo '*filter'
echo ':INPUT DROP'
echo ':FORWARD DROP'
echo ':OUTPUT ACCEPT'

# Act as a stateful firewall, allowing traffic that is established or related
# to things we've already accepted to pass:
echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

# Then, conditionally allow more based on program-settings:
[ "$SVR_HTTP" -eq 1 ] && echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
[ "$SVR_HTTPS" -eq 1 ] && echo '-A INPUT -p tcp --dport 443 -j ACCEPT'
if [ "$SVR_DNS" -eq 1 ]; then
	echo '-A INPUT -p udp --dport 53 -j ACCEPT'
	echo '-A INPUT -p tcp --dport 53 -j ACCEPT'
fi
[ "$ALLOW_PING" -eq 1 ] && echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'

# End the filter table definition:
echo 'COMMIT'

# Finally, close the compound statement and feed the pipeline into
# iptables-restore(8) for atomic processing.
} | iptables-restore