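#!/bin/bash
#
# Minimal IPv4 host firewall: flush every table, default-DROP every chain,
# then allow loopback, established/related traffic, all outbound traffic,
# ping, and a short list of inbound TCP services on the host's addresses.
#
# Must run as root. Only iptables (IPv4) is touched; ip6tables is left as it
# is, so IPv6 traffic is not governed by this script.
#
# The DROP policies are installed before any ACCEPT rule, so the host is
# briefly unreachable while the rules are being added, and stays that way if
# the script aborts in between. Run it from a console or with an out-of-band
# way back in.
set -euo pipefail

iptables="iptables"

# network settings
iface_main="eth0"
iface_vhosts="eth0:0"

#######################################
# Print the IPv4 address ifconfig reports for an interface.
# Parses the legacy net-tools layout ("inet addr:A.B.C.D"); ifconfig
# versions that print "inet A.B.C.D" instead yield nothing here, which the
# callers below treat as "no address".
# Arguments: $1 - interface name
# Outputs:   the address on stdout, nothing if none was found
# Returns:   0 if an address was found, 1 otherwise
#######################################
iface_ip() {
  local addr
  # grep exits 1 when no "inet addr" line exists; under pipefail that is the
  # "no address" case, not a failure of the script.
  addr=$(ifconfig "$1" | grep "inet addr" | cut -d: -f2 | cut -d" " -f1) || true
  [[ -n "$addr" ]] || return 1
  printf '%s\n' "$addr"
}

# Resolve the addresses before touching any rule: with an empty address list
# the incoming-connections loop at the bottom adds no ACCEPT rule at all, and
# the DROP policy then locks out every remote session, ssh included.
ip_main=$(iface_ip "$iface_main") \
  || { printf 'no IPv4 address found on %s, leaving the firewall unchanged\n' "$iface_main" >&2; exit 1; }
ips=("$ip_main")
if ip_vhosts=$(iface_ip "$iface_vhosts"); then
  ips+=("$ip_vhosts")
else
  printf 'warning: no IPv4 address found on %s, skipping it\n' "$iface_vhosts" >&2
fi

# custom ports (an N:M entry is a port range; names are resolved by iptables)
ftp=(ftp 16000:16031)
# inbound TCP services accepted on every address in ips
ports=(ssh http https "${ftp[@]}")

# clear everything: rules first, then the (now empty) user-defined chains.
for table in filter nat mangle; do
  "$iptables" -t "$table" --flush
  "$iptables" -t "$table" --delete-chain
done

# by default, block everything.
for chain in INPUT FORWARD OUTPUT; do
  "$iptables" --policy "$chain" DROP
done

# open the loopback interface.
"$iptables" -A INPUT -i lo -j ACCEPT
"$iptables" -A OUTPUT -o lo -j ACCEPT

# Allow all established / related traffic.
for chain in INPUT FORWARD; do
  "$iptables" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Allow the server to send anything.
"$iptables" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allow PINGs and PONGs. The OUTPUT rule is presumably already covered by the
# state rule above; it is kept as in the original.
"$iptables" -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
"$iptables" -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT

# Incoming connections to the server: new TCP sessions to the listed
# services, only when addressed to one of this host's own addresses.
for ip in "${ips[@]}"; do
  for port in "${ports[@]}"; do
    "$iptables" -A INPUT --dst "$ip" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
done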