iptables rules (bash script)
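#!/bin/bash
# iptables (IPv4) host firewall.
#
# Sets default-DROP policies on INPUT/OUTPUT/FORWARD, runs every inbound
# packet through a BAD_PACKETS sanity chain, allows a small fixed set of
# services, and rate-limit-logs whatever falls through to the DROP policy.
# Must run as root (writes /proc/sys and drives iptables).
#
# Tunables (environment overrides; defaults are the historical hard-coded
# values, so existing invocations behave as before):
#   IFACE       external interface the per-interface rules bind to (eth0)
#   ADMIN_HOST  single host allowed to reach FTP/SSH/MySQL (10.10.10.10)
#
# NOTE: only /sbin/iptables is driven here, so IPv6 is NOT filtered by this
# script. If the host has IPv6 enabled, ip6tables needs an equivalent
# default-DROP policy (or IPv6 must be disabled), otherwise every listening
# service is reachable over v6 regardless of the rules below.

echo "@b4ut4 | Writing firewall rules..."

IPT="/sbin/iptables"
IFACE="${IFACE:-eth0}"
ADMIN_HOST="${ADMIN_HOST:-10.10.10.10}"

# Fail early instead of spraying permission errors and still printing
# "Writing success" at the end, as the unchecked original did.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "error: must be run as root" >&2
  exit 1
fi
if [[ ! -x "$IPT" ]]; then
  echo "error: iptables not found at $IPT" >&2
  exit 1
fi

# Kernel hardening: no routing between interfaces, SYN cookies against SYN
# floods, ignore broadcast pings (smurf amplification) and malformed ICMP
# error replies.
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# TCP tuning: short FIN/orphan/SYN-ACK retry limits bound the state a
# half-open-connection flood can pin; aggressive keepalives drop dead peers
# after roughly 60s + 5*10s; larger socket buffers for throughput.
echo 7 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_orphan_retries
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 5 > /proc/sys/net/ipv4/tcp_keepalive_probes
echo "4096 65536 16777216" > /proc/sys/net/ipv4/tcp_wmem
echo "4096 65536 16777216" > /proc/sys/net/ipv4/tcp_rmem

# FTP connection tracking, so FTP data connections match RELATED below.
# ip_conntrack_ftp is the pre-2.6.20 module name; current kernels ship it as
# nf_conntrack_ftp, so try the modern name first and fall back.
# NOTE(review): on kernels >= 4.7 net.netfilter.nf_conntrack_helper defaults
# to 0, so loading the module alone may not be enough -- the helper then has
# to be assigned explicitly (raw table, -j CT --helper ftp). Verify on the
# target kernel.
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp

# Start from a clean slate: flush rules and delete user chains in every table.
for table in filter nat mangle; do
  $IPT -t "$table" -F
  $IPT -t "$table" -X
done
echo "Old Rules Flushed"

# Default-deny. The original left FORWARD at ACCEPT; with ip_forward=0
# nothing is routed today, but a later sysctl change would have turned the
# box into an open router silently, so pin FORWARD too.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Sanity chain for inbound traffic: drop malformed / scan-shaped TCP,
# fragmented ICMP, packets conntrack cannot classify, and limited-broadcast
# destinations; everything else RETURNs to INPUT.
$IPT -N BAD_PACKETS
# New connection whose first packet is not a SYN.
$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
# XMAS scan (all flags set).
$IPT -A BAD_PACKETS -p TCP --tcp-flags ALL ALL -j DROP
# NULL scan (no flags set).
$IPT -A BAD_PACKETS -p TCP --tcp-flags ALL NONE -j DROP
# Bare SYN inside an already-established flow. (The original had a stray
# backslash, "\-m", which bash collapsed to "-m"; removed for clarity.)
$IPT -A BAD_PACKETS -p TCP --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -m state --state INVALID -j DROP
$IPT -A BAD_PACKETS -d 255.255.255.255 -j DROP
$IPT -A BAD_PACKETS -j RETURN

# INPUT: loopback first, then the sanity chain, then established flows.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j BAD_PACKETS
$IPT -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow DHCP
#$IPT -A INPUT -p UDP --dport 68 --sport 67 -j ACCEPT
# FTP (21), SSH (22) and MySQL (3306) -- only from the management host.
# (The original comment said just "SSH"; the rule has always covered all
# three ports, so the comment now matches the rule.)
$IPT -A INPUT -m state --state NEW,ESTABLISHED,RELATED --source "$ADMIN_HOST" -p TCP -i "$IFACE" -m multiport --dport "21,22,3306" -j ACCEPT
# HTTP from anywhere, on any interface.
$IPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
#Allow net print
#$IPT -A INPUT -p UDP -i "$IFACE" --dport 631 -j ACCEPT
#Allow webmin
#$IPT -A INPUT -p TCP -i "$IFACE" --dport 10000 -j ACCEPT
#Allow avahi-daemon
#$IPT -A INPUT -p TCP -i "$IFACE" --dport 5353 -j ACCEPT
#Allow input torrents-client
#$IPT -A INPUT -p TCP -i "$IFACE" --dport 51413 -j ACCEPT
#$IPT -A INPUT -p UDP -i "$IFACE" --dport 51413 -j ACCEPT
#$IPT -A INPUT -p TCP -i "$IFACE" --dport 6881 -j ACCEPT
#$IPT -A INPUT -p UDP -i "$IFACE" --dport 6881 -j ACCEPT
#Allow Samba From Specified Hosts (add a --source restriction before enabling)
#$IPT -A INPUT -p TCP -i "$IFACE" --dport 137:139 -j ACCEPT
#$IPT -A INPUT -p UDP -i "$IFACE" --dport 137:139 -j ACCEPT
#$IPT -A INPUT -p TCP -i "$IFACE" --sport 137:139 -j ACCEPT
#$IPT -A INPUT -p UDP -i "$IFACE" --sport 137:139 -j ACCEPT
# ICMP echo-request (ping) from ANY host on the external interface -- this
# rule is not host-restricted despite the original "From Specified Hosts"
# comment. The original also listed it twice; one copy is enough.
$IPT -A INPUT -p ICMP -i "$IFACE" --icmp-type 8 -j ACCEPT
# SMTPS (465) inbound from anywhere, on any interface.
$IPT -A INPUT -p tcp --dport 465 -j ACCEPT
# Log what falls through to the DROP policy. Rate-limited so that a packet
# flood cannot fill the disk or drown out other log lines.
$IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT DROP: "

# OUTPUT: loopback, established flows, then an explicit egress allow-list
# (HTTPS, HTTP, DNS, SMTP, SSH, FTP). Anything else is logged and dropped
# by policy, which also limits what a compromised process can call out to.
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
for port in 443 80 53 25 22 21; do
  $IPT -A OUTPUT -p TCP -o "$IFACE" --dport "$port" -j ACCEPT
done
$IPT -A OUTPUT -p UDP -o "$IFACE" --dport 53 -j ACCEPT
#Allow POP, IMAP
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 110 -j ACCEPT
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 143 -j ACCEPT
#Allow IMAPS
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 993 -j ACCEPT
#Allow output IRC
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 6667 -j ACCEPT
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 6668 -j ACCEPT
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 6669 -j ACCEPT
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 8001 -j ACCEPT
#Allow output Google talk
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 5222 -j ACCEPT
#Allow output CUPS (for printers in net)
#$IPT -A OUTPUT -p UDP -o "$IFACE" --dport 631 -j ACCEPT
#Allow output teamviewer
#$IPT -A OUTPUT -p UDP -o "$IFACE" --dport 5938 -j ACCEPT
#Allow output NTP (for ntpdate)
#$IPT -A OUTPUT -p UDP -o "$IFACE" --dport 123 -j ACCEPT
#Allow output Urban Terror
#$IPT -A OUTPUT -p UDP -o "$IFACE" --dport 27960 -j ACCEPT
#Allow specific ports
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 2046 -j ACCEPT
#$IPT -A OUTPUT -p TCP -o "$IFACE" --dport 2050 -j ACCEPT
# Rate-limited log of outbound traffic that the DROP policy will reject.
$IPT -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUTPUT DROP: "

echo "Writing success"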