dave's iptables.sh
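#!/bin/bash
# Minimal IPv4 host firewall: flush everything, deny by default, then allow
# DNS to the listed resolvers, HTTP to the listed package mirrors, outgoing
# SSH, ping in both directions and all traffic on loopback. Everything else
# is logged (rate-limited) and rejected.
#
# Must run as root. ip6tables is not touched, so IPv6 traffic stays under
# whatever ip6tables policy is already loaded.
#
# NOTE(review): no rule accepts inbound SSH (dport 22), so running this over
# an SSH session *to* this host ends that session once the REJECT rules land.
# Add an inbound rule before the final LOG/REJECT pair if that is not intended.
#
# Strict mode: an iptables failure aborts the run. Because the DROP policies
# are set right after the flush, an abort leaves the host fail-closed rather
# than silently half-configured.
set -euo pipefail

readonly IPT="/sbin/iptables"
# Interface whose first global IPv4 address is used in the ICMP rules.
# Override with IFACE=eth0 ./iptables.sh; defaults to the original venet0.
readonly IFACE="${IFACE:-venet0}"
# Your DNS servers you use: cat /etc/resolv.conf
DNS_SERVER=(8.8.4.4 8.8.8.8)
# Allow connections to these package servers. Hostnames are resolved once,
# when the rule is loaded (one rule per returned address); that lookup goes
# through this host's resolver, so /etc/resolv.conf must point at DNS_SERVER
# or the resolution is blocked by the policy set above it.
PACKAGE_SERVER=(ftp.nl.debian.org security.debian.org)

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must run as root"

# First global IPv4 address on $IFACE, with prefix length (e.g. 192.0.2.10/32,
# same format the original cut/awk pipeline produced). Computed before any
# rule is touched so a missing address aborts while the old rule set is intact.
SERVER_IP="$(ip -4 -o addr show "$IFACE" | awk '/scope global/ { print $4; exit }')"
[[ -n "$SERVER_IP" ]] || die "no global IPv4 address found on $IFACE"

printf '%s\n' "flush iptable rules"
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done

# Built-in chain policies only accept ACCEPT or DROP; `-P INPUT REJECT` is
# refused by iptables, which previously left all three chains at their
# default ACCEPT policy and, since nothing is appended to FORWARD, left
# forwarding wide open. DROP is the backstop; the explicit LOG+REJECT rules
# at the end of INPUT/OUTPUT still give the visible reject behaviour.
printf '%s\n' "Set default policy to 'DROP'"
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT DROP

## This should be one of the first rules,
## so dns lookups are already allowed for your other rules
for ip in "${DNS_SERVER[@]}"; do
  printf '%s\n' "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
  for proto in udp tcp; do
    "$IPT" -A OUTPUT -p "$proto" -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -p "$proto" -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
  done
done

printf '%s\n' "allow all and everything on localhost"
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

for host in "${PACKAGE_SERVER[@]}"; do
  printf '%s\n' "Allow connection to '$host' on port 80"
  "$IPT" -A OUTPUT -p tcp -d "$host" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -p tcp -s "$host" --sport 80 -m state --state ESTABLISHED -j ACCEPT
done

#######################################################################################################
## Global iptable rules. Not IP specific
printf '%s\n' "Allow all outgoing connections to port 22"
"$IPT" -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Echo request (type 8) out / echo reply (type 0) in, and the reverse pair so
# the host answers pings. Restricted to this host's own address.
printf '%s\n' "Allow outgoing icmp connections (pings,...)"
"$IPT" -A OUTPUT -p icmp --icmp-type 8 -s "$SERVER_IP" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 0 -s 0/0 -d "$SERVER_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -p icmp --icmp-type 8 -s 0/0 -d "$SERVER_IP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -p icmp --icmp-type 0 -s "$SERVER_IP" -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log before rejecting. The limit keeps a flood from filling the kernel log;
# packets over the limit are still rejected, just not logged.
"$IPT" -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT reject: '
"$IPT" -A INPUT -j REJECT
"$IPT" -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT reject: '
"$IPT" -A OUTPUT -j REJECT
exit 0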