Allow http/https only from CloudFlare's published IPv4 ranges (via ipset). Allow ssh from Mexico and tcp/1935 (RTMP) from Mexico or New Zealand using ipdeny country ranges. Drop every other new inbound connection. Note: as written the final `OUTPUT -j DROP` is commented out, so new outgoing connections are NOT actually prevented, and only IPv4 (iptables) is configured.
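#!/usr/bin/env bash
# Host firewall for a Debian/Ubuntu box fronted by CloudFlare (IPv4 only).
#
# Steps, in order:
#   1. install ipset + netfilter-persistent/iptables-persistent
#   2. back up the running ruleset; restore it automatically if this script aborts
#   3. build ipsets for the CloudFlare edge ranges and the MX / NZ country blocks
#      (done BEFORE flushing, so the host is never unfiltered while downloads run)
#   4. allow http/https only from CloudFlare, tcp/1935 and ssh only from the
#      country sets, inbound NTP, and a few outbound services; drop everything else
#   5. persist the rules and the ipsets so they survive reboot
#
# Must run as root. Run it from a console or an already-established ssh session:
# the ESTABLISHED rule keeps the current session alive, but any NEW inbound
# connection not matched below is dropped by the final rule.
#
# NOTE(review): only iptables (IPv4) is configured. If this host also has a
# public IPv6 address, ip6tables is untouched and every port stays reachable
# over IPv6 — add matching ip6tables rules or disable v6 on the interface.
set -Eeuo pipefail

readonly CF_IPV4_URL='https://www.cloudflare.com/ips-v4'
# Country lists over TLS: these feed an allow list, and a plaintext fetch would
# let an on-path attacker insert arbitrary ranges into it.
readonly MX_ZONE_URL='https://www.ipdeny.com/ipblocks/data/aggregated/mx-aggregated.zone'
readonly NZ_ZONE_URL='https://www.ipdeny.com/ipblocks/data/aggregated/nz-aggregated.zone'
readonly IPSET_PLUGIN_URL='https://raw.githubusercontent.com/jordanrinke/ipsets-persistent/master/10-ipset'
readonly IPSET_PLUGIN_DST='/usr/share/netfilter-persistent/plugins.d/10-ipset'
# Optional: sha256 of a 10-ipset you have reviewed. When set, the download must
# match or the script aborts. The plugin runs as root at every boot, so an
# unpinned "master" download is a supply-chain exposure — pin it.
IPSET_PLUGIN_SHA256="${IPSET_PLUGIN_SHA256:-}"

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

# curl -f turns HTTP errors into a non-zero exit instead of feeding an HTML
# error page into `ipset add`; -sS stays quiet but still reports failures.
fetch() { curl -fsSL --retry 3 -- "$1"; }

#######################################
# (Re)build an ipset from a URL that returns one IPv4 CIDR per line, atomically.
# Fills a scratch set and `ipset swap`s it in, so rules referencing the set never
# see it empty or half-filled, and re-running the script refreshes a set that
# already exists (a bare `ipset create` fails on rerun and silently keeps stale
# ranges). Aborts if the download fails, returns nothing, or contains anything
# that does not look like a.b.c.d[/n].
# Arguments: $1 - set name, $2 - URL
#######################################
load_set() {
  local name=$1 url=$2 scratch="${1}_new" count=0 cidr list
  list=$(fetch "$url") || die "download failed: $url"
  ipset create -exist "$name" hash:net
  ipset create -exist "$scratch" hash:net
  ipset flush "$scratch"
  while IFS= read -r cidr; do
    [[ -z "$cidr" || "$cidr" == \#* ]] && continue
    [[ "$cidr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] \
      || die "unexpected entry '$cidr' from $url"
    ipset add -exist "$scratch" "$cidr"
    count=$((count + 1))
  done <<<"$list"
  (( count > 0 )) || die "no entries fetched for set $name from $url"
  ipset swap "$scratch" "$name"
  ipset destroy "$scratch"
}

[[ $EUID -eq 0 ]] || die "must run as root"

# iptables-persistent (which depends on netfilter-persistent) ships the
# 15-ip4tables plugin and /etc/iptables; netfilter-persistent alone is only the
# framework. Non-interactive so its "save current rules?" debconf prompt does
# not block an unattended run.
export DEBIAN_FRONTEND=noninteractive
apt-get install -y ipset netfilter-persistent iptables-persistent
mkdir -p /etc/iptables

# Back up the live ruleset and put it back if anything below fails: after the
# flush the host runs with policy ACCEPT and no rules, so an abort half-way
# through must not leave it wide open. (mktemp: no predictable name in /tmp.)
backup=$(mktemp /tmp/iptables.backup.XXXXXX) || die "mktemp failed"
iptables-save > "$backup"
restore_on_error() {
  printf 'firewall: aborted; restoring previous iptables rules from %s\n' "$backup" >&2
  iptables-restore < "$backup" || true
}
trap restore_on_error ERR

# Populate the sets before touching the rules (see header, step 3).
load_set cf "$CF_IPV4_URL"
load_set mx "$MX_ZONE_URL"
load_set nz "$NZ_ZONE_URL"

# NOTE: -F flushes every chain in the filter table, including the DOCKER*
# chains Docker manages; restart docker afterwards if containers need publishing.
iptables -F

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Existing sessions (including the ssh session running this script)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Web only from CloudFlare's edge; direct hits on the origin are dropped below
iptables -A INPUT -m set --match-set cf src -p tcp -m multiport --dports http,https -j ACCEPT
# tcp/1935 (RTMP) from Mexico or New Zealand
iptables -A INPUT -m set --match-set mx src -p tcp --dport 1935 -j ACCEPT
iptables -A INPUT -m set --match-set nz src -p tcp --dport 1935 -j ACCEPT
# ssh from Mexico, as the gist description states. Without this rule the final
# DROP rejects every NEW ssh connection and the box is reachable only from the
# console once the current session ends.
iptables -A INPUT -m set --match-set mx src -p tcp --dport ssh -j ACCEPT
# NTP. NOTE(review): the INPUT rule opens udp/123 to the whole internet, which
# is only needed if this host SERVES time; as a client, replies already match
# ESTABLISHED. Drop the INPUT rule if nothing listens on 123.
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
# DNS (udp, plus tcp for truncated answers). Uses conntrack, same as the rest
# of the file, rather than the deprecated `-m state`.
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Scaleway network block devices: the volume servers are taken from instance
# metadata and get unrestricted inbound access, inserted ahead of the conntrack
# rules. Skipped when oc-metadata is absent or lists no volumes.
declare -a nbd_ips=()
if command -v oc-metadata >/dev/null 2>&1; then
  mapfile -t nbd_ips < <(oc-metadata --cached \
    | grep 'VOLUMES_._EXPORT_URI' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' || true)
fi
for ip in "${nbd_ips[@]}"; do
  iptables -I INPUT -i eth0 -s "$ip" -j ACCEPT
done

# Forwarding between the local interfaces, and between docker0 and eth0
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT

# Apt mirrors. Hostnames are resolved once, here, and iptables-save persists the
# resulting IPs; if a mirror moves, these rules silently stop matching.
iptables -A OUTPUT -o eth0 -d ftp.fr.debian.org -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -d security.debian.org -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -d ftp.debian.org -p tcp --dport 80 -j ACCEPT

# Everything else inbound is dropped. OUTPUT has no drop rule (see the last
# line), so outgoing connections are unrestricted despite the allow rules above.
iptables -A INPUT -j DROP

# Persist. The fail2ban (f2b) sets are excluded: fail2ban recreates them itself.
# NOTE(review): confirm /etc/iptables/rules.ipset is the path the 10-ipset
# plugin reads; the plugin's expected location is not visible here.
ipset save | grep -iv "f2b" > /etc/iptables/rules.ipset
iptables-save > /etc/iptables/rules.v4

# Install the ipset plugin for netfilter-persistent. It is named 10-* so it runs
# before 15-ip4tables at boot and the sets exist when the rules that reference
# them are loaded. Downloaded to a temp file, checked, then installed — never
# written straight into plugins.d where a truncated download would be executed.
plugin_tmp=$(mktemp) || die "mktemp failed"
fetch "$IPSET_PLUGIN_URL" > "$plugin_tmp" || die "plugin download failed: $IPSET_PLUGIN_URL"
if [[ -n "$IPSET_PLUGIN_SHA256" ]]; then
  printf '%s  %s\n' "$IPSET_PLUGIN_SHA256" "$plugin_tmp" | sha256sum -c --quiet - \
    || die "10-ipset checksum mismatch; refusing to install"
else
  printf 'firewall: WARNING: IPSET_PLUGIN_SHA256 unset; installing unverified plugin from %s\n' \
    "$IPSET_PLUGIN_URL" >&2
fi
head -c 2 -- "$plugin_tmp" | grep -q '^#!' || die "downloaded plugin does not look like a script"
install -m 0755 -o root -g root -- "$plugin_tmp" "$IPSET_PLUGIN_DST"
rm -f -- "$plugin_tmp"

trap - ERR
printf 'firewall: applied and persisted; previous ruleset kept at %s\n' "$backup" >&2

# Enable to actually block new outgoing connections (the description promises
# this, but it is left off here). Before enabling, make sure every outbound
# service the host needs has an OUTPUT ACCEPT rule above.
#iptables -A OUTPUT -j DROP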