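#!/bin/bash
#chkconfig: 2345 95 20
#description: iptables rules to prevent communication on unused ports.
#
# Default-deny IPv4 host firewall: every inbound packet is dropped unless a
# rule in the SERVICES chain accepts it. Must run as root. The script exits on
# the first failing iptables command so a half-applied ruleset is not reported
# as success (inspect `iptables -L -n -v` after a failure).
set -eu

IPT=/sbin/iptables

# Reset: flush all rules and delete user chains in BOTH the filter and nat
# tables. Flushing only the filter table meant that every re-run (service
# restart) appended another copy of the nat PREROUTING REDIRECT below, and
# "-N SERVICES" failed because the chain already existed.
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X

# Start by blocking all traffic, this will allow secured, fine grained filtering
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

# Chain holding the per-service ACCEPT rules; INPUT jumps to it below.
$IPT -N SERVICES

# Drop spoofed packets: loopback source addresses may only arrive on lo.
# "! --in-interface" is the supported negation form; the intrapositioned
# "--in-interface !" is deprecated and rejected by newer iptables builds.
$IPT -A INPUT ! --in-interface lo --source 127.0.0.0/8 -j DROP

# Limit ping requests to one per second. The excess is dropped here instead of
# falling through to the catch-all ICMP accept in SERVICES, which previously
# made the limit ineffective.
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

# Drop bogus packets (state INVALID: conntrack could not classify them)
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
# Drop TCP segments with flag combinations no legitimate stack sends
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

# Allowed inputs
$IPT -A INPUT --in-interface lo -j ACCEPT
# Keep established connexions. Checked before the SERVICES jump so reply
# traffic is accepted without walking the per-port rules; the final verdict
# for any packet is the same as with the jump first.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -j SERVICES

# Per-service accepts. Anything not listed here is dropped by the INPUT policy.
#HTTP (plain HTTP is served via the nat REDIRECT to 8080 at the bottom)
#$IPT -A SERVICES -p tcp --dport 80 -j ACCEPT
#HTTPS
$IPT -A SERVICES -p tcp --dport 443 -j ACCEPT
#TOMCAT
$IPT -A SERVICES -p tcp --dport 8080 -j ACCEPT
# NOTE(review): 8009 (AJP connector) and 8005 (shutdown command port) are
# management interfaces, not user-facing services. Accepting them from every
# source lets any remote host talk to the AJP connector or issue the shutdown
# command if those listeners are bound to 0.0.0.0. Restrict with
# "--source <trusted-net>" or bind them to 127.0.0.1 in server.xml.
$IPT -A SERVICES -p tcp --dport 8009 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8443 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8005 -j ACCEPT
#FTP (passive-mode data connections additionally need the nf_conntrack_ftp
# helper loaded so they are matched as RELATED)
$IPT -A SERVICES -p tcp --dport 20:21 -j ACCEPT
#SMTP
$IPT -A SERVICES -p tcp --dport 25 -j ACCEPT
#POP3
$IPT -A SERVICES -p tcp --dport 110 -j ACCEPT
#IMAP
$IPT -A SERVICES -p tcp --dport 143 -j ACCEPT
#ICMP (echo-request is already rate-limited in INPUT; this accepts the rest)
$IPT -A SERVICES -p icmp -j ACCEPT
#SSH
$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
#DNS
$IPT -A SERVICES -p tcp --dport 53 -j ACCEPT
$IPT -A SERVICES -p udp --dport 53 -j ACCEPT

#FORWARD TO TOMCAT: rewrite locally destined port 80 to 8080.
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# REDIRECTed packets are delivered to the local socket and traverse INPUT
# (where SERVICES accepts 8080), not FORWARD; this rule presumably only matters
# if the host also routes for other machines. Kept unchanged.
$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT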