@mammuth
Last active February 18, 2018 15:09
Script to create minimal iptables and store them via iptables-persistent
#!/bin/sh
# This script sets iptables rules for IPv4 and IPv6. Currently IPv6 just has a drop-everything policy.
# ToDo: Drop outgoing packets with a spoofed source address - add the local address as src in the OUTPUT rules.
# Caution: on a re-run the chains are empty while the DROP policies from the previous run still apply,
# so a failure between the flush and the ACCEPT rules locks you out of an SSH session.
# Test changes with `iptables-apply` (reverts unless confirmed) or keep a second session open.
###################
# RESET ALL RULES #
###################
# --flush only empties the chains of the filter table and leaves policies untouched;
# --delete-chain also removes any user-defined chains left behind by other tools.
iptables --flush
iptables --delete-chain
ip6tables --flush
ip6tables --delete-chain
#################
# SET NEW RULES #
#################
# Drop invalid packets first: rules are evaluated in order, so this must come
# before any ACCEPT rule, otherwise the ACCEPTs for 80/443/22 match such packets first.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow all established connections (RELATED also covers ICMP errors for them)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow loopback (needed for nginx reverse proxying and anything talking to 127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow HTTP/HTTPS for nginx; outgoing is also needed for apt-get.
# The UDP rules are only useful if you serve or use HTTP/3 (QUIC on 443); drop them otherwise.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 80,443 -j ACCEPT
# SSH ("ssh" resolves to port 22 via /etc/services)
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT # (needed for git over SSH)
# Allow outgoing DNS (conntrack is the current form of the deprecated -m state)
iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
####################
# SET NEW POLICIES #
####################
# Set last, after the ACCEPT rules exist, so the current SSH session survives the switch.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
#########
# IP v6 #
#########
# Drops everything, including ::1 loopback and ICMPv6 neighbour discovery,
# so the host is effectively without IPv6. Add rules here before enabling IPv6.
ip6tables --policy INPUT DROP
ip6tables --policy FORWARD DROP
ip6tables --policy OUTPUT DROP
###############
# STORE RULES #
###############
# /etc/iptables/ is created by the iptables-persistent package; its
# netfilter-persistent service reloads these files at boot.
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
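Added check, not part of the gist: a small lint for the saved rules.v4 that you can run before letting iptables-persistent restore it at boot. It verifies the invariants the script above relies on: all three filter policies DROP, loopback accepted both ways, an SSH accept on INPUT (so a reboot cannot lock you out), and the INVALID drop placed before any port-based ACCEPT, since iptables evaluates rules top to bottom. The function name `check_rules` and both sample dumps (`good_rules` mirrors the script above, `bad_rules` has the INVALID drop appended last and FORWARD left at ACCEPT) are constructed for this example, not captured from a host. It assumes the dump holds only the filter table; on a host with other tables loaded, feed it `iptables-save -t filter`.

```shell
#!/bin/sh
# Added example, not part of the original gist: lint an iptables-save dump
# (e.g. /etc/iptables/rules.v4) before iptables-persistent restores it.
# Only sh, grep and awk are used, so it runs without root or iptables.

# Reads a dump on stdin, prints every violated invariant, returns 1 if any.
check_rules() {
    dump=$(cat)
    rc=0

    # 1. All three filter chains must default to DROP.
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$dump" | grep -q "^:$chain DROP" \
            || { echo "FAIL: policy for $chain is not DROP"; rc=1; }
    done

    # 2. Loopback must be accepted in both directions or local services break.
    printf '%s\n' "$dump" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "FAIL: loopback not accepted on INPUT"; rc=1; }
    printf '%s\n' "$dump" | grep -q -- '^-A OUTPUT -o lo -j ACCEPT' \
        || { echo "FAIL: loopback not accepted on OUTPUT"; rc=1; }

    # 3. SSH must stay reachable, otherwise the next reboot locks you out.
    #    iptables-save writes the numeric port, so match 22 (or the name ssh).
    printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT -p tcp .*--dport (22|ssh) -j ACCEPT' \
        || { echo "FAIL: no SSH accept rule on INPUT"; rc=1; }

    # 4. The INVALID drop must precede any port-based ACCEPT on INPUT:
    #    rules are evaluated in order, so a later DROP never fires for
    #    packets an earlier ACCEPT already matched.
    printf '%s\n' "$dump" | awk '
        /^-A INPUT / && /--ctstate INVALID -j DROP/ && !invalid { invalid = NR }
        /^-A INPUT / && /--dports? [0-9,]+ -j ACCEPT/ && !port { port = NR }
        END {
            if (!invalid) { print "FAIL: no INVALID drop rule on INPUT"; exit 1 }
            if (port && invalid > port) {
                print "FAIL: INVALID drop (line " invalid ") comes after a port ACCEPT (line " port ")"
                exit 1
            }
        }' || rc=1

    return $rc
}

# Constructed sample (not captured from a host): what iptables-save emits for
# the script above with the INVALID drop placed first.
good_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample with two mistakes: the INVALID drop is appended last, so
# it sits behind the port ACCEPTs, and FORWARD was left at ACCEPT.
bad_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Usage on a real host: check_rules < /etc/iptables/rules.v4
# Here the two constructed dumps are checked instead.
good_rules | check_rules && echo "good_rules: OK"
bad_rules | check_rules || echo "bad_rules: rejected"
```

The ordering check is the one that matters most in practice: appending the INVALID drop at the end of INPUT, as the original version of the script did, leaves it unreachable for any packet that an earlier ACCEPT on 80, 443 or 22 already matched, and nothing in `iptables-save` output warns you about it.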