maxd · September 26, 2013 05:48
diff --git a/db-server-iptables.sh b/db-server-iptables.sh
 # http://www.thegeekstuff.com/2011/03/iptables-inbound-and-outbound-rules/

 DB_SERVER=X.X.X.X
 HOME_SERVER=X.X.X.X
 SRV1_SERVER=X.X.X.X
 SRV2_SERVER=X.X.X.X
 SRV3_SERVER=X.X.X.X

 # Delete all existing rules
 iptables -F

 # Change the default chain policy to DROP
 iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP

 # Allow incoming SSH
 iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

 # home to db
 iptables -A INPUT -p tcp -s $HOME_SERVER --sport 1024:65535 -d $DB_SERVER --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp -s $DB_SERVER --sport 3306 -d $HOME_SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

 # web-0-1 to db
 iptables -A INPUT -p tcp -s $SRV1_SERVER --sport 1024:65535 -d $DB_SERVER --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp -s $DB_SERVER --sport 3306 -d $SRV1_SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

 # web-0-2 to db
 # iptables -A INPUT -p tcp -s $SRV2_SERVER --sport 1024:65535 -d $DB_SERVER --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
 # iptables -A OUTPUT -p tcp -s $DB_SERVER --sport 3306 -d $SRV2_SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

 # api-0-1 to db
 iptables -A INPUT -p tcp -s $SRV3_SERVER --sport 1024:65535 -d $DB_SERVER --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp -s $DB_SERVER --sport 3306 -d $SRV3_SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

 # Allowing DNS
 iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

 iptables -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

 # Allowing Ubuntu apt-get update
 iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
	# http://www.thegeekstuff.com/2011/03/iptables-inbound-and-outbound-rules/

	DB_SERVER=X.X.X.X
	HOME_SERVER=X.X.X.X
	SRV1_SERVER=X.X.X.X
	SRV2_SERVER=X.X.X.X
	SRV3_SERVER=X.X.X.X

	# Delete all existing rules
	iptables -F

	# Change the default chain policy to DROP
	iptables -P INPUT DROP
	iptables -P OUTPUT DROP
	iptables -P FORWARD DROP

	# Allow incoming SSH
	iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

	# home to db
	iptables -A INPUT -p tcp -s $HOME_SERVER --sport 1024:65535 -d $DB_SERVER --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -s $DB_SERVER --sport 3306 -d $HOME_SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

	# web-0-1 to db
	iptables -A INPUT -p tcp -s $SRV1_SERVER --sport 1024:65535 -d $DB_SERVER --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -s $DB_SERVER --sport 3306 -d $SRV1_SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

	# web-0-2 to db
	# iptables -A INPUT -p tcp -s $SRV2_SERVER --sport 1024:65535 -d $DB_SERVER --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
	# iptables -A OUTPUT -p tcp -s $DB_SERVER --sport 3306 -d $SRV2_SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

	# api-0-1 to db
	iptables -A INPUT -p tcp -s $SRV3_SERVER --sport 1024:65535 -d $DB_SERVER --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -s $DB_SERVER --sport 3306 -d $SRV3_SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

	# Allowing DNS
	iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

	iptables -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

	# Allowing Ubuntu apt-get update
	iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT