Created
September 27, 2012 03:01
-
-
Save mbohun/3791917 to your computer and use it in GitHub Desktop.
iptables firewall
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| IPT="/usr/local/sbin/iptables" | |
| SSH_HOSTS_ALLOWED="55.16.23.13/24 222.111.77.0/16 213.123.88.123/24 213.32.99.102/16" | |
| case "$1" in | |
| start) | |
| #/sbin/sysctl -w net.ipv4.ip_forward=1 | |
| # flushing all rules | |
| ${IPT} -F | |
| ${IPT} -F -t nat | |
| ${IPT} -X | |
| # setting default filter policy | |
| ${IPT} -P INPUT DROP | |
| ${IPT} -P OUTPUT ACCEPT | |
| ${IPT} -P FORWARD DROP | |
| # allow unlimited traffic on loopback | |
| ${IPT} -A INPUT -i lo -j ACCEPT | |
| # allow local subnet 192.168.0.x connections (all = tcp & udp) | |
| ${IPT} -A INPUT -i eth0 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
| ${IPT} -A INPUT -i eth1 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
| # allow incoming ssh from chosen IPs | |
| for s in $SSH_HOSTS_ALLOWED; | |
| do | |
| ${IPT} -A INPUT -p tcp -i eth0 -s $s --dport 22 --syn -m state --state NEW -j ACCEPT | |
| done | |
| # forward port 443 to 22 - so we can connect from a remote IP going out on port 443 | |
| # if they block outgoing traffic on 22 | |
| ${IPT} -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 22 | |
| # 80 -> 8000 | |
| ${IPT} -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8000 | |
| # allow all packets ESTABLISHED,RELATED | |
| ${IPT} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # allow ICMP ping (or would be bteer to restrict it to the local net?) | |
| ${IPT} -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | |
| ${IPT} -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP | |
| ${IPT} -A INPUT -d 224.0.0.1 -j DROP | |
| ${IPT} -A INPUT -m limit --limit 5/min -j LOG #log is good/handy for 'debugging' | |
| # ${IPT} -A INPUT -m limit --limit 5/min -j ULOG #log is good/handy for 'debugging' | |
| ${IPT} -A INPUT -j DROP #or REJECT/DROP | |
| ;; | |
| stop) | |
| #/sbin/sysctl -w net.ipv4.ip_forward=0 | |
| # flushing all rules | |
| ${IPT} -F | |
| ${IPT} -F -t nat | |
| ${IPT} -X | |
| # setting default filter policy | |
| ${IPT} -P INPUT ACCEPT | |
| ${IPT} -P OUTPUT ACCEPT | |
| ${IPT} -P FORWARD ACCEPT | |
| ;; | |
| *) | |
| $0 start | |
| ;; | |
| esac | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment