richardsonlima · January 27, 2016 01:22
diff --git a/fw-rules-websrv-02 b/fw-rules-websrv-02
 #!/bin/bash
 # set -x
 # save the script in /usr/local/bin/fw-rules-websrv-02 and make it executable
 # chmod +x /usr/local/bin/fw-rules-websrv-02
 # run --> fw-rules-websrv-02

 IPTABLES=/sbin/iptables
 IFACE_EXT="eth0"
 IFACE_INT="eth1"
 WEBSRV_01_INT_ADDR=""
 WEBSRV_01_EXT_ADDR=""
 WEBSRV_02_INT_ADDR=""
 WEBSRV_02_EXT_ADDR=""
 LBSRV_01_INT_ADDR=""
 LBSRV_01_EXT_ADDR=""
 ALL="0.0.0.0/0"

 echo " * flushing old rules"
 ${IPTABLES} --flush
 ${IPTABLES} --delete-chain
 ${IPTABLES} --table nat --flush
 ${IPTABLES} --table nat --delete-chain

 echo " * setting default policies"
 ${IPTABLES} -P INPUT DROP
 ${IPTABLES} -P FORWARD DROP
 ${IPTABLES} -P OUTPUT ACCEPT

 echo " * allowing loopback devices"
 ${IPTABLES} -A INPUT -i lo -j ACCEPT
 ${IPTABLES} -A OUTPUT -o lo -j ACCEPT

 echo " * allowing internal devices"
 ${IPTABLES} -A INPUT -i ${IFACE_INT} -j ACCEPT
 ${IPTABLES} -A OUTPUT -o ${IFACE_INT} -j ACCEPT

 ${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 ## BLOCK ABUSING IPs HERE ##
 #echo " * BLACKLIST"
 #${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
 #${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

 echo " * allowing ssh on port 22"
 ${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp --dport 22  -m state --state NEW -j ACCEPT

 echo " * allowing monit on port 2812"
 ${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp --dport 2812  -m state --state NEW -j ACCEPT

 echo " * allowing all traffic to LoadBalancer Internal Network Interface"
 ${IPTABLES} -A INPUT -i ${IFACE_EXT} -s ${LBSRV_01_INT_ADDR} -j ACCEPT

 echo " * allowing all traffic to Web Server 01 Internal Network Interface"
 ${IPTABLES} -A INPUT -i ${IFACE_EXT} -s ${WEBSRV_01_INT_ADDR} -j ACCEPT

 echo " * allowing ftp passive on port 20,21,[49152 - 65534]"
 ${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 ${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 ${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp -m tcp --sport 49152:65534 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 ${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp -m state --state ESTABLISHED -j ACCEPT
 ${IPTABLES} -A INPUT -i ${IFACE_EXT} -j REJECT --reject-with icmp-port-unreachable
 ${IPTABLES} -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 ${IPTABLES} -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 ${IPTABLES} -A OUTPUT -p tcp -m tcp --sport 49152:65534 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

 echo " * droping http on port 80 to external users"
 ${IPTABLES} -A INPUT -i ${IFACE_EXT}  -s ${ALL} -p tcp --dport 80  -m state --state NEW -j DROP

 echo " * droping https on port 443 to external users"
 ${IPTABLES} -A INPUT -i ${IFACE_EXT}  -s ${ALL} -p tcp --dport 443 -m state --state NEW -j DROP

 # DROP everything else and Log it
 ${IPTABLES} -A INPUT -j LOG
 ${IPTABLES} -A INPUT -j DROP

 #
 # Save settings
 #
 echo " * SAVING RULES"

 if [[ -d /etc/network/if-pre-up.d ]]; then
    if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
        echo -e "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
        echo -e "test -e /etc/iptables.rules && iptables-restore -c /etc/iptables.rules" >> /etc/network/if-pre-up.d/iptables
        chmod +x /etc/network/if-pre-up.d/iptables
    fi
 fi

 iptables-save > /etc/fw-rules-websrv-02.rules
 iptables-restore -c /etc/fw-rules-websrv-02.rules
	#!/bin/bash
	# set -x
	# save the script in /usr/local/bin/fw-rules-websrv-02 and make it executable
	# chmod +x /usr/local/bin/fw-rules-websrv-02
	# run --> fw-rules-websrv-02

	IPTABLES=/sbin/iptables
	IFACE_EXT="eth0"
	IFACE_INT="eth1"
	WEBSRV_01_INT_ADDR=""
	WEBSRV_01_EXT_ADDR=""
	WEBSRV_02_INT_ADDR=""
	WEBSRV_02_EXT_ADDR=""
	LBSRV_01_INT_ADDR=""
	LBSRV_01_EXT_ADDR=""
	ALL="0.0.0.0/0"

	echo " * flushing old rules"
	${IPTABLES} --flush
	${IPTABLES} --delete-chain
	${IPTABLES} --table nat --flush
	${IPTABLES} --table nat --delete-chain

	echo " * setting default policies"
	${IPTABLES} -P INPUT DROP
	${IPTABLES} -P FORWARD DROP
	${IPTABLES} -P OUTPUT ACCEPT

	echo " * allowing loopback devices"
	${IPTABLES} -A INPUT -i lo -j ACCEPT
	${IPTABLES} -A OUTPUT -o lo -j ACCEPT

	echo " * allowing internal devices"
	${IPTABLES} -A INPUT -i ${IFACE_INT} -j ACCEPT
	${IPTABLES} -A OUTPUT -o ${IFACE_INT} -j ACCEPT

	${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
	${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	## BLOCK ABUSING IPs HERE ##
	#echo " * BLACKLIST"
	#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
	#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

	echo " * allowing ssh on port 22"
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp --dport 22 -m state --state NEW -j ACCEPT

	echo " * allowing monit on port 2812"
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp --dport 2812 -m state --state NEW -j ACCEPT

	echo " * allowing all traffic to LoadBalancer Internal Network Interface"
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -s ${LBSRV_01_INT_ADDR} -j ACCEPT

	echo " * allowing all traffic to Web Server 01 Internal Network Interface"
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -s ${WEBSRV_01_INT_ADDR} -j ACCEPT

	echo " * allowing ftp passive on port 20,21,[49152 - 65534]"
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp -m tcp --sport 49152:65534 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp -m state --state ESTABLISHED -j ACCEPT
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -j REJECT --reject-with icmp-port-unreachable
	${IPTABLES} -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	${IPTABLES} -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	${IPTABLES} -A OUTPUT -p tcp -m tcp --sport 49152:65534 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

	echo " * droping http on port 80 to external users"
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -s ${ALL} -p tcp --dport 80 -m state --state NEW -j DROP

	echo " * droping https on port 443 to external users"
	${IPTABLES} -A INPUT -i ${IFACE_EXT} -s ${ALL} -p tcp --dport 443 -m state --state NEW -j DROP

	# DROP everything else and Log it
	${IPTABLES} -A INPUT -j LOG
	${IPTABLES} -A INPUT -j DROP

	#
	# Save settings
	#
	echo " * SAVING RULES"

	if [[ -d /etc/network/if-pre-up.d ]]; then
	if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
	echo -e "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
	echo -e "test -e /etc/iptables.rules && iptables-restore -c /etc/iptables.rules" >> /etc/network/if-pre-up.d/iptables
	chmod +x /etc/network/if-pre-up.d/iptables
	fi
	fi

	iptables-save > /etc/fw-rules-websrv-02.rules
	iptables-restore -c /etc/fw-rules-websrv-02.rules