A simple script to lock down your Ubuntu (or other Linux) server with an iptables firewall. The script also restricts outbound traffic, so be sure to add rules for any services the server needs to reach. Also set your preferred SSH port.
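#!/bin/bash
#
# Lock down a Linux host with iptables.
#
# Sets the default policy of INPUT, OUTPUT and FORWARD to DROP, then adds
# explicit ACCEPT rules for: local DHCP, DNS to the listed resolvers,
# loopback, the listed package mirrors (ftp/http/https), inbound ftp/http/https,
# inbound OpenVPN (udp 1194), inbound SSH, outbound ICMP and NTP, and the VPN
# tunnel interface. Everything else is logged (rate limited) and dropped.
#
# Usage: run as root. Settings can be overridden from the environment:
#   IFACE     public interface                    (default: eth0)
#   SSH_PORT  inbound SSH port                     (default: 22)
#   VPN_NET   VPN client network allowed to forward (default: 10.8.0.0/24)
#
# NOTE: the default policies are switched to DROP *before* the ACCEPT rules
# are loaded. When run over SSH, packets of the current session are dropped
# until the SSH rule below is added; TCP retransmission normally covers that
# gap, but if the script stops between the policy change and the SSH rule
# you are locked out. Keep console access available the first time.

set -u

IPT="/sbin/iptables"
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Address of the public interface. Informational only: no rule below uses it.
SERVER_IP="$(ip -4 addr show "$IFACE" | awk '/inet / { print $2; exit }')"

# Resolvers this host uses (see /etc/resolv.conf). Space separated.
DNS_SERVER="8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220"

# Package mirrors this host may reach. Space separated.
# NOTE: hostnames are resolved once, when the rule is loaded (iptables expands
# a name to every address it resolves to at that moment). If a mirror changes
# address later the rule goes stale; re-run the script to refresh it.
PACKAGE_SERVER="ftp.us.debian.org security.debian.org archive.ubuntu.com security.ubuntu.com ppa.launchpad.net"

# Pre-flight: refuse to run without root or without the iptables binary, so we
# never end up with a half-applied rule set.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "this script must be run as root" >&2
  exit 1
fi
if [[ ! -x "$IPT" ]]; then
  echo "iptables not found at $IPT" >&2
  exit 1
fi

echo "flush iptable rules"
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X
"$IPT" -t mangle -F
"$IPT" -t mangle -X

echo "Set default policy to 'DROP'"
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT DROP

# DHCP uses udp 67 (server) and 68 (client) in both directions; the original
# destination range 67:78 was a typo that also opened ports 69-78.
echo "Set local DHCP"
"$IPT" -A INPUT -i "$IFACE" -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

## This should be one of the first rules,
## so dns lookups are already allowed for your other rules (the package
## mirror names below are resolved while those rules are loaded).
for ip in $DNS_SERVER; do   # word-splitting on purpose: space-separated list
  echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
  "$IPT" -A OUTPUT -p udp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -p udp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -p tcp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
done

echo "allow all and everything on localhost"
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Outbound ftp/http/https to each package mirror, plus the matching replies.
for ip in $PACKAGE_SERVER; do   # word-splitting on purpose: space-separated list
  for port in 21 80 443; do
    echo "Allow connection to '$ip' on port $port"
    "$IPT" -A OUTPUT -p tcp -m tcp -d "$ip" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -p tcp -m tcp -s "$ip" --sport "$port" -m state --state ESTABLISHED -j ACCEPT
  done
done

#######################################################################################################
## Global iptable rules. Not IP specific

echo "Allowing new and established incoming connections to port 21, 80, 443"
"$IPT" -A INPUT -p tcp -m multiport --dports 21,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -p tcp -m multiport --sports 21,80,443 -m state --state ESTABLISHED -j ACCEPT

echo "Allowing new and established OpenVPN connections to port 1194 udp"
"$IPT" -A INPUT -p udp -m udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -p udp -m udp --sport 1194 -m state --state ESTABLISHED -j ACCEPT

echo "Allow incoming ssh connections to port $SSH_PORT"
"$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -p tcp --sport "$SSH_PORT" -m state --state ESTABLISHED -j ACCEPT

# Outbound ICMP of any type is allowed; inbound is limited to replies.
echo "Allow outgoing icmp connections (pings,...)"
"$IPT" -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allow outgoing connections to port 123 (ntp syncs)"
"$IPT" -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

# VPN tunnel: everything on tun0 is trusted, in all three chains.
echo "Allow traffic on the TUN interface"
"$IPT" -A INPUT -i tun0 -j ACCEPT
"$IPT" -A FORWARD -i tun0 -j ACCEPT
"$IPT" -A OUTPUT -o tun0 -j ACCEPT

# Allow forwarding only from the VPN client network out the public interface
# (the unconditional "-i tun0" rule above already matches this; kept so the
# intent survives if that rule is tightened) and the replies to it.
"$IPT" -A FORWARD -i tun0 -o "$IFACE" -s "$VPN_NET" -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log before dropping. The limit keeps a flood from filling the log; dropped
# packets beyond 12/min are silently discarded by the final DROP rules.
"$IPT" -A FORWARD -j LOG -m limit --limit 12/min --log-level 4 --log-prefix "IP FORWARD drop: "
"$IPT" -A FORWARD -j DROP
"$IPT" -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: '
"$IPT" -A INPUT -j DROP
"$IPT" -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: '
"$IPT" -A OUTPUT -j DROP

exit 0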