scorredoira · May 10, 2020 15:18
diff --git a/gistfile1.txt b/gistfile1.txt
 # flush iptable rules
 iptables -F

 # Allowing DNS lookups (tcp, udp port 53)
 iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT  -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT  -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

 # Allow web traffic
 iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT  -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED     -j ACCEPT

 # Allow smtp traffic
 iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587,2525  -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT  -p tcp -m multiport --sports 25,465,587,2525  -m state --state ESTABLISHED     -j ACCEPT

 # Allow outgoing icmp connections (pings,...)
 iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
 iptables -A INPUT  -p icmp -m state --state ESTABLISHED,RELATED     -j ACCEPT

 # Allow outgoing connections to port 123 (ntp syncs)
 iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED     -j ACCEPT

 # allow everything on localhost
 iptables -A OUTPUT -o lo -j ACCEPT
 iptables -A INPUT  -i lo -j ACCEPT

 # allow everything from my IP <% if(model.allIP) { %>
    iptables -A INPUT -s <%= model.allIP %> -j ACCEPT
 <% } %>

 # allow SSH AND RSYNC from this IP's <% 
 for(let host of model.allowed) { %>
    iptables -A OUTPUT -p tcp -s <%= host.ip %> -m multiport --dports <%= host.ports %> -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT  -p tcp -s <%= host.ip %> -m multiport --dports <%= host.ports %> -m state --state ESTABLISHED     -j ACCEPT
 <% } %>

 # Set default policy to 'DROP'
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -j DROP
 iptables -A INPUT -m conntrack -j ACCEPT --ctstate RELATED,ESTABLISHED
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -j DROP
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -j DROP
	# flush iptable rules
	iptables -F

	# Allowing DNS lookups (tcp, udp port 53)
	iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

	# Allow web traffic
	iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

	# Allow smtp traffic
	iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587,2525 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -m multiport --sports 25,465,587,2525 -m state --state ESTABLISHED -j ACCEPT

	# Allow outgoing icmp connections (pings,...)
	iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
	iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Allow outgoing connections to port 123 (ntp syncs)
	iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

	# allow everything on localhost
	iptables -A OUTPUT -o lo -j ACCEPT
	iptables -A INPUT -i lo -j ACCEPT

	# allow everything from my IP <% if(model.allIP) { %>
	iptables -A INPUT -s <%= model.allIP %> -j ACCEPT
	<% } %>

	# allow SSH AND RSYNC from this IP's <%
	for(let host of model.allowed) { %>
	iptables -A OUTPUT -p tcp -s <%= host.ip %> -m multiport --dports <%= host.ports %> -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -s <%= host.ip %> -m multiport --dports <%= host.ports %> -m state --state ESTABLISHED -j ACCEPT
	<% } %>

	# Set default policy to 'DROP'
	iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A OUTPUT -j DROP
	iptables -A INPUT -m conntrack -j ACCEPT --ctstate RELATED,ESTABLISHED
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A INPUT -j DROP
	iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A FORWARD -j DROP