Skip to content

Instantly share code, notes, and snippets.

@ymauray

ymauray/firewall.sh

Created March 3, 2017 20:04
Show Gist options
  • Save ymauray/223ec757d6e1cbb57bbaacc7226771c4 to your computer and use it in GitHub Desktop.
Save ymauray/223ec757d6e1cbb57bbaacc7226771c4 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
firewall.sh
#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Sets/unsets iptables rules
# Description: Sets/unsets iptables rules.
# This script will set/unset iptables rules.
### END INIT INFO
case "$1" in
start)
# Ne pas casser les connexions etablies
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo - Ne pas casser les connexions établies : [OK]
# Autoriser loopback
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo - Autoriser loopback : [OK]
# Blacklist
/sbin/iptables -A INPUT -s 1.93.34.13 -j DROP
/sbin/iptables -A INPUT -s 1.93.34.219 -j DROP
/sbin/iptables -A INPUT -s 5.135.161.162 -j DROP
/sbin/iptables -A INPUT -s 14.141.13.34 -j DROP
/sbin/iptables -A INPUT -s 14.207.48.137 -j DROP
/sbin/iptables -A INPUT -s 23.20.37.80 -j DROP
# And so on, and so one
echo - Blacklist : [OK]
# Autoriser SSH
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 1223 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 1022 -j ACCEPT
echo - Autoriser SSH : [OK]
# Autoriser NoMachine
/sbin/iptables -t filter -A INPUT -p tcp --dport 4000 -j ACCEPT
echo - Autoriser NoMachine : [OK]
# Autoriser les requetes SSH, DNS, FTP, HTTP, NTP, NNTP, OCO
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 79 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 8081 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 8210 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 119 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p udp --dport 9004 -j ACCEPT
echo - Autoriser les requetes SSH, DNS, FTP, HTTP, NTP, NNTP, OCO : [OK]
# HTTP
/sbin/iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 7474 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 7473 -j ACCEPT
echo - Autoriser serveur Apache : [OK]
/sbin/iptables -t filter -A INPUT -p tcp --dport 4242 -j ACCEPT
echo - Autoriser Quassel : [OK]
# SHOUTCAST
# -- Invités
/sbin/iptables -t filter -A INPUT -p tcp --dport 8890 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 8891 -j ACCEPT
# -- Euterpia Radio
/sbin/iptables -t filter -A INPUT -p tcp --dport 8888 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 8889 -j ACCEPT
# -- Nephie
/sbin/iptables -t filter -A INPUT -p tcp --dport 8765 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 8766 -j ACCEPT
# -- Le Village
/sbin/iptables -t filter -A INPUT -p tcp --dport 8900 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 8901 -j ACCEPT
# -- Bluu
/sbin/iptables -t filter -A INPUT -p tcp --dport 8902 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 8903 -j ACCEPT
# -- Linoa / Karen
/sbin/iptables -t filter -A INPUT -p tcp --dport 8904 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 8905 -j ACCEPT
# -- Batty
/sbin/iptables -t filter -A INPUT -p tcp --dport 8906 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 8907 -j ACCEPT
echo - Autoriser serveur Shoutcast : [OK]
# ICECAST
/sbin/iptables -t filter -A INPUT -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 8001 -j ACCEPT
echo - Autoriser serveur IceCast : [OK]
# TEAMSPEAK
/sbin/iptables -A INPUT -p udp --dport 8767 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 8768 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 8765 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 14534 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51234 -j ACCEPT
echo - Autoriser TeamSpeak : [OK]
# TEAMSPEAK 3
/sbin/iptables -A INPUT -p udp --dport 9987 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 9988 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 9989 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 30033 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 10011 -j ACCEPT
echo - Autoriser TeamSpeak 3 : [OK]
# MURMUR
/sbin/iptables -A INPUT -p udp --dport 64738 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 64738 -j ACCEPT
echo - Autoriser Mumble : [OK]
# OCO
/sbin/iptables -t filter -A INPUT -p tcp --dport 79 -j ACCEPT
echo - Autoriser serveur OCO : [OK]
# DNS
/sbin/iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo - Autoriser serveur DNS : [OK]
# FTP
/sbin/iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo - Autoriser serveur FTP : [OK]
# Mail
# Allows SMTP access
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
# Allows imap and imaps connections
/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
echo - Autoriser serveur Mail : [OK]
# RTM
/sbin/iptables -t filter -A OUTPUT -p udp --dport 6100:6200 -j ACCEPT
echo - Autoriser monitoring RTM : [OK]
#Ping OVH
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 91.121.88.250 -j ACCEPT # IP = aaa.bbb.ccc obtenue selon la règle precedente
/sbin/iptables -A INPUT -i eth0+ -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
echo - Ping OVH : [OK]
#Git
/sbin/iptables -t filter -A OUTPUT -p udp --dport 9418 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 9418 -j ACCEPT
echo - GIT : [OK]
#GOGS
/sbin/iptables -t filter -A INPUT -p tcp --dport 3000 -j ACCEPT
#MQTT
/sbin/iptables -t filter -A INPUT -p tcp --dport 1883 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 1884 -j ACCEPT
# on refuse tout le reste
/sbin/iptables -A INPUT -j REJECT
/sbin/iptables -A OUTPUT -j REJECT
/sbin/iptables -A FORWARD -j REJECT
exit 0
;;
stop)
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
exit 0
;;
status)
/sbin/iptables -L -n | grep DROP > /dev/null
if [ "$?" -eq "0" ]
then
echo "Firewall is up"
exit 0
else
echo "Firewall is down"
exit 3
fi
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment