Saturday, August 17, 2013

VERY basic iptables rules in a shell script.

I'm just putting this here for future reference. One caveat on the rules as written: `--dports`/`--sports` are options of the `multiport` match and need `-m multiport` in front of them, and the plain `--dport`/`--sport` options take a single port (or a range), not a comma-separated list — iptables rejects a rule that gets this wrong, so check the output when applying it.
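#!/bin/sh
#
# Minimal IPv4 host firewall: default-DROP on INPUT, FORWARD and OUTPUT;
# allow SSH, HTTP and HTTPS in; allow a short list of TCP services, DNS and
# ping out; log and drop everything else that reaches the end of INPUT.
#
# Usage: run as root. The rules take effect immediately and are NOT
# persisted (use iptables-save or the distro's persistence mechanism).
# Only IPv4 is configured: if IPv6 is enabled on the host, ip6tables keeps
# its own (usually ACCEPT) policy and needs a separate rule set.
#
# Deliberately no 'set -e': aborting half way through -- after the DROP
# policies are set but before the SSH ACCEPT rule -- would lock a remote
# administrator out. When applying this over SSH keep a fallback such as
#   sleep 300 && iptables -P INPUT ACCEPT && iptables -F
# running in the background until access has been confirmed.

DEVICE=eth0

# Start from a clean filter table: flush every chain and delete any
# user-defined chains, otherwise 'iptables -N LOGGING' fails on a re-run.
iptables -F
iptables -X

# Default-deny on every chain. The ESTABLISHED SSH rule is added right
# after this, so an existing conntrack-tracked admin session survives.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Incoming SSH (port 22).
iptables -A INPUT -i "$DEVICE" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o "$DEVICE" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Loopback: most local services (resolvers, databases, the LOGGING chain's
# syslog path) need it, so accept it unconditionally.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Incoming HTTP (80) and HTTPS (443). A port list needs the multiport match:
# '--dports'/'--sports' are multiport options and are rejected without
# '-m multiport', and '--dport'/'--sport' take a single port or range only.
iptables -A INPUT -i "$DEVICE" -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o "$DEVICE" -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

# Outgoing FTP control (21), HTTP (80), HTTPS (443) and MySQL (3306).
# NOTE: this covers the FTP control channel only; FTP data connections use a
# separate port and would additionally need the RELATED state plus the
# nf_conntrack_ftp helper.
iptables -A OUTPUT -o "$DEVICE" -p tcp -m multiport --dports 21,80,443,3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$DEVICE" -p tcp -m multiport --sports 21,80,443,3306 -m state --state ESTABLISHED -j ACCEPT

# Outgoing ping. Replies are only accepted when conntrack has seen our
# request (ESTABLISHED), so arbitrary inbound echo-replies are not waved in.
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT

# Incoming ping.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Outbound DNS. The reply rule is restricted to ESTABLISHED: without it any
# UDP datagram with source port 53 could reach any local port.
iptables -A OUTPUT -o "$DEVICE" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$DEVICE" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# Mail (port 25), disabled by default; uncomment on a mail host.
#iptables -A INPUT -i "$DEVICE" -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o "$DEVICE" -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# Log, then drop, whatever reaches the end of INPUT. The limit keeps a flood
# from filling the log; 500/min is generous, tune it down on a busy host.
# Level 7 is 'debug' -- check that the local syslog configuration actually
# records kernel messages at that level, or nothing will be written.
# OUTPUT and FORWARD drops are not logged; add the same jump there if needed.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 500/min -j LOG --log-prefix "Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP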

Reference: http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
