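#!/bin/sh
#
# iptables script for server.
#
# Usage: $0 start|stop|restart
#
#   start   - load the filter rules below (default policy DROP, fail-closed).
#   stop    - flush every table AND reset all policies to ACCEPT, i.e. the
#             host is left completely unfiltered afterwards.
#   restart - flush and reload. The DROP policies set by the previous
#             start are kept while the rules are being rebuilt, so the host
#             is closed (not open) during the reload window.
#
# Running "start" twice without a flush appends every rule a second time;
# use "restart" to reload.
#

#
# Global configuration.
#
IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"

#######################################
# Load the filter table rules.
# Globals:   IPTABLES, MODPROBE (read)
# Arguments: none
# Returns:   status of the last iptables call
#######################################
start() {
  #
  # 1. Configuration options.
  #
  # 1.1 Local Area Network configuration.
  #
  # NOTE: LAN_IP and LAN_IFACE are not referenced by any active rule below;
  # LAN_BROADCAST is only used by the commented-out rule in 3.4.10.
  LAN_IP="10.10.20.10"
  LAN_IFACE="eth0"
  LAN_BROADCAST="10.10.20.255"

  #
  # 1.2 Loopback configuration.
  #
  # LO_IP is not referenced by any active rule below.
  LO_IP="127.0.0.1"
  LO_IFACE="lo"

  #
  # 2. Module loading.
  #
  # 2.1 Required modules.
  #
  # The FTP connection-tracking helper marks FTP data connections as
  # RELATED, so rule 3.4.1 accepts them without a dedicated port rule.
  # Conntrack helpers inspect payload to open those pinholes, so only
  # load the ones actually needed. (On recent kernels the module is
  # named nf_conntrack_ftp; this call fails silently if the old name is
  # unknown and the helper is then simply not active.)
  "$MODPROBE" ip_conntrack_ftp

  #
  # 2.2 Non-Required modules.
  #
  #"$MODPROBE" ip_conntrack_tftp
  #"$MODPROBE" ip_conntrack_irc

  #
  # 3. Filter table.
  #
  # 3.1 Set default policies.
  #
  # Everything not explicitly accepted below is dropped (fail-closed).
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  #
  # 3.2 Drop all fragment packets.
  #
  # NOTE(review): with connection tracking loaded the kernel usually
  # reassembles fragments before the filter table sees them, so this rule
  # may rarely match; it is kept as defence in depth.
  #"$IPTABLES" -A INPUT -f -j LOG --log-prefix "iptables[fragment]:"
  "$IPTABLES" -A INPUT -f -j DROP

  #
  # 3.3 Loopback rules(allow all lookback packets).
  #
  "$IPTABLES" -A INPUT -i "$LO_IFACE" -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$LO_IFACE" -j ACCEPT

  #
  # 3.4 Input rules.
  #
  # 3.4.1 Allow all established and related packets.
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  #
  # 3.4.2 Allow ftp(21).
  #
  #"$IPTABLES" -A INPUT -p tcp --dport ftp --syn -m state --state NEW -j ACCEPT

  #
  # 3.4.3 Allow ssh(22).
  #
  #"$IPTABLES" -A INPUT -p tcp --dport ssh --syn -m state --state NEW -j ACCEPT

  #
  # 3.4.4 Allow smtp(25).
  #
  #"$IPTABLES" -A INPUT -p tcp --dport smtp --syn -m state --state NEW -j ACCEPT

  #
  # 3.4.5 Allow dns request(53).
  #
  #"$IPTABLES" -A INPUT -p udp --dport domain -m state --state NEW -j ACCEPT

  #
  # 3.4.6 Allow dhcp request(67).
  #
  #"$IPTABLES" -A INPUT -p udp --dport bootps -m state --state NEW -j ACCEPT

  #
  # 3.4.7 Allow http(80).
  #
  #"$IPTABLES" -A INPUT -p tcp --dport http --syn -m state --state NEW -j ACCEPT

  #
  # 3.4.8 Allow https(443).
  #
  #"$IPTABLES" -A INPUT -p tcp --dport https --syn -m state --state NEW -j ACCEPT

  #
  # 3.4.9 Allow ping.
  #
  #"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  #
  # 3.4.10 In Microsoft Networks you will be swamped by broadcast. These lines
  # will prevent them from showing up in the logs.
  #
  #"$IPTABLES" -A INPUT -d "$LAN_BROADCAST" -p udp --dport 135:139 -j DROP

  #
  # 3.4.11 If we get dhcp request from the outside of our network, our logs
  # will be swamped as well. This rule will block them from getting logged.
  #
  #"$IPTABLES" -A INPUT -d 255.255.255.255 -p udp --dport 67:68 -j DROP

  #
  # 3.4.12 If you have a Microsoft Network on the outside of your firewall,
  # you may also get flooded by Multicast. We drop them so we do not get
  # flooded by logs.
  #
  #"$IPTABLES" -A INPUT -d 224.0.0.0/8 -j DROP

  #
  # 3.4.13 Log rules.
  #
  # Logging is off by default; enabling it records every packet that falls
  # through to the DROP policy, which is useful for detection but noisy.
  #"$IPTABLES" -A INPUT -j LOG --log-prefix "iptables[input]:"

  #
  # 3.5 Output rules.
  #
  # 3.5.1 Allow all established and related packets.
  #
  # Note that no NEW outbound connections are accepted: with the OUTPUT
  # policy at DROP the host can only answer, never initiate.
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  #
  # 3.5.2 Log rules.
  #
  #"$IPTABLES" -A OUTPUT -j LOG --log-prefix "iptables[output]:"

  #
  # 3.6 Forward rules.
  #
  # (none: FORWARD policy is DROP)

  #
  # 4. Nat table.
  #
  # (none)

  #
  # 5. Mangle table.
  #
  # (none)
}

#######################################
# Reset every built-in chain policy to ACCEPT.
# After this the host accepts all traffic; only "stop" calls it.
# Globals:   IPTABLES (read)
# Arguments: none
#######################################
resume_all() {
  #
  # Reset the default policies in the filter table.
  #
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT

  #
  # Reset the default policies in the nat table.
  #
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT

  #
  # Reset the default policies in the mangle table.
  #
  "$IPTABLES" -t mangle -P PREROUTING ACCEPT
  "$IPTABLES" -t mangle -P POSTROUTING ACCEPT
  "$IPTABLES" -t mangle -P INPUT ACCEPT
  "$IPTABLES" -t mangle -P OUTPUT ACCEPT
  "$IPTABLES" -t mangle -P FORWARD ACCEPT
}

#######################################
# Flush all rules and delete user-defined chains in every table.
# Chain policies are NOT touched here (see resume_all).
# Globals:   IPTABLES (read)
# Arguments: none
#######################################
stop() {
  #
  # Flush all the rules in the filter table.
  #
  "$IPTABLES" -F

  #
  # Erase all chains that's not default in filter table.
  #
  "$IPTABLES" -X

  #
  # Flush all the rules in the nat table.
  #
  "$IPTABLES" -t nat -F

  #
  # Erase all chains that's not default in nat table.
  #
  "$IPTABLES" -t nat -X

  #
  # Flush all the rules in the mangle table.
  #
  "$IPTABLES" -t mangle -F

  #
  # Erase all chains that's not default in mangle table.
  #
  "$IPTABLES" -t mangle -X
}

case "$1" in
  'start')
    start
    ;;
  'stop')
    stop
    resume_all
    ;;
  'restart')
    stop
    start
    ;;
  *)
    # Bad or missing action: report on stderr and fail, so init
    # systems and callers do not mistake a typo for success.
    echo "usage $0 start|stop|restart" >&2
    exit 1
    ;;
esac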