Use this shell script to automate the configuration of the iptables firewall and re-apply the rules across restarts.
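#!/bin/sh
# script written by aalmutareb
#
# Host firewall init script:  firewall {start|stop|restart|status}
#
# start   rebuilds a default-deny iptables rule set: loopback and
#         established traffic, fail2ban repeat-offender bans, the
#         allow-listed ports below and rate-limited ping/SYN handling.
#         fail2ban is stopped while the rules are rebuilt and started
#         again afterwards so its chains are recreated on top of them.
# stop    flushes the rules and opens INPUT/OUTPUT (FORWARD and every
#         ip6tables chain keep the DROP policy from the last start).
# status  reports, from iptables-save output, whether this script's rules
#         and fail2ban's chains are currently loaded.
#
# Must run as root. Needs /sbin/iptables, /sbin/ip6tables,
# /sbin/iptables-save and /etc/init.d/fail2ban.

# fail2ban repeat-offender list: one address per line, "#" starts a comment.
BLACKLIST=/etc/fail2ban/blocklists/ip.blocklist.repeatoffender

# Interface the inbound ping/SYN rate limits are bound to (override via env).
WAN_IFACE="${WAN_IFACE:-eth0}"

# list the needed ports (space separated; an empty list opens nothing)
IN_ALLOWED_TCP="20 21 22 25 53 80 143 443 587 993 995"
OUT_ALLOWED_TCP="20 21 22 25 53 80 123 143 443 587 993 995"
IN_ALLOWED_UDP="53"
OUT_ALLOWED_UDP="53"
LOCAL_ALLOWED_TCP=""
# ICMP has no ports, so "-p icmp --dport" is rejected by iptables; the
# per-port ICMP lists of the original never produced a rule and are gone.
# ICMP is handled by the --icmp-type rules in firewall_start.

# New-connection (SYN) rate limit applied in both directions.
SYN_LIMIT="5/s"
SYN_BURST="10"

#######################################
# Append one ACCEPT rule per port to the filter table.
# Plain sh has no 'local', so the variables are prefixed instead.
# Arguments: $1 chain (INPUT|OUTPUT), $2 protocol (tcp|udp),
#            $3 space-separated port list (may be empty), $4 log prefix
# Outputs:   one "<prefix> <port>" line per rule on stdout
#######################################
allow_ports() {
  ap_chain=$1
  ap_proto=$2
  ap_ports=$3
  ap_msg=$4
  # unquoted on purpose: the list is split on whitespace
  for port in $ap_ports; do
    echo "$ap_msg $port"
    /sbin/iptables -A "$ap_chain" -t filter -p "$ap_proto" --dport "$port" -j ACCEPT
  done
}

#######################################
# DROP every address listed in $BLACKLIST. Comment lines and blank lines
# are skipped and only the first field of a line is used. A missing or
# unreadable list is reported on stderr but does not stop the rule build.
# Globals:   BLACKLIST (read)
#######################################
ban_blacklist() {
  if [ ! -r "$BLACKLIST" ]; then
    echo "Warning: $BLACKLIST not readable, repeat offenders not banned" >&2
    return 0
  fi
  awk '!/^#/ && NF { print $1 }' "$BLACKLIST" | while IFS= read -r ip; do
    echo "Blocking $ip..."
    /sbin/iptables -A INPUT -t filter -s "$ip" -j DROP
  done
}

#######################################
# Build the complete rule set from scratch (see file header).
# Globals:   WAN_IFACE, *_ALLOWED_*, SYN_LIMIT, SYN_BURST (read)
#######################################
firewall_start() {
  # Stopping IP trap
  echo "Stopping fail2ban IP trap ..."
  /etc/init.d/fail2ban stop

  # Clear: flush every chain, then delete the (now empty) user chains so
  # the syn_flood chain below can be recreated on every start.
  /sbin/iptables -F
  /sbin/iptables -X
  /sbin/ip6tables -F
  /sbin/ip6tables -X

  # Defaults
  /sbin/iptables -P INPUT DROP
  /sbin/iptables -P OUTPUT DROP
  /sbin/iptables -P FORWARD DROP
  /sbin/ip6tables -P INPUT DROP
  /sbin/ip6tables -P OUTPUT DROP
  /sbin/ip6tables -P FORWARD DROP

  # loopback communication, v4 and v6. With DROP policies and no v6
  # loopback rule anything bound to ::1 would be unreachable; no other
  # IPv6 traffic is opened by this script.
  /sbin/iptables -A INPUT -i lo -j ACCEPT
  /sbin/iptables -A OUTPUT -o lo -j ACCEPT
  /sbin/ip6tables -A INPUT -i lo -j ACCEPT
  /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT

  # Ban blacklisted IPs -- placed before the state rule so a ban also
  # cuts connections that are already established.
  ban_blacklist

  # persist on connections
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # SYN flood protection. SYNs above the limit are dropped in syn_flood;
  # SYNs under it RETURN and are still subject to the port allow-list
  # below. The previous "--syn -m limit ... -j ACCEPT" form accepted slow
  # connection attempts to every port, bypassing the allow-list.
  /sbin/iptables -N syn_flood
  /sbin/iptables -A syn_flood -m limit --limit "$SYN_LIMIT" --limit-burst "$SYN_BURST" -j RETURN
  /sbin/iptables -A syn_flood -j DROP
  /sbin/iptables -A INPUT -p tcp --syn -i "$WAN_IFACE" -j syn_flood
  /sbin/iptables -A OUTPUT -p tcp --syn -j syn_flood

  # TCP rules in local
  for port in $LOCAL_ALLOWED_TCP; do
    echo "Accepting TCP port $port"
    /sbin/iptables -A INPUT -t filter -p tcp -s localhost --dport "$port" -j ACCEPT
  done

  # TCP rules in / out
  allow_ports INPUT tcp "$IN_ALLOWED_TCP" "Accepting TCP port"
  allow_ports OUTPUT tcp "$OUT_ALLOWED_TCP" "Allowing sending over TCP port"

  # UDP rules in / out
  allow_ports INPUT udp "$IN_ALLOWED_UDP" "Accepting UDP port"
  allow_ports OUTPUT udp "$OUT_ALLOWED_UDP" "Allowing sending over UDP port"

  # ICMP rules in: echo replies always, pings at most 1/s on the WAN side
  /sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  /sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i "$WAN_IFACE" -j ACCEPT

  # ICMP rules out
  /sbin/iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  /sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

  # Dropping startup requests (explicit; the INPUT policy is DROP anyway)
  /sbin/iptables -A INPUT -t filter -p tcp --syn -j DROP

  # Restarting IP trap
  echo "Fire up IP trap again ..."
  /etc/init.d/fail2ban start
}

#######################################
# Flush the IPv4 rules and open INPUT/OUTPUT. FORWARD and the ip6tables
# policies are not touched and therefore stay DROP after a start.
#######################################
firewall_stop() {
  /etc/init.d/fail2ban stop
  /sbin/iptables -F
  /sbin/iptables -X
  /sbin/iptables -P INPUT ACCEPT
  /sbin/iptables -P OUTPUT ACCEPT
  echo "Warning! Firewall is stopped, server is unprotected now!"
}

#######################################
# Report whether this script's rules and fail2ban's chains are loaded.
# The old check looked for "icmp-port-unreachable", a REJECT target this
# script never installs, so it always reported the rules as missing.
#######################################
firewall_status() {
  # the syn_flood jump exists only while firewall_start's rules are in
  # place; a policy line alone would survive a flush.
  if /sbin/iptables-save | grep -q -- '-j syn_flood'; then
    echo "custom iptables rules are set"
  else
    echo "custom iptables rules missing!!"
  fi
  # fail2ban's chains carry an "f2b" prefix in current versions
  if /sbin/iptables-save | grep -q f2b; then
    echo "f2b rules are set"
  else
    echo "f2b rules missing!!"
  fi
}

case "${1:-}" in
  start)
    firewall_start
    ;;
  stop)
    firewall_stop
    ;;
  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;
  status)
    firewall_status
    ;;
  *)
    echo "Usage $0 {start|stop|restart|status}"
    ;;
esac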