Use this shell script to automate the configuration of the iptables firewall and to persist the rules across restarts.
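#!/bin/sh
# script written by aalmutareb
#
# Host firewall for the filter table: default-deny in both directions,
# an allow-list of TCP/UDP ports, rate-limited ping and SYN handling, and
# fail2ban's repeat-offender list applied as static DROP rules.
#
# Usage: $0 {start|stop|restart|status}
#
# Environment (optional):
#   WAN_IF  interface the ping / SYN rate limits are bound to (default: eth0)
#
# Must run as root. Policies are switched to DROP before the rules are
# loaded, so a failure halfway through leaves the host closed, not open.

set -u

IPT=/sbin/iptables
IP6T=/sbin/ip6tables
IPT_SAVE=/sbin/iptables-save
FAIL2BAN=/etc/init.d/fail2ban

# make sure to include the repeat-offender list from fail2ban / make it persist a restart
BLACKLIST=/etc/fail2ban/blocklists/ip.blocklist.repeatoffender

# interface the rate-limited rules apply to (was hard-coded to eth0)
WAN_IF="${WAN_IF:-eth0}"

# list the needed ports (space-separated; the for-loops below rely on
# word splitting, so these are deliberately expanded unquoted)
IN_ALLOWED_TCP="20 21 22 25 53 80 143 443 587 993 995"
OUT_ALLOWED_TCP="20 21 22 25 53 80 123 143 443 587 993 995"
IN_ALLOWED_UDP="53"
OUT_ALLOWED_UDP="53"
LOCAL_ALLOWED_TCP=""
# ICMP has no ports: these lists hold ICMP type names or numbers as
# accepted by `--icmp-type` (the old `--dport` form is rejected by
# iptables for -p icmp). Both are empty by default.
IN_ALLOWED_ICMP=""
OUT_ALLOWED_ICMP=""

# Print a message on stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Every branch except usage talks to netfilter, which needs root.
require_root() {
  [ "$(id -u)" -eq 0 ] || die "$0: must be run as root"
}

# Remove every rule and every user-defined chain in the filter table for
# both address families. `-F` alone leaves (now empty) chains such as the
# f2b-* ones and SYN_FLOOD behind, which would make a later `-N` fail.
flush_all() {
  "$IPT" -F
  "$IPT" -X
  "$IP6T" -F
  "$IP6T" -X
}

case "${1:-}" in
start)
  require_root
  # Stopping IP trap (fail2ban re-creates its chains when restarted below)
  echo "Stopping fail2ban IP trap ..."
  "$FAIL2BAN" stop
  flush_all
  # Defaults: deny everything not explicitly allowed, for IPv4 and IPv6
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" DROP
    "$IP6T" -P "$chain" DROP
  done
  # loopback communication (IPv6 loopback too, so services bound to ::1
  # keep working; all other IPv6 traffic stays dropped by policy)
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT
  "$IP6T" -A INPUT -i lo -j ACCEPT
  "$IP6T" -A OUTPUT -o lo -j ACCEPT
  # persist on connections
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Ban blacklisted IPs: first field of every non-comment line.
  # (The original loop lacked $(...) and iterated over the literal words
  # "grep -v ^# <file>", so the list was never applied.)
  if [ -r "$BLACKLIST" ]; then
    for x in $(grep -v '^#' "$BLACKLIST" | awk '{print $1}'); do
      echo "Blocking $x..."
      "$IPT" -A INPUT -t filter -s "$x" -j DROP
    done
  else
    echo "Warning: blacklist $BLACKLIST not readable, no repeat offenders blocked" >&2
  fi
  # SYN-flood guard. New TCP connections above the limit are dropped; the
  # ones under it RETURN to INPUT and still have to hit an allowed-port rule
  # below. This replaces the old `--syn -m limit --limit 5/s -j ACCEPT`,
  # which sat after the port rules and therefore accepted up to 5 new
  # connections per second to ANY port on the interface.
  "$IPT" -N SYN_FLOOD
  "$IPT" -A SYN_FLOOD -m limit --limit 5/s -j RETURN
  "$IPT" -A SYN_FLOOD -j DROP
  "$IPT" -A INPUT -i "$WAN_IF" -p tcp --syn -j SYN_FLOOD
  # TCP rules in local (loopback is already accepted above; this is for
  # services that explicitly filter on the loopback address)
  for port in $LOCAL_ALLOWED_TCP; do
    echo "Accepting TCP port $port"
    "$IPT" -A INPUT -t filter -p tcp -s 127.0.0.0/8 --dport "$port" -j ACCEPT
  done
  # TCP rules in
  for port in $IN_ALLOWED_TCP; do
    echo "Accepting TCP port $port"
    "$IPT" -A INPUT -t filter -p tcp --dport "$port" -j ACCEPT
  done
  # TCP rules out
  for port in $OUT_ALLOWED_TCP; do
    echo "Allowing sending over TCP port $port"
    "$IPT" -A OUTPUT -t filter -p tcp --dport "$port" -j ACCEPT
  done
  # UDP rules in
  for port in $IN_ALLOWED_UDP; do
    echo "Accepting UDP port $port"
    "$IPT" -A INPUT -t filter -p udp --dport "$port" -j ACCEPT
  done
  #/sbin/iptables -A INPUT -t filter -p udp -m udp --dport 1024:65535 --sport 6277 -j ACCEPT
  # UDP rules out
  for port in $OUT_ALLOWED_UDP; do
    echo "Allowing sending over UDP port $port"
    "$IPT" -A OUTPUT -t filter -p udp --dport "$port" -j ACCEPT
  done
  #/sbin/iptables -A OUTPUT -t filter -p udp -m udp --sport 6277 --dport 1023 -j ACCEPT
  # ICMP rules in
  for icmp_type in $IN_ALLOWED_ICMP; do
    echo "Accepting ICMP type $icmp_type"
    "$IPT" -A INPUT -t filter -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  "$IPT" -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  # answer pings on the WAN interface, rate limited
  "$IPT" -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # ICMP rules out
  for icmp_type in $OUT_ALLOWED_ICMP; do
    echo "Allowing sending over ICMP type $icmp_type"
    "$IPT" -A OUTPUT -t filter -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  "$IPT" -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  "$IPT" -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # NOTE: the old `OUTPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT` is
  # intentionally gone: it let any outbound connection through at 5/s,
  # bypassing OUT_ALLOWED_TCP. Outbound is now strictly the allow-list.
  # Dropping startup requests (explicit; also covered by the DROP policy)
  "$IPT" -A INPUT -t filter -p tcp --syn -j DROP
  # Restarting IP trap
  echo "Fire up IP trap again ..."
  "$FAIL2BAN" start
  ;;
stop)
  require_root
  "$FAIL2BAN" stop
  flush_all
  # open every chain in both families; the old version only reset the
  # IPv4 INPUT/OUTPUT policies and left FORWARD and all of IPv6 on DROP
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT
    "$IP6T" -P "$chain" ACCEPT
  done
  echo "Warning! Firewall is stopped, server is unprotected now!"
  ;;
restart)
  "$0" stop
  sleep 1
  "$0" start
  ;;
status)
  require_root
  # The DROP policy on INPUT is something this script itself sets, so it
  # is the marker for "our rules are loaded". (The previous check looked
  # for icmp-port-unreachable, which is the REJECT fail2ban emits, not a
  # rule from this script.)
  if "$IPT_SAVE" | grep -q '^:INPUT DROP'; then
    echo "custom iptables rules are set"
  else
    echo "custom iptables rules missing!!"
    # echo "/etc/init.d/firewall start"
  fi
  if "$IPT_SAVE" | grep -q f2b; then
    echo "f2b rules are set"
  else
    echo "f2b rules missing!!"
    # echo "/etc/init.d/firewall start"
  fi
  ;;
*)
  echo "Usage $0 {start|stop|restart|status}" >&2
  exit 2
  ;;
esac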