Basic IPTABLES Firewall Script
3/09/2010 01:56:00 PM
Here is a basic firewall script for servers running HTTP and FTP. The script is commented so its easy to put in additional rules. Also note that you have to put your own DNS server in $dnsIP variable. Additional ports (tcp or udp) to be opened may placed in allow_tcp and allow_udp variables. Before using the script make sure to do chmod +x iptables.sh first.
Usage:
./iptables.sh start
or
./iptables.sh stop
and now the script:
#!/bin/sh # John Homer H Alvero # [email protected] # March 9, 2010 set -e iptables="/sbin/iptables" modprobe="/sbin/modprobe" dnsIP="8.8.8.8" #IP Address of DNS server allow_tcp="80 22" #This will allow SSH and HTTP, add more ports as needed allow_udp="" load () { echo "Loading Kernel modules" $modprobe ip_tables $modprobe ip_conntrack $modprobe iptable_filter $modprobe ipt_state echo "Kernel modules loaded." echo "Loading rules" #Set Default policy $iptables -P FORWARD DROP $iptables -P INPUT DROP $iptables -P OUTPUT DROP #Allow RELATED and ESTABLISHED connections $iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #Allow traffic to localhost $iptables -A INPUT -s 127.0.0.1 -j ACCEPT #Allow DNS Queries to DNS Server $iptables -A INPUT -p udp -s $dnsIP/32 --source-port 53 -d 0/0 --destination-port 1024:65535 -j ACCEPT $iptables -A OUTPUT -p udp --destination $dnsIP --dport 53 -j ACCEPT if [ -n "$allow_tcp" ]; then for i in $allow_tcp do $iptables -A INPUT -p tcp -m tcp --destination-port $i -j ACCEPT done fi if [ -n "$allow_udp" ]; then for i in $allow_udp do $iptables -A INPUT -p udp --destination-port $i -j ACCEPT done fi #Add additional rules here. echo "Rules loaded." } flush () { echo "Flushing rules..." $iptables -P FORWARD ACCEPT $iptables -P OUTPUT ACCEPT $iptables -P INPUT ACCEPT $iptables -F echo "Rules flushed." } case "$1" in start|restart) flush load ;; stop) flush ;; *) echo "usage: start|stop|restart" ;; esac exit 0
Subscribe to:
Post Comments (Atom)
Post a Comment