  1. #!/bin/bash
  2.  
  3. # Flush current nftables configuration
  4. nft flush ruleset
  5.  
  6. # Define table and chains
  7. nft add table inet filter
  8. nft add chain inet filter input { type filter hook input priority 0 \; }
  9. nft add chain inet filter forward { type filter hook forward priority 0 \; }
  10. nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
  11.  
  12. # Allow all loopback traffic
  13. nft add rule inet filter output oifname "lo" accept
  14.  
  15. # Essential outbound traffic
  16. # DNS - restrict to your DNS server's IP
  17. nft add rule inet filter output ip daddr x.x.x.x udp dport 53 accept
  18. nft add rule inet filter output ip daddr x.x.x.x tcp dport 53 accept
  19.  
  20. # HTTP and HTTPS
  21. nft add rule inet filter output tcp dport { 80, 443 } accept
  22.  
  23. # SMTP - consider limiting to specific mail server IPs
  24. nft add rule inet filter output tcp dport 25 accept
  25.  
  26. # Allow ICMP (ping)
  27. nft add rule inet filter output icmp type echo-request accept
  28.  
  29. # Anti-spoofing: block outgoing packets with non-allocated source IP
  30. nft add rule inet filter output oifname "eth0" ip saddr != YOUR.PUBLIC.IP.RANGE counter drop
  31.  
  32. # Allow outgoing traffic from public IP range (Modify or remove according to your network policy)
  33. nft add rule inet filter output oifname "eth0" ip saddr YOUR.PUBLIC.IP.RANGE accept
  34.  
  35. # Log other outbound traffic (for auditing purposes)
  36. nft add rule inet filter output log prefix "Dropped Outbound: " drop
  37.  
  38. echo "Egress filtering rules with nftables applied."
  39.  
  40. # Define the network interface connected to the Internet
  41. INTERNET_IFACE="eth0"
  42.  
  43. # Define your public IP range (replace with your actual IP range)
  44. YOUR_PUBLIC_IP_RANGE="YOUR.PUBLIC.IP.RANGE"
  45.  
  46. # Flush current iptables rules
  47. iptables -F
  48. iptables -t nat -F
  49. iptables -t mangle -F
  50.  
  51. # Default policies
  52. iptables -P INPUT ACCEPT
  53. iptables -P FORWARD ACCEPT
  54. iptables -P OUTPUT DROP # Default deny for outbound traffic
  55.  
  56. # Allow essential outbound traffic for specific services by enabling the necessary ports
  57. # Update or add rules as per your organizational needs
  58.  
  59. # DNS (Allow only to known DNS servers, replace x.x.x.x with your DNS server IP)
  60. iptables -A OUTPUT -p udp --dport 53 -d x.x.x.x -j ACCEPT
  61. iptables -A OUTPUT -p tcp --dport 53 -d x.x.x.x -j ACCEPT
  62.  
  63. # HTTP and HTTPS (Consider restricting to known IPs if possible)
  64. iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  65. iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
  66.  
  67. # SMTP (Consider limiting to mail server IPs)
  68. iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
  69.  
  70. # Allow outbound ICMP (ping)
  71. iptables -A OUTPUT -p icmp -j ACCEPT
  72.  
  73. # Anti-spoofing rule: Block outgoing packets with non-allocated source IP
  74. iptables -A OUTPUT -o $INTERNET_IFACE ! -s $YOUR_PUBLIC_IP_RANGE -j DROP
  75.  
  76. # Allow all traffic on the loopback interface
  77. iptables -A OUTPUT -o lo -j ACCEPT
  78.  
  79. # Log and drop other outbound traffic for auditing
  80. iptables -A OUTPUT -j LOG --log-prefix "Dropped Outbound: "
  81. iptables -A OUTPUT -j DROP
  82.  
  83. echo "Egress filtering rules applied."