Advertisement
hujuice

iptables and ip6tables

Nov 16th, 2015
165
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 6.91 KB | None | 0 0
  1. #!/bin/bash
  2. # /------------------------------------------------------------\
  3. # |                                                            |
  4. # |                Iptables configuration script               |
  5. # |                                                            |
  6. # \------------------------------------------------------------/
  7.  
  8. # ==============================================================================
  9. #
  10. # This script manage the accesses to a public host, with no public services,
  11. # except administrave access.
  12. #
  13. # Sergio Vaccaro <hujuice@inservibile.org>
  14. # ==============================================================================
  15.  
  16.  
  17. # ==============================================================
  18. # Configuration
  19. # ==============================================================
  20.  
  21. # Iptables command
  22. ipt="/sbin/iptables"
  23. ip6t="/sbin/ip6tables"
  24.  
  25. # Loopback device
  26. LO="lo"
  27.  
  28. # Internet interface
  29. IF0="eth0"
  30.  
  31. # LAN interface
  32. IF1="eth1"
  33.  
  34. # Trusted IPs
  35. TRUSTED="78.134.3.33,193.204.90.67"
  36. TRUSTED6="fe80::/10,2a02:2770:9:0:1ac2:720c:ab76:7d80"
  37.  
  38.  
  39. # ==============================================================
  40. # Bootstrap
  41. # ==============================================================
  42.  
  43. # Reset
  44. $ipt -F
  45. $ipt -t nat -F
  46. $ipt -t mangle -F
  47. $ipt -X
  48. $ipt -t nat -X
  49. $ipt -t mangle -X
  50.  
  51. $ip6t -F
  52. $ip6t -t nat -F
  53. $ip6t -t mangle -F
  54. $ip6t -X
  55. $ip6t -t nat -X
  56. $ip6t -t mangle -X
  57.  
  58. # Policies
  59. $ipt -P INPUT DROP
  60. $ipt -P OUTPUT ACCEPT
  61. $ipt -P FORWARD DROP
  62. $ipt -t nat -P OUTPUT ACCEPT
  63. $ipt -t nat -P PREROUTING ACCEPT
  64. $ipt -t nat -P POSTROUTING ACCEPT
  65. $ipt -t mangle -P PREROUTING ACCEPT
  66. $ipt -t mangle -P POSTROUTING ACCEPT
  67.  
  68. $ip6t -P INPUT DROP
  69. $ip6t -P OUTPUT ACCEPT
  70. $ip6t -P FORWARD DROP
  71.  
  72.  
  73. # ==============================================================
  74. # Chains
  75. # ==============================================================
  76.  
  77. # Log and accept chain
  78. # See http://forum.debianizzati.org/viewtopic.php?f=36&t=40198 for limit
  79. $ipt -N LogAccept
  80. $ipt -A LogAccept -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level info --log-prefix "Iptables Target ACCEPT "
  81. $ipt -A LogAccept -j ACCEPT
  82.  
  83. $ip6t -N LogAccept
  84. $ip6t -A LogAccept -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level info --log-prefix "Iptables Target ACCEPT "
  85. $ip6t -A LogAccept -j ACCEPT
  86.  
  87. # Log and refuse chain
  88. # See http://www.achab.it/blog/index.cfm/2013/9/drop-vs-reject-qual--la-differenza.htm for DROP/REJECT discussion
  89. # See http://forum.debianizzati.org/viewtopic.php?f=36&t=40198 for limit
  90. $ipt -N LogRefuse
  91. $ipt -A LogRefuse -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level warning --log-prefix "Iptables Target DROP "
  92. #$ipt -A LogRefuse -j DROP
  93. $ipt -A LogRefuse -j REJECT --reject-with icmp-port-unreachable
  94.  
  95. $ip6t -N LogRefuse
  96. $ip6t -A LogRefuse -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level warning --log-prefix "Iptables Target DROP "
  97. #$ip6t -A LogRefuse -j DROP
  98. $ip6t -A LogRefuse -j REJECT --reject-with icmp6-port-unreachable
  99.  
  100. # General TCP accept chain
  101. $ipt -N TcpAccept
  102. $ipt -A TcpAccept -p tcp --syn --sport 1024:65535 -j LogAccept
  103.  
  104. $ip6t -N TcpAccept
  105. $ip6t -A TcpAccept -p tcp --syn --sport 1024:65535 -j LogAccept
  106.  
  107. # Trusted TCP accept chain
  108. $ipt -N TrustedTcpAccept
  109. $ipt -A TrustedTcpAccept -s ${TRUSTED} -p tcp --syn --sport 1024:65535 -j LogAccept
  110.  
  111. $ip6t -N TrustedTcpAccept
  112. $ip6t -A TrustedTcpAccept -s ${TRUSTED6} -p tcp --syn --sport 1024:65535 -j LogAccept
  113.  
  114. # Limited accept chain
  115. $ipt -N LimitAccept
  116. $ipt -A LimitAccept -m limit --limit 1/second --limit-burst 5 -j ACCEPT
  117.  
  118. $ip6t -N LimitAccept
  119. $ip6t -A LimitAccept -m limit --limit 1/second --limit-burst 5 -j ACCEPT
  120.  
  121. # ==============================================================
  122. # General INPUT rules
  123. # ==============================================================
  124.  
  125. # --------------------------------------------------------------
  126. # Loopback
  127. # --------------------------------------------------------------
  128. # The loopback is always allowed
  129. $ipt -A INPUT -i ${LO} -j ACCEPT
  130. $ip6t -A INPUT -i ${LO} -j ACCEPT
  131.  
  132. # --------------------------------------------------------------
  133. # LAN
  134. # --------------------------------------------------------------
  135. # The local area is always allowed (should I strenghten here?)
  136. $ipt -A INPUT -i ${IF1} -j ACCEPT
  137. $ip6t -A INPUT -i ${IF1} -j ACCEPT
  138.  
  139. # --------------------------------------------------------------
  140. # Invalid packets
  141. # --------------------------------------------------------------
  142. $ipt -A INPUT -m state --state INVALID -j LogRefuse
  143. $ip6t -A INPUT -m state --state INVALID -j LogRefuse
  144.  
  145. # --------------------------------------------------------------
  146. # Active connections
  147. # --------------------------------------------------------------
  148. # the active connectoins are always allowed
  149. # The former rule (-m conntrack) is a more complete form.
  150. # The latter rule (-m state) is a subset of the first one.
  151. # The former rule has not been tested.
  152. # See man iptables-extensions
  153. #$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  154. $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  155. #$ip6t -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  156. $ip6t -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  157.  
  158. # --------------------------------------------------------------
  159. # Allowed ICMP packets
  160. # --------------------------------------------------------------
  161. $ipt -A INPUT -p icmp -m icmp --icmp-type echo-request -j LimitAccept
  162. $ipt -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j LimitAccept
  163. $ipt -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j LimitAccept
  164.  
  165. $ip6t -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j LimitAccept
  166. $ip6t -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j LimitAccept
  167. $ip6t -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j LimitAccept
  168.  
  169.  
  170. # ==============================================================
  171. # Service related rules
  172. # ==============================================================
  173.  
  174. # --------------------------------------------------------------
  175. # SSHD
  176. # --------------------------------------------------------------
  177. $ipt -A INPUT -d ${IF0_IP4} -p tcp --dport 22 -j TcpAccept
  178. $ip6t -A INPUT -d ${IF0_IP4} -p tcp --dport 22 -j TcpAccept
  179.  
  180. # --------------------------------------------------------------
  181. # Monit
  182. # --------------------------------------------------------------
  183. $ipt -A INPUT -i ${IF0} -p tcp --dport 2812 -j TrustedTcpAccept
  184. $ip6t -A INPUT -i ${IF0} -p tcp --dport 2812 -j TrustedTcpAccept
  185.  
  186.  
  187. # ==============================================================
  188. # Last: refuse as fallback
  189. # ==============================================================
  190.  
  191. # --------------------------------------------------------------
  192. # log and refuse everything not matching previous rules
  193. # --------------------------------------------------------------
  194. $ipt -A INPUT -j LogRefuse
  195. $ip6t -A INPUT -j LogRefuse
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement