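#!/bin/bash
# /------------------------------------------------------------\
# |                                                            |
# |              Iptables configuration script                 |
# |                                                            |
# \------------------------------------------------------------/
# ==============================================================================
#
# This script manages the accesses to a public host, with no public services,
# except administrative access.
#
# Resulting policy:
#   - INPUT and FORWARD default to DROP, OUTPUT to ACCEPT (v4 and v6);
#   - loopback and the LAN interface are fully trusted;
#   - SSH is reachable on the Internet interface, Monit only from TRUSTED*;
#   - a small set of ICMP/ICMPv6 types is accepted (rate limited);
#   - everything else is logged (rate limited) and rejected.
#
# Must run as root. The exit status is non-zero if any iptables/ip6tables
# command failed; each failing command is reported on stderr.
#
# Sergio Vaccaro <hujuice@inservibile.org>
# ==============================================================================

# An unset variable (e.g. a mistyped interface name) aborts the script: an
# empty expansion would otherwise silently turn into a different rule.
set -u

# ==============================================================
# Configuration
# ==============================================================
# Iptables commands
ipt="/sbin/iptables"
ip6t="/sbin/ip6tables"
# Loopback device
LO="lo"
# Internet interface
IF0="eth0"
# LAN interface
IF1="eth1"
# Trusted IPs (comma separated list, as accepted by -s)
TRUSTED="78.134.3.33,193.204.90.67"
TRUSTED6="fe80::/10,2a02:2770:9:0:1ac2:720c:ab76:7d80"

# ==============================================================
# Helpers
# ==============================================================
# Number of iptables/ip6tables commands that failed so far
errors=0

#######################################
# Run one iptables/ip6tables command.
# A failure is reported on stderr and counted, but the script keeps going so
# that the remaining rules (including the final fallback) are still installed.
# Globals:   errors (written)
# Arguments: the complete command line
# Returns:   0 always; failures are reflected in $errors
#######################################
rule() {
  local rc=0
  "$@" || rc=$?
  if (( rc != 0 )); then
    errors=$((errors + 1))
    printf 'firewall: exit %d from: %s\n' "$rc" "$*" >&2
  fi
  return 0
}

# ==============================================================
# Bootstrap
# ==============================================================
# Reset: flush every table, then delete user defined chains
rule "$ipt" -F
rule "$ipt" -t nat -F
rule "$ipt" -t mangle -F
rule "$ipt" -X
rule "$ipt" -t nat -X
rule "$ipt" -t mangle -X
rule "$ip6t" -F
rule "$ip6t" -t nat -F
rule "$ip6t" -t mangle -F
rule "$ip6t" -X
rule "$ip6t" -t nat -X
rule "$ip6t" -t mangle -X

# Policies (fail closed: anything not explicitly accepted below is dropped)
rule "$ipt" -P INPUT DROP
rule "$ipt" -P OUTPUT ACCEPT
rule "$ipt" -P FORWARD DROP
rule "$ipt" -t nat -P OUTPUT ACCEPT
rule "$ipt" -t nat -P PREROUTING ACCEPT
rule "$ipt" -t nat -P POSTROUTING ACCEPT
rule "$ipt" -t mangle -P PREROUTING ACCEPT
rule "$ipt" -t mangle -P POSTROUTING ACCEPT
rule "$ip6t" -P INPUT DROP
rule "$ip6t" -P OUTPUT ACCEPT
rule "$ip6t" -P FORWARD DROP

# ==============================================================
# Chains
# ==============================================================
# Log and accept chain
# See http://forum.debianizzati.org/viewtopic.php?f=36&t=40198 for limit
rule "$ipt" -N LogAccept
rule "$ipt" -A LogAccept -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level info --log-prefix "Iptables Target ACCEPT "
rule "$ipt" -A LogAccept -j ACCEPT
rule "$ip6t" -N LogAccept
rule "$ip6t" -A LogAccept -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level info --log-prefix "Iptables Target ACCEPT "
rule "$ip6t" -A LogAccept -j ACCEPT

# Log and refuse chain
# See http://www.achab.it/blog/index.cfm/2013/9/drop-vs-reject-qual--la-differenza.htm for DROP/REJECT discussion
# See http://forum.debianizzati.org/viewtopic.php?f=36&t=40198 for limit
rule "$ipt" -N LogRefuse
rule "$ipt" -A LogRefuse -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level warning --log-prefix "Iptables Target DROP "
#rule "$ipt" -A LogRefuse -j DROP
rule "$ipt" -A LogRefuse -j REJECT --reject-with icmp-port-unreachable
rule "$ip6t" -N LogRefuse
rule "$ip6t" -A LogRefuse -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level warning --log-prefix "Iptables Target DROP "
#rule "$ip6t" -A LogRefuse -j DROP
rule "$ip6t" -A LogRefuse -j REJECT --reject-with icmp6-port-unreachable

# General TCP accept chain: only new connections (SYN) from an unprivileged
# source port are let through; the rest of the flow is covered by the
# ESTABLISHED,RELATED rule in INPUT.
rule "$ipt" -N TcpAccept
rule "$ipt" -A TcpAccept -p tcp --syn --sport 1024:65535 -j LogAccept
rule "$ip6t" -N TcpAccept
rule "$ip6t" -A TcpAccept -p tcp --syn --sport 1024:65535 -j LogAccept

# Trusted TCP accept chain: same as TcpAccept, restricted to TRUSTED sources
rule "$ipt" -N TrustedTcpAccept
rule "$ipt" -A TrustedTcpAccept -s "${TRUSTED}" -p tcp --syn --sport 1024:65535 -j LogAccept
rule "$ip6t" -N TrustedTcpAccept
rule "$ip6t" -A TrustedTcpAccept -s "${TRUSTED6}" -p tcp --syn --sport 1024:65535 -j LogAccept

# Limited accept chain (packets above the rate fall through to the caller)
rule "$ipt" -N LimitAccept
rule "$ipt" -A LimitAccept -m limit --limit 1/second --limit-burst 5 -j ACCEPT
rule "$ip6t" -N LimitAccept
rule "$ip6t" -A LimitAccept -m limit --limit 1/second --limit-burst 5 -j ACCEPT

# ==============================================================
# General INPUT rules
# ==============================================================
# --------------------------------------------------------------
# Loopback
# --------------------------------------------------------------
# The loopback is always allowed
rule "$ipt" -A INPUT -i "${LO}" -j ACCEPT
rule "$ip6t" -A INPUT -i "${LO}" -j ACCEPT

# --------------------------------------------------------------
# LAN
# --------------------------------------------------------------
# The local area is always allowed (should I strengthen here?)
rule "$ipt" -A INPUT -i "${IF1}" -j ACCEPT
rule "$ip6t" -A INPUT -i "${IF1}" -j ACCEPT

# --------------------------------------------------------------
# Invalid packets
# --------------------------------------------------------------
rule "$ipt" -A INPUT -m state --state INVALID -j LogRefuse
rule "$ip6t" -A INPUT -m state --state INVALID -j LogRefuse

# --------------------------------------------------------------
# Active connections
# --------------------------------------------------------------
# The active connections are always allowed.
# The former rule (-m conntrack) is a more complete form.
# The latter rule (-m state) is a subset of the first one.
# The former rule has not been tested.
# See man iptables-extensions
#rule "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
rule "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#rule "$ip6t" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
rule "$ip6t" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# --------------------------------------------------------------
# Allowed ICMP packets
# --------------------------------------------------------------
rule "$ipt" -A INPUT -p icmp -m icmp --icmp-type echo-request -j LimitAccept
rule "$ipt" -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j LimitAccept
rule "$ipt" -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j LimitAccept
rule "$ip6t" -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j LimitAccept
rule "$ip6t" -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j LimitAccept
rule "$ip6t" -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j LimitAccept
# Path MTU discovery does not work without packet-too-big
rule "$ip6t" -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j LimitAccept
# IPv6 on the Internet interface cannot work without Neighbour Discovery
# (RFC 4861). These messages are not part of an established connection, so
# without an explicit accept they would reach the final LogRefuse. RFC 4861
# mandates hop limit 255 for them, which also rules out routed forgeries.
for nd_type in neighbor-solicitation neighbor-advertisement router-advertisement; do
  rule "$ip6t" -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type "$nd_type" -m hl --hl-eq 255 -j ACCEPT
done

# ==============================================================
# Service related rules
# ==============================================================
# --------------------------------------------------------------
# SSHD
# --------------------------------------------------------------
# Administrative access from the Internet interface (loopback and LAN are
# already accepted above). Matched on the interface, like the Monit rule,
# so no per-address configuration is needed.
rule "$ipt" -A INPUT -i "${IF0}" -p tcp --dport 22 -j TcpAccept
rule "$ip6t" -A INPUT -i "${IF0}" -p tcp --dport 22 -j TcpAccept

# --------------------------------------------------------------
# Monit
# --------------------------------------------------------------
rule "$ipt" -A INPUT -i "${IF0}" -p tcp --dport 2812 -j TrustedTcpAccept
rule "$ip6t" -A INPUT -i "${IF0}" -p tcp --dport 2812 -j TrustedTcpAccept

# ==============================================================
# Last: refuse as fallback
# ==============================================================
# --------------------------------------------------------------
# Log and refuse everything not matching previous rules
# --------------------------------------------------------------
rule "$ipt" -A INPUT -j LogRefuse
rule "$ip6t" -A INPUT -j LogRefuse

# ==============================================================
# Report
# ==============================================================
if (( errors > 0 )); then
  printf 'firewall: %d command(s) failed, the rule set may be incomplete\n' "$errors" >&2
  exit 1
fi
exit 0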