iptables and ip6tables

1. #!/bin/bash
2. # /------------------------------------------------------------\
3. # |                                                            |
4. # |                Iptables configuration script               |
5. # |                                                            |
6. # \------------------------------------------------------------/
7.  
8. # ==============================================================================
9. #
10. # This script manage the accesses to a public host, with no public services,
11. # except administrave access.
12. #
13. # Sergio Vaccaro <hujuice@inservibile.org>
14. # ==============================================================================
15.  
16.  
17. # ==============================================================
18. # Configuration
19. # ==============================================================
20.  
21. # Iptables command
22. ipt="/sbin/iptables"
23. ip6t="/sbin/ip6tables"
24.  
25. # Loopback device
26. LO="lo"
27.  
28. # Internet interface
29. IF0="eth0"
30.  
31. # LAN interface
32. IF1="eth1"
33.  
34. # Trusted IPs
35. TRUSTED="78.134.3.33,193.204.90.67"
36. TRUSTED6="fe80::/10,2a02:2770:9:0:1ac2:720c:ab76:7d80"
37.  
38.  
39. # ==============================================================
40. # Bootstrap
41. # ==============================================================
42.  
43. # Reset
44. $ipt -F
45. $ipt -t nat -F
46. $ipt -t mangle -F
47. $ipt -X
48. $ipt -t nat -X
49. $ipt -t mangle -X
50.  
51. $ip6t -F
52. $ip6t -t nat -F
53. $ip6t -t mangle -F
54. $ip6t -X
55. $ip6t -t nat -X
56. $ip6t -t mangle -X
57.  
58. # Policies
59. $ipt -P INPUT DROP
60. $ipt -P OUTPUT ACCEPT
61. $ipt -P FORWARD DROP
62. $ipt -t nat -P OUTPUT ACCEPT
63. $ipt -t nat -P PREROUTING ACCEPT
64. $ipt -t nat -P POSTROUTING ACCEPT
65. $ipt -t mangle -P PREROUTING ACCEPT
66. $ipt -t mangle -P POSTROUTING ACCEPT
67.  
68. $ip6t -P INPUT DROP
69. $ip6t -P OUTPUT ACCEPT
70. $ip6t -P FORWARD DROP
71.  
72.  
73. # ==============================================================
74. # Chains
75. # ==============================================================
76.  
77. # Log and accept chain
78. # See http://forum.debianizzati.org/viewtopic.php?f=36&t=40198 for limit
79. $ipt -N LogAccept
80. $ipt -A LogAccept -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level info --log-prefix "Iptables Target ACCEPT "
81. $ipt -A LogAccept -j ACCEPT
82.  
83. $ip6t -N LogAccept
84. $ip6t -A LogAccept -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level info --log-prefix "Iptables Target ACCEPT "
85. $ip6t -A LogAccept -j ACCEPT
86.  
87. # Log and refuse chain
88. # See http://www.achab.it/blog/index.cfm/2013/9/drop-vs-reject-qual--la-differenza.htm for DROP/REJECT discussion
89. # See http://forum.debianizzati.org/viewtopic.php?f=36&t=40198 for limit
90. $ipt -N LogRefuse
91. $ipt -A LogRefuse -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level warning --log-prefix "Iptables Target DROP "
92. #$ipt -A LogRefuse -j DROP
93. $ipt -A LogRefuse -j REJECT --reject-with icmp-port-unreachable
94.  
95. $ip6t -N LogRefuse
96. $ip6t -A LogRefuse -m limit --limit 10/minute --limit-burst 30 -j LOG --log-level warning --log-prefix "Iptables Target DROP "
97. #$ip6t -A LogRefuse -j DROP
98. $ip6t -A LogRefuse -j REJECT --reject-with icmp6-port-unreachable
99.  
100. # General TCP accept chain
101. $ipt -N TcpAccept
102. $ipt -A TcpAccept -p tcp --syn --sport 1024:65535 -j LogAccept
103.  
104. $ip6t -N TcpAccept
105. $ip6t -A TcpAccept -p tcp --syn --sport 1024:65535 -j LogAccept
106.  
107. # Trusted TCP accept chain
108. $ipt -N TrustedTcpAccept
109. $ipt -A TrustedTcpAccept -s ${TRUSTED} -p tcp --syn --sport 1024:65535 -j LogAccept
110.  
111. $ip6t -N TrustedTcpAccept
112. $ip6t -A TrustedTcpAccept -s ${TRUSTED6} -p tcp --syn --sport 1024:65535 -j LogAccept
113.  
114. # Limited accept chain
115. $ipt -N LimitAccept
116. $ipt -A LimitAccept -m limit --limit 1/second --limit-burst 5 -j ACCEPT
117.  
118. $ip6t -N LimitAccept
119. $ip6t -A LimitAccept -m limit --limit 1/second --limit-burst 5 -j ACCEPT
120.  
121. # ==============================================================
122. # General INPUT rules
123. # ==============================================================
124.  
125. # --------------------------------------------------------------
126. # Loopback
127. # --------------------------------------------------------------
128. # The loopback is always allowed
129. $ipt -A INPUT -i ${LO} -j ACCEPT
130. $ip6t -A INPUT -i ${LO} -j ACCEPT
131.  
132. # --------------------------------------------------------------
133. # LAN
134. # --------------------------------------------------------------
135. # The local area is always allowed (should I strenghten here?)
136. $ipt -A INPUT -i ${IF1} -j ACCEPT
137. $ip6t -A INPUT -i ${IF1} -j ACCEPT
138.  
139. # --------------------------------------------------------------
140. # Invalid packets
141. # --------------------------------------------------------------
142. $ipt -A INPUT -m state --state INVALID -j LogRefuse
143. $ip6t -A INPUT -m state --state INVALID -j LogRefuse
144.  
145. # --------------------------------------------------------------
146. # Active connections
147. # --------------------------------------------------------------
148. # the active connectoins are always allowed
149. # The former rule (-m conntrack) is a more complete form.
150. # The latter rule (-m state) is a subset of the first one.
151. # The former rule has not been tested.
152. # See man iptables-extensions
153. #$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
154. $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
155. #$ip6t -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
156. $ip6t -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
157.  
158. # --------------------------------------------------------------
159. # Allowed ICMP packets
160. # --------------------------------------------------------------
161. $ipt -A INPUT -p icmp -m icmp --icmp-type echo-request -j LimitAccept
162. $ipt -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j LimitAccept
163. $ipt -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j LimitAccept
164.  
165. $ip6t -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j LimitAccept
166. $ip6t -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j LimitAccept
167. $ip6t -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j LimitAccept
168.  
169.  
170. # ==============================================================
171. # Service related rules
172. # ==============================================================
173.  
174. # --------------------------------------------------------------
175. # SSHD
176. # --------------------------------------------------------------
177. $ipt -A INPUT -d ${IF0_IP4} -p tcp --dport 22 -j TcpAccept
178. $ip6t -A INPUT -d ${IF0_IP4} -p tcp --dport 22 -j TcpAccept
179.  
180. # --------------------------------------------------------------
181. # Monit
182. # --------------------------------------------------------------
183. $ipt -A INPUT -i ${IF0} -p tcp --dport 2812 -j TrustedTcpAccept
184. $ip6t -A INPUT -i ${IF0} -p tcp --dport 2812 -j TrustedTcpAccept
185.  
186.  
187. # ==============================================================
188. # Last: refuse as fallback
189. # ==============================================================
190.  
191. # --------------------------------------------------------------
192. # log and refuse everything not matching previous rules
193. # --------------------------------------------------------------
194. $ipt -A INPUT -j LogRefuse
195. $ip6t -A INPUT -j LogRefuse