  1. #!/bin/bash
  2.  
  3. iptables -F
  4. iptables -X
  5. iptables -t nat -F
  6. iptables -t nat -F
  7. iptables -t mangle -F
  8. iptables -t mangle -X
  9. iptables -P INPUT ACCEPT
  10. iptables -P FORWARD ACCEPT
  11. iptables -P OUTPUT ACCEPT
  12.  
  13. # connection online
  14. #iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  15.  
  16. #Setting default filter policy
  17. iptables -P INPUT DROP
  18. iptables -P OUTPUT ACCEPT
  19. iptables -P FORWARD DROP
  20.  
  21. # logging
  22. iptables -I INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  23.  
  24. #allow unlimited traffic on loopback
  25. iptables -A INPUT -i lo -j ACCEPT
  26.  
  27. # drop bad
  28. iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  29.  
  30. # accept ping
  31. iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  32. iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  33. iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
  34. iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  35. iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  36. iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
  37.  
  38. # bad stuff drop / reject
  39. iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
  40. iptables -D INPUT -p tcp -j REJECT --reject-with tcp-reset
  41. iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
  42. iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
  43. iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  44. iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
  45.  
  46. # ssh
  47. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  48.  
  49. # webserver
  50. iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  51. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  52.  
  53. # dns
  54. iptables -A INPUT -p udp --sport 53 -j ACCEPT
  55.  
  56. # smtp
  57. iptables -A INPUT -p tcp --dport 25 -j ACCEPT
  58.  
  59. # submission
  60. #iptables -A INPUT -p tcp --dport 587 -j ACCEPT
  61.  
  62. # imaps
  63. #iptables -A INPUT -p tcp --dport 12550 -j ACCEPT
  64.  
  65. # rsync
  66. iptables -A INPUT -p tcp --dport 873 -j ACCEPT
  67.  
  68. # openvpn
  69. iptables -A INPUT -m state --state NEW -i eth0 -p udp --dport 1194 -j ACCEPT
  70. iptables -A INPUT -i tun+ -j ACCEPT
  71. iptables -A FORWARD -i tun+ -j ACCEPT
  72. iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  73. iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  74. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  75. iptables -A OUTPUT -o tun+ -j ACCEPT
  76.  
  77. # blacklist
  78. iptables -I INPUT 1 -m set --match-set blacklist src -j DROP
  79.  
  80. # logging
  81. iptables -A INPUT -j LOG