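#!/bin/bash
# Stateful IPv4 host firewall that also acts as an OpenVPN gateway.
#
# Layout (the "simple stateful firewall" shape):
#   INPUT    drops by default. Replies to our own connections are accepted
#            first, then NEW TCP SYNs / UDP datagrams are dispatched to the
#            TCP and UDP chains that hold the service allow-list. Anything
#            that falls through is logged (rate-limited), its source is
#            remembered as a scanner, and it is rejected.
#   FORWARD  drops by default; only VPN-client traffic is routed, and it is
#            masqueraded out of $WAN_IF.
#   OUTPUT   accepts everything.
#
# Caveats:
#   * IPv4 only. ip6tables is not touched; if this host has a global IPv6
#     address, none of these rules apply to traffic reaching it over IPv6.
#   * Routing VPN clients also needs net.ipv4.ip_forward=1 (sysctl), which
#     this script does not set.
#   * The port-scan tables mean one probe to a closed port blocks that
#     source from every service for 60 s, including a legitimate client
#     that retried on a wrong port.
#   * When applying over SSH, run it from a console or with a timed rollback
#     (e.g. `sleep 120 && iptables -F && iptables -P INPUT ACCEPT &`) so a
#     mistake in the rule set does not lock you out.
#
# Must run as root.
set -euo pipefail

readonly WAN_IF=eth0          # interface facing the internet
readonly VPN_IF='tun+'        # OpenVPN tunnel interfaces
readonly VPN_NET=10.8.0.0/24  # OpenVPN client subnet

# --- reset: flush and delete every chain in the tables we use ---------------
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Per-protocol chains for NEW connections. `-X` above removed them, so they
# must exist again before any rule jumps to them or iptables rejects the rule.
iptables -N TCP
iptables -N UDP

# --- INPUT ------------------------------------------------------------------
# Blacklisted sources first. `-F`/`-X` do not touch ipsets, and the rule
# fails to load if the set does not exist, so only add it when it does.
if command -v ipset >/dev/null 2>&1 && ipset list blacklist >/dev/null 2>&1; then
  iptables -A INPUT -m set --match-set blacklist src -j DROP
fi

# Replies to connections we initiated (this is also what keeps an existing
# SSH session alive while the rules are rebuilt), then loopback.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Echo request.
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# VPN clients may reach any local service.
iptables -A INPUT -i "$VPN_IF" -j ACCEPT

# Dispatch new connections to the allow-lists.
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# Fall-through: log a sample, mark the source as a scanner, reject. The LOG
# rule sits here, after every ACCEPT, so the "denied" prefix is accurate.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# --- TCP allow-list ---------------------------------------------------------
# Sources seen probing a closed port within the last 60 s get nothing.
iptables -A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
iptables -A TCP -p tcp --dport 22 -j ACCEPT     # ssh
iptables -A TCP -p tcp --dport 80 -j ACCEPT     # http
iptables -A TCP -p tcp --dport 443 -j ACCEPT    # https
iptables -A TCP -p tcp --dport 25 -j ACCEPT     # smtp
#iptables -A TCP -p tcp --dport 587 -j ACCEPT   # submission
#iptables -A TCP -p tcp --dport 12550 -j ACCEPT # imaps (non-standard port)
# rsync daemon. Consider restricting with `-s <peer-cidr>` if only known
# hosts are meant to sync from this machine.
iptables -A TCP -p tcp --dport 873 -j ACCEPT

# --- UDP allow-list ---------------------------------------------------------
iptables -A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
# OpenVPN from the internet side.
iptables -A UDP -p udp -i "$WAN_IF" --dport 1194 -j ACCEPT
# DNS: replies to our own lookups are already accepted as ESTABLISHED above.
# Do NOT match on `--sport 53` here: the source port is attacker-chosen, so
# such a rule admits any UDP packet sent from port 53 to any local port.
# If this host serves DNS, add a `--dport 53` rule instead.

# --- FORWARD / NAT: route VPN clients out through the WAN interface ---------
iptables -A FORWARD -i "$VPN_IF" -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE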