timhalo

iptables-stuff

Jan 19th, 2015
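#!/bin/bash
# ---------------------------------------------------
# Host firewall: default-deny on INPUT, OUTPUT and FORWARD.
# Permits loopback, SSH management from a single admin address, ping in
# both directions, and ICMP errors related to this host's own flows.
# Outbound internet access is opt-in (see the commented block below);
# with it left off, DNS, package updates and NTP will not work from here.
#
# Usage:  sudo MGMT_IP=203.0.113.10 [MGMT_IF=eth1] ./iptables-stuff.sh
#         MGMT_IP defaults to the placeholder A.B.C.D and the script refuses
#         to run until a real IPv4 address is given, to avoid an SSH lockout.
#
# Apply this from a console or an out-of-band session the first time, or
# wrap it in `iptables-apply`, so a typo cannot cut off your only access.
# ---------------------------------------------------
set -euo pipefail

MGMT_IF="${MGMT_IF:-eth1}"      # interface the admin host reaches us on
MGMT_IP="${MGMT_IP:-A.B.C.D}"   # admin host's IPv4 address (placeholder by default)
RULES_FILE="/etc/iptables.rules"
RULES_FILE6="/etc/ip6tables.rules"

if [[ "$(id -u)" != "0" ]]; then
  echo "Run as sudo or root" >&2
  exit 1
fi

# Refuse the placeholder: setting DROP policies without a usable SSH rule
# locks out every remote session.
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
if [[ ! "$MGMT_IP" =~ $ipv4_re ]]; then
  echo "MGMT_IP must be an IPv4 address (got '$MGMT_IP'); run with MGMT_IP=<admin ip>" >&2
  exit 1
fi

# Start from a clean slate in every table, not just filter and nat:
# leftover mangle/raw rules (and user chains in nat) would otherwise survive.
for table in filter nat mangle raw; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done

# Permit rules go in BEFORE the policies are switched to DROP, so an
# established management session never sits in a "flushed but not yet
# permitted" window.

# loopback. Do not pin this to 127.0.0.1/32: traffic a host sends to its
# own non-loopback address (e.g. connecting to eth1's IP from the host
# itself) also traverses lo, and 127.0.0.0/8 addresses other than .1 are
# legitimate. Spoofed 127/8 packets on other interfaces still hit the
# DROP policy because nothing else accepts them.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# permit ssh mgmt from the admin host only
iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IP/32" -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o "$MGMT_IF" -d "$MGMT_IP/32" -p tcp -m tcp --sport 22 \
  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# permit icmp
# incoming ping outgoing pong
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
# outgoing ping incoming pong
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# ICMP errors about our own connections (destination-unreachable including
# fragmentation-needed, time-exceeded). Without this, path-MTU discovery
# silently breaks for every permitted flow; RELATED limits it to errors
# that conntrack can tie to an existing connection.
iptables -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT

# permit outbound to internet (opt-in: uncomment to enable)
# iptables -A OUTPUT -o "$MGMT_IF" -p tcp -m multiport --dports 53,80,443,22,23 -j ACCEPT
# iptables -A OUTPUT -o "$MGMT_IF" -p udp -m udp --dport 53 -j ACCEPT
# iptables -A INPUT -i "$MGMT_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Default-deny last, once the permit rules are in place.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# IPv6: iptables rules say nothing about v6. If this host has a global v6
# address, leaving ip6tables untouched makes every service reachable over
# v6 while v4 is default-deny. Mirror the default-deny here. ICMPv6 is
# allowed wholesale because neighbour discovery (types 133-137) is carried
# over it and v6 stops working without it. Add v6 management rules if you
# manage this host over v6.
if command -v ip6tables >/dev/null; then
  for table in filter mangle raw; do
    ip6tables -t "$table" -F
    ip6tables -t "$table" -X
  done
  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A OUTPUT -o lo -j ACCEPT
  ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
  ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
  ip6tables -P INPUT DROP
  ip6tables -P OUTPUT DROP
  ip6tables -P FORWARD DROP
fi

# ---------------------------------------------------
# Persist. The rules file records the management address and interface,
# so keep it readable by root only. No `bash -c` needed: we are already
# root and the redirection runs in this shell; set -e aborts on failure.
umask 077
iptables-save > "$RULES_FILE"
chmod 600 "$RULES_FILE"
if command -v ip6tables-save >/dev/null; then
  ip6tables-save > "$RULES_FILE6"
  chmod 600 "$RULES_FILE6"
fi

# ---------------------------------------------------
# To restore at boot, add to /etc/rc.local above "exit 0":
#   iptables-restore < /etc/iptables.rules
#   ip6tables-restore < /etc/ip6tables.rules
# On systemd distributions rc.local may not run at all; the
# iptables-persistent / netfilter-persistent package (rules in
# /etc/iptables/rules.v4 and rules.v6) is the supported equivalent.
# ---------------------------------------------------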