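#!/bin/bash
# Host firewall lockdown: default-deny in every direction, then permit only
# loopback, SSH management from one address on one interface, ICMP echo, and
# reply traffic belonging to those flows. IPv6 gets the same default-deny.
#
# Usage: run as root. MGMT_IP / MGMT_IF may be overridden from the environment.
# The defaults keep the original placeholders, so MGMT_IP MUST be replaced with
# the real management address before use or the SSH rule matches nothing.
#
# Ordering is deliberate: chain policies are set to ACCEPT before the flush and
# only switched to DROP after every ACCEPT rule is in place. The original set
# DROP first, which cuts off the very SSH session the script is run over until
# the mgmt rule lands and, if any command fails in between, locks you out.
# With this ordering a failure part-way (set -e) leaves the host reachable;
# the ERR trap makes that state visible so it is not left that way by accident.
set -euo pipefail

MGMT_IP="${MGMT_IP:-A.B.C.D}"   # management host permitted to reach sshd (placeholder!)
MGMT_IF="${MGMT_IF:-eth1}"      # interface that host arrives on
RULES_V4=/etc/iptables.rules
RULES_V6=/etc/ip6tables.rules

if [[ "$(id -u)" != "0" ]]; then
  echo "Run as sudo or root" >&2
  exit 1
fi

trap 'echo "firewall script aborted: chain policies may still be ACCEPT - re-run or fix by hand" >&2' ERR

# --- IPv4 -------------------------------------------------------------------
# Open the policies first so the flush below cannot kill the session running this.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Loopback: accept the whole interface. Traffic to the host's own non-loopback
# addresses is also delivered over lo, so matching on 127.0.0.1/32 (as the
# original did) dropped exactly the case the original comment was worried about.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Anti-spoofing: loopback addresses never legitimately arrive on a real NIC.
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# Stateful reply handling for every flow permitted below, in both directions.
# RELATED also admits ICMP errors tied to a tracked flow (e.g. fragmentation-
# needed for path-MTU discovery); an echo-only ICMP rule set silently drops
# those and breaks TCP in hard-to-diagnose ways.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH management: only from MGMT_IP, only via MGMT_IF. Replies are covered by
# the stateful OUTPUT rule above, so no separate --sport 22 rule is needed.
iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IP/32" -p tcp --dport 22 \
  -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# ICMP echo. Inbound requests are rate-limited so the host is not a free
# reflector. Replies in both directions ride the stateful rules, which means an
# inbound echo-reply is accepted only when it answers a request this host sent;
# the original accepted any unsolicited type-0 packet from anywhere.
iptables -A INPUT -p icmp --icmp-type echo-request \
  -m limit --limit 10/second --limit-burst 20 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# Optional outbound internet access (disabled). If enabled keep the list
# minimal; port 23 (telnet) from the original list is cleartext and should stay closed.
# iptables -A OUTPUT -o "$MGMT_IF" -p tcp -m multiport --dports 53,80,443,22 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A OUTPUT -o "$MGMT_IF" -p udp --dport 53 -j ACCEPT

# Lock down last, then persist for iptables-restore at boot. The saved file
# names the management address and interface, so keep it root-readable only.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables-save > "$RULES_V4"
chmod 600 "$RULES_V4"

# --- IPv6 -------------------------------------------------------------------
# ip6tables is a separate ruleset; leaving it untouched (as the original did)
# exposes every IPv6 address on the host while v4 is locked down. There is no
# v6 management path (the SSH rule above is v4-only), so v6 gets loopback,
# replies and ICMPv6 only. ICMPv6 must pass or neighbour/router discovery
# breaks. Skipped entirely when the IPv6 stack is absent, so v4 still applies.
if command -v ip6tables >/dev/null 2>&1 && ip6tables -L -n >/dev/null 2>&1; then
  ip6tables -P INPUT ACCEPT
  ip6tables -P OUTPUT ACCEPT
  ip6tables -P FORWARD ACCEPT
  ip6tables -F
  ip6tables -X
  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A OUTPUT -o lo -j ACCEPT
  ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
  ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
  ip6tables -P INPUT DROP
  ip6tables -P OUTPUT DROP
  ip6tables -P FORWARD DROP
  ip6tables-save > "$RULES_V6"
  chmod 600 "$RULES_V6"
else
  echo "warning: IPv6 stack not available, no ip6tables rules applied" >&2
fi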
- # ---------------------------------------------------
Persist across reboots: in /etc/rc.local, above the final `exit 0`, add the lines below. Note that on systemd-based distributions rc.local is often disabled or absent; there the supported way is the iptables-persistent / netfilter-persistent package or a small systemd unit that runs the same restore commands.
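# Restore the saved ruleset at boot. If the restore fails the kernel is left
# with its default ACCEPT policies and the host boots wide open; fall back to
# default-deny (matching the lockdown script's intent) and log it so the
# administrator knows console access is needed to fix the rules file.
if ! iptables-restore < /etc/iptables.rules; then
  logger -t firewall -p auth.err "iptables-restore failed; applying default-deny policies"
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
fi
# IPv6 rules, if the lockdown script produced them.
if [ -f /etc/ip6tables.rules ]; then
  ip6tables-restore < /etc/ip6tables.rules || logger -t firewall -p auth.err "ip6tables-restore failed"
fi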
- # ---------------------------------------------------