API tools faq
paste
Advertisement
cesarzeta

firewall-iptables

cesarzeta
Mar 23rd, 2014
164
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.69 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/bash
  2. ## SCRIPT de IPTABLES
  3. ##Script para proteger la propia máquina con DROP por defecto
  4.  
  5. ## FLUSH de reglas
  6. /sbin/iptables -F
  7. /sbin/iptables -X
  8. /sbin/iptables -Z
  9. /sbin/iptables -t nat -F
  10.  
  11. ## Establecemos politica por defecto: DROP
  12. /sbin/iptables -P INPUT DROP
  13. /sbin/iptables -P OUTPUT DROP
  14. /sbin/iptables -P FORWARD DROP
  15.  
  16. ## Empezamos a abrir porque ahora esta TODO denegado.
  17. ## Debemos decir de manera explicita qué es lo que queremos abrir
  18.  
  19. ## Operar en localhost sin limitaciones
  20. /sbin/iptables -A INPUT -i lo -j ACCEPT
  21. /sbin/iptables -A OUTPUT -o lo -j ACCEPT
  22.  
  23. ## A nuestra IP le permitimos todo
  24. iptables -A INPUT -s 192.168.1.2/255.255.255.0 -j ACCEPT
  25. iptables -A OUTPUT -d 192.168.1.2/255.255.255.0 -j ACCEPT
  26.  
  27. ## Hosts bloqueados
  28. /sbin/iptables -A INPUT -s XXX.XXX.XXX.XXX -j DROP
  29. /sbin/iptables -A OUTPUT -d XXX.XXX.XXX.XXX -j DROP
  30. /sbin/iptables -A INPUT -s 54.245.112.177 -j DROP
  31. /sbin/iptables -A OUTPUT -d 54.245.112.177 -j DROP
  32.  
  33. ## Este es el servicio que da internet a la maquina, todo paquete entrante se acepta y los salientes vinculados.
  34. /sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  35. /sbin/iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
  36.  
  37. ## Permitimos que la maquina pueda salir a la web
  38. /sbin/iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
  39. /sbin/iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  40.  
  41.  
  42. ## Y tambien a webs seguras - Incoming
  43. /sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  44. /sbin/iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
  45.  
  46. ## Y tambien a web seguras - Outgoing
  47. /sbin/iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
  48. /sbin/iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  49.  
  50.  
  51. ## Permitimos la consulta a un primer DNS
  52. /sbin/iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
  53. /sbin/iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
  54.  
  55. ## Puertos para correo e IMAP
  56. /sbin/iptables -A INPUT -p tcp --sport 110 -m state --state ESTABLISHED,RELATED -j ACCEPT
  57. /sbin/iptables -A OUTPUT -p tcp --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  58. /sbin/iptables -A INPUT -p tcp --sport 995 -m state --state ESTABLISHED,RELATED -j ACCEPT
  59. /sbin/iptables -A OUTPUT -p tcp --dport 995 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  60. /sbin/iptables -A INPUT -p tcp --sport 465 -m state --state ESTABLISHED,RELATED -j ACCEPT
  61. /sbin/iptables -A OUTPUT -p tcp --dport 465 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  62. /sbin/iptables -A INPUT -p tcp --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
  63. /sbin/iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  64. /sbin/iptables -A INPUT -p tcp --sport 143 -m state --state ESTABLISHED,RELATED -j ACCEPT
  65. /sbin/iptables -A OUTPUT -p tcp --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  66. /sbin/iptables -A INPUT -p tcp --sport 993 -m state --state ESTABLISHED,RELATED -j ACCEPT
  67. /sbin/iptables -A OUTPUT -p tcp --dport 993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  68.  
  69. ## SALIDA FTP - Para que el servidor se pueda conectar a FTP
  70. /sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  71. /sbin/iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
  72.  
  73. ## Ftp activo
  74. /sbin/iptables -A INPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  75. /sbin/iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
  76.  
  77. ## Ftp pasivo
  78. /sbin/iptables -A INPUT -p tcp -m tcp --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  79. /sbin/iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
  80. /sbin/iptables -A INPUT -p tcp -m tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
  81. /sbin/iptables -A OUTPUT -p tcp -m tcp --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  82.  
  83. ## Puertos UDP para transmission
  84. /sbin/iptables -A INPUT -p udp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  85. /sbin/iptables -A OUTPUT -p udp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
  86. /sbin/iptables -A INPUT -p udp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
  87. /sbin/iptables -A OUTPUT -p udp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  88. /sbin/iptables -A INPUT -p udp -m udp --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  89. /sbin/iptables -A OUTPUT -p udp -m udp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
  90. /sbin/iptables -A INPUT -p udp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
  91. /sbin/iptables -A OUTPUT -p udp --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  92.  
  93. ## Barrera de backup por si cambiamos a modo ACCEPT temporalmente
  94. ## Con esto protegemos los puertos reservados y otros conocidos por ser utilizados por hackers
  95. /sbin/iptables -A INPUT -p tcp -m tcp --dport 1:1024 -j DROP
  96. /sbin/iptables -A INPUT -p udp -m udp --dport 1:1024 -j DROP
  97. /sbin/iptables -A INPUT -p tcp -m tcp --dport 1723 -j DROP
  98. /sbin/iptables -A INPUT -p udp -m udp --dport 1723 -j DROP
  99. /sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP
  100. /sbin/iptables -A INPUT -p udp -m udp --dport 3306 -j DROP
  101. /sbin/iptables -A INPUT -p tcp -m tcp --dport 5432 -j DROP
  102. /sbin/iptables -A INPUT -p udp -m udp --dport 5432 -j DROP
  103. /sbin/iptables -A INPUT -p tcp -m tcp --dport 31337:31340 -j DROP
  104. /sbin/iptables -A INPUT -p udp -m udp --dport 31337:31340 -j DROP
  105.  
  106. exit
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!