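#!/bin/bash

# first author: marcos de vera
# second: joan marc riera
#
# Firewall script for servername.
#
# Default policy is DROP on every chain; the rules below open only what the
# host needs.  Replies to allowed flows are accepted once, via connection
# tracking, at the top of INPUT/OUTPUT instead of with per-service
# source-port rules - the old stateless "--sport 53 / --sport 25" accepts let
# any packet reach any local port simply by carrying a well-known source port.
#
# Deliberately NOT using `set -e`: aborting half-way would leave the host with
# DROP policies and only part of the rule set (possibly locking the admin out).
# Every rule goes through rule(), which counts failures and reports them at
# the end instead.
#
# NOTE: this configures IPv4 only (/sbin/iptables).  If IPv6 is enabled on the
# host, ip6tables needs an equivalent policy or the host is unfiltered over v6.

ip=/sbin/iptables

# --- configuration ---------------------------------------------------------
mriera="xx.xx.xx.xx"
nsancho="yy.yy.yy.yy"
admins=("$mriera" "$nsancho")   # unrestricted in/out
sshers=()                       # ssh (tcp/22) only
mysqlrs=("zz.zz.zz.zz/23")      # mysql (3306) clients: iReport on sugar
dcs=("ip.ip.ip.ip")             # our dc servers for some ldap auth (VAS/VGP)
tcpservices=(80 443 22)         # public tcp services offered by this host
udpservices=()                  # public udp services offered by this host
monitor="uu.uu.uu.uu"           # monitoring service host

failures=0

#######################################
# Apply one iptables command, continuing on failure.
# Globals:   ip (read), failures (written)
# Arguments: iptables arguments
# Outputs:   failed command to stderr
# Returns:   exit status of iptables
#######################################
rule() {
  if "$ip" "$@"; then
    return 0
  fi
  printf 'iptables failed: %s\n' "$*" >&2
  failures=$((failures + 1))
  return 1
}

# iptables needs root; fail early with one message instead of one per rule.
if [[ "$EUID" -ne 0 ]]; then
  printf 'this script must be run as root\n' >&2
  exit 1
fi

printf '%s' ">> Applying iptables rules... "

# default: DROP!  Policies are set *before* flushing so the window between the
# flush and the first rule is closed rather than wide open.
rule -P INPUT DROP
rule -P OUTPUT DROP
rule -P FORWARD DROP

## flushing...
rule -F
rule -X
rule -Z
rule -t nat -F

# filtering...

# localhost: free pass!
rule -A INPUT -i lo -j ACCEPT
rule -A OUTPUT -o lo -j ACCEPT

# connection tracking: drop packets that belong to no known flow, accept the
# replies of flows that an earlier rule already allowed.  With this in place
# every "allow" below only has to cover the *initiating* direction.
rule -A INPUT -m state --state INVALID -j DROP
rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# administration ips: free pass!
for admin in "${admins[@]}"; do
  rule -A INPUT -s "$admin" -j ACCEPT
  rule -A OUTPUT -d "$admin" -j ACCEPT
done

# allow ssh access to sshers (replies leave via the ESTABLISHED rule)
for ssher in "${sshers[@]}"; do
  rule -A INPUT -s "$ssher" -p tcp -m tcp --dport 22 -j ACCEPT
done

# allow access to mysql port to iReport on sugar
for mysql in "${mysqlrs[@]}"; do
  rule -A INPUT -s "$mysql" -p tcp -m tcp --dport 3306 -j ACCEPT
  rule -A INPUT -s "$mysql" -p udp -m udp --dport 3306 -j ACCEPT
done

# allowed services
for service in "${tcpservices[@]}"; do
  rule -A INPUT -p tcp -m tcp --dport "$service" -j ACCEPT
done
for service in "${udpservices[@]}"; do
  rule -A INPUT -p udp -m udp --dport "$service" -j ACCEPT
done

# VAS and VGP
#88   tcp udp kerberos
#389  tcp ldap queries , udp ldap ping
#464  tcp udp kerberos (kpasswd)
#3268 tcp global catalog access
#445  tcp vgp
# NOTE(review): the INPUT rules keep the original form (-s dc --dport port),
# which lets the DC *initiate* connections to these local ports; replies to
# our own queries are already accepted by the ESTABLISHED rule.  Confirm the
# INPUT side is still needed.
for dc in "${dcs[@]}"; do
  for port in 88 389 464 3268 445; do
    rule -A OUTPUT -d "$dc" -p tcp -m tcp --dport "$port" -j ACCEPT
    rule -A INPUT -s "$dc" -p tcp -m tcp --dport "$port" -j ACCEPT
  done
  for port in 88 389 464; do
    rule -A OUTPUT -d "$dc" -p udp -m udp --dport "$port" -j ACCEPT
    rule -A INPUT -s "$dc" -p udp -m udp --dport "$port" -j ACCEPT
  done
done

# allow the machine to browse the internet (replies via the ESTABLISHED rule)
for port in 80 443 8080; do
  rule -A OUTPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done

# don't forget the dns...
rule -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
rule -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT

# ... neither the ntp... (hora.rediris.es)
#rule -A OUTPUT -d 130.206.3.166 -p udp -m udp --dport 123 -j ACCEPT
# ntpd sends from source port 123, other clients use an ephemeral port; cover
# both.  Inbound NTP *queries* from other hosts are no longer accepted - only
# the replies to ours, via the ESTABLISHED rule.
rule -A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
rule -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT

# monitoring service (tcp/161), restricted to the monitoring host
# NOTE(review): kept as in the original.  A poller that queries *this* host
# would arrive with --dport 161, not --sport 161 - verify the intended direction.
rule -A INPUT -s "$monitor" -p tcp -m tcp --sport 161 -j ACCEPT
rule -A OUTPUT -d "$monitor" -p tcp -m tcp --dport 161 -j ACCEPT

# and last but not least, the smtp access (outgoing mail; replies via ESTABLISHED)
rule -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT

# everything that gets here is about to be dropped: log it, rate limited so a
# flood cannot fill the logs.  Placed at the end on purpose - the original LOG
# rule sat mid-chain and logged every inbound packet, accepted ones included.
rule -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 4 --log-prefix "iptables INPUT drop: "

# temporary backup if we change from DROP to ACCEPT policies
rule -A INPUT -p tcp -m tcp --dport 1:1024 -j DROP
rule -A INPUT -p udp -m udp --dport 1:1024 -j DROP

if (( failures > 0 )); then
  printf '\n%d rule(s) failed - check the messages above and %s -L -n\n' "$failures" "$ip" >&2
  exit 1
fi
echo "OK. Check rules with iptables -L -n"

# end :)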