phpaddict

Ubuntu Server - Small Firewall

Aug 11th, 2014
  1. #!/bin/sh
  2. #
  3. # Modified firewall
  4. #
  5. ### BEGIN INIT INFO
  6. # Provides: firewall
  7. # Required-Start: $remote_fs $local_fs $syslog
  8. # Required-Stop: umountfs
  9. # Default-Start:    2 3 4 5
  10. # Default-Stop:    
  11. # Short-Description: firewall initialization
  12. # Description: System firewall
  13. ### END INIT INFO
  14.  
#######################################
# Return the packet filter to a permissive baseline.
# Flushes every rule and deletes every user-defined chain in the filter,
# nat and mangle tables, then sets the filter policies to INPUT/OUTPUT
# ACCEPT and FORWARD DROP.
# NOTE: once this has run the host accepts all inbound traffic -- "stop"
# means "firewall off", not "deny all".
# Globals:   none
# Arguments: none
# Outputs:   iptables diagnostics on stderr
# Returns:   status of the last iptables command
#######################################
reset_firewall() {
    # Default (filter) table first, then the two tables that need -t.
    iptables -F
    iptables -X
    for fw_table in nat mangle; do
        iptables -t "$fw_table" -F
        iptables -t "$fw_table" -X
    done
    unset fw_table

    # Policies: open for traffic to/from this host, never route between
    # interfaces.
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
}
  26.  
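#######################################
# Install the restrictive ruleset.
# Expects reset_firewall to have run first (restart does that); a bare
# "start" appends to whatever is already loaded.
# Globals:   SYN_LIMIT, SYN_BURST -- optional overrides for the SYN rate
#            limit (defaults 1/s and 3, the original script's values)
# Arguments: none
# Outputs:   iptables diagnostics on stderr
# Returns:   status of the last iptables command
#
# Only IPv4 is filtered. If IPv6 is enabled on this host, ip6tables needs
# an equivalent ruleset or every service is reachable unfiltered over v6.
#######################################
start_firewall() {
    # Fail closed: if a later rule fails to load, the host lets nothing
    # through instead of everything (reset_firewall leaves the policies at
    # ACCEPT). The explicit DROP rules at the end of each chain stay, so
    # steady-state behaviour is unchanged.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP

    ##############################################
    # INPUT RULES
    ##############################################

    # loopback adapter
    iptables -A INPUT -i lo -j ACCEPT

    # drop traffic claiming to come from ranges that must never appear on
    # this link (10.0.0.0/8 is deliberately absent: the LAN lives there).
    # The letters are the historical class labels.
    iptables -A INPUT -s 192.168.0.0/16 -j DROP # (C) whole private range (was /24, which covered only 192.168.0.x)
    iptables -A INPUT -s 172.16.0.0/12 -j DROP # (B)
    iptables -A INPUT -s 224.0.0.0/4 -j DROP # (MULTICAST D)
    iptables -A INPUT -s 240.0.0.0/4 -j DROP # (E) reserved (was /5, which left 248.0.0.0-255.255.255.255 unmatched)
    iptables -A INPUT -s 10.0.1.1 -j DROP # router
    iptables -A INPUT -d 10.0.1.255 -j DROP # broadcast
    iptables -A INPUT -d 255.255.255.255 -j DROP # broadcast

    # related/established
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # invalid
    iptables -A INPUT -m state --state INVALID -j DROP

    # syn-flood protection. Every new TCP connection (SYN) is sent through a
    # dedicated chain: within the rate limit it RETURNs here and is judged by
    # the per-port rules below; beyond the limit it is dropped.
    # The previous single rule ACCEPTed rate-limited SYNs to *any* port, so
    # it exposed every listening TCP service (SSH included) to every source
    # and never dropped anything.
    # -m limit is a single global bucket, not per-source: the default 1/s
    # burst 3 applies to all new TCP connections combined and is very low
    # for a public web server -- tune via SYN_LIMIT / SYN_BURST.
    iptables -N syn_flood 2>/dev/null || iptables -F syn_flood
    iptables -A syn_flood -m limit --limit "${SYN_LIMIT:-1/s}" --limit-burst "${SYN_BURST:-3}" -j RETURN
    iptables -A syn_flood -j DROP
    iptables -A INPUT -p tcp --syn -j syn_flood

    # allow http
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

    # allow ssh only from LAN
    iptables -A INPUT -s 10.0.1.0/24 -m state --state NEW -p tcp --dport 65212 -j ACCEPT

    # allow ping only from LAN (excess echo requests fall through to log/drop)
    iptables -A INPUT -s 10.0.1.0/24 -m state --state NEW -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT

    # log the rest (rate-limited so a flood cannot fill the log)
    iptables -A INPUT -m limit --limit 2/min --limit-burst 2 -j LOG --log-prefix "INPUT DROP: "

    # block everything else
    iptables -A INPUT -j DROP

    ##############################################
    # OUTPUT RULES
    ##############################################

    # loopback adapter
    iptables -A OUTPUT -o lo -j ACCEPT

    # related/established
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # allow dns queries (UDP only; TCP/53 fallback for large answers is not allowed)
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

    # allow http/https queries
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

    # log the rest
    iptables -A OUTPUT -m limit --limit 2/min --limit-burst 2 -j LOG --log-prefix "OUTPUT DROP: "

    # block everything else
    iptables -A OUTPUT -j DROP
}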
  91.  
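# Dispatch on the init action. Exit status follows the init-script
# convention that 0 means success: "restart" used to exit 1 even when both
# steps succeeded, so service managers reported a failed restart.
case "$1" in
    start)
        start_firewall
        ;;

    stop)
        reset_firewall
        ;;

    reload)
        # A live reload is not supported; the caller must restart.
        echo 'Only restart is accepted!' >&2
        exit 1
        ;;

    status)
        clear
        iptables -L -nv --line-numbers
        ;;

    force-reload|restart)
        reset_firewall
        start_firewall
        ;;

    live)
        # Re-run "status" once a second until interrupted.
        while true; do "$0" status; sleep 1; done
        ;;

    active_connections)
        watch netstat -anlp
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|force-reload|status|live|active_connections}" >&2
        exit 1
        ;;
esac

exit 0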