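#!/bin/bash
#
# Host firewall for a server with two interfaces.
#
#   IFACE0  production side: outbound NTP, DNS and HTTP (repositories) only
#   IFACE1  admin side: inbound SSH, SNMP and ICMP from ADMIN_NETWORK,
#           outbound syslog to SYSLOGD_SERVERS
#
# filter table: default DROP on INPUT, FORWARD and OUTPUT; only the flows
# listed below are accepted.  nat and mangle are emptied with ACCEPT policies.
#
# Fail-closed behaviour:
#   * every value consumed by a rule is checked before any iptables call, so
#     an unfilled template aborts without touching the live ruleset;
#   * the filter DROP policies are set before the flush, so an error halfway
#     through (set -e) leaves the host closed, not open.
#
# Must run as root.  Fill in the *_SECTION values below or export them in the
# environment before running.
set -euo pipefail

##### IFACE SECTION #####
IFACE0=${IFACE0:-}
IFACE1=${IFACE1:-}

##### IP SECTION #####
ADMIN_NETWORK=${ADMIN_NETWORK:-}
# PROD_NETWORK and NAGIOS_SERVERS are declared but not referenced by any rule
# below; they are kept so an operator can fill them in for future rules.
PROD_NETWORK=${PROD_NETWORK:-}
DNS_SERVERS=${DNS_SERVERS:-}
NAGIOS_SERVERS=${NAGIOS_SERVERS:-}
NTPD_SERVERS=${NTPD_SERVERS:-}
# REPO_SERVERS is matched with iprange --dst-range, so it must be a range of
# the form first-last (see the HTTP rule), not a single address or CIDR.
REPO_SERVERS=${REPO_SERVERS:-}
SYSLOGD_SERVERS=${SYSLOGD_SERVERS:-}

##### PORT SECTION #####
readonly DNS_PORT=53
readonly HTTPD_PORT=80
readonly NTPD_PORT=123
readonly SNMPD_PORT=161
readonly SSHD_PORT=22
readonly SYSLOGD_PORT=514

#######################################
# Print a diagnostic on stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Abort unless every configuration value used by a rule is non-empty.
# Called before the first iptables command: an empty value would otherwise
# make e.g. "-i $IFACE1 -s $ADMIN_NETWORK" parse as "-i -s ...", the admin
# SSH rule would fail to load, and the host would already be at policy DROP.
# Globals: reads all *_SECTION variables listed below
#######################################
require_config() {
  local name
  for name in IFACE0 IFACE1 ADMIN_NETWORK DNS_SERVERS NTPD_SERVERS \
              REPO_SERVERS SYSLOGD_SERVERS DNS_PORT HTTPD_PORT NTPD_PORT \
              SNMPD_PORT SSHD_PORT SYSLOGD_PORT; do
    [[ -n "${!name}" ]] || die "$name must be set"
  done
}

#######################################
# Reset one of the nat/mangle tables: set every built-in chain to POLICY,
# then flush all chains and delete user-defined ones.
# The table can be absent on a kernel without the matching module; in that
# case it is reported and skipped instead of aborting the whole run.
# Arguments: $1 - table name, $2 - policy, $3.. - built-in chains
#######################################
reset_table() {
  local table=$1 policy=$2
  shift 2
  if ! iptables -t "$table" -L -n >/dev/null 2>&1; then
    printf '%s: table %s unavailable, skipping\n' "${0##*/}" "$table" >&2
    return 0
  fi
  local chain
  for chain in "$@"; do
    iptables -t "$table" -P "$chain" "$policy"
  done
  iptables -t "$table" -F
  iptables -t "$table" -X
}

#######################################
# Log and drop INPUT traffic to a port that only the admin network may reach.
# The LOG rule is rate-limited so a port scan cannot flood syslog.
# Arguments: $1 - protocol (tcp|udp), $2 - destination port, $3 - log prefix
#######################################
log_and_drop() {
  local proto=$1 port=$2 prefix=$3
  iptables -A INPUT -p "$proto" --dport "$port" \
    -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$prefix"
  iptables -A INPUT -p "$proto" --dport "$port" -j DROP
}

main() {
  (( EUID == 0 )) || die "must be run as root"
  require_config

  # filter table: policies first (fail-closed), then flush.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  iptables -F
  iptables -X

  reset_table nat ACCEPT PREROUTING POSTROUTING OUTPUT
  reset_table mangle ACCEPT PREROUTING INPUT OUTPUT FORWARD

  # Loopback traffic
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Drop malformed TCP: new connections not starting with SYN, and the
  # all-flags / no-flags probes.
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

  # Keep every connection that is already established or related to one
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Ping from the admin network only
  iptables -A INPUT -p icmp -i "$IFACE1" -s "$ADMIN_NETWORK" \
    -m state --state NEW -j ACCEPT

  # SSH from the admin network only; anything else is logged then dropped
  iptables -A INPUT -i "$IFACE1" -s "$ADMIN_NETWORK" -p tcp \
    --dport "$SSHD_PORT" -m state --state NEW -j ACCEPT
  log_and_drop tcp "$SSHD_PORT" "Tentative SSH"

  # SNMP from the admin network only; anything else is logged then dropped
  iptables -A INPUT -i "$IFACE1" -s "$ADMIN_NETWORK" -p udp \
    --dport "$SNMPD_PORT" -m state --state NEW -j ACCEPT
  log_and_drop udp "$SNMPD_PORT" "Tentative SNMPD"

  # NTP synchronisation to NTPD_SERVERS
  iptables -A OUTPUT -o "$IFACE0" -d "$NTPD_SERVERS" -p udp \
    --dport "$NTPD_PORT" -m state --state NEW -j ACCEPT

  # Syslog forwarding to SYSLOGD_SERVERS (admin side)
  iptables -A OUTPUT -o "$IFACE1" -d "$SYSLOGD_SERVERS" -p udp \
    --dport "$SYSLOGD_PORT" -m state --state NEW -j ACCEPT

  # HTTP to the package repositories (REPO_SERVERS is an address range)
  iptables -A OUTPUT -o "$IFACE0" -m iprange --dst-range "$REPO_SERVERS" \
    -p tcp --dport "$HTTPD_PORT" -m state --state NEW -j ACCEPT

  # DNS queries to DNS_SERVERS
  iptables -A OUTPUT -o "$IFACE0" -d "$DNS_SERVERS" -p udp \
    --dport "$DNS_PORT" -m state --state NEW -j ACCEPT
}

main "$@"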