
IPtables

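#!/bin/bash
#
# Host firewall: default-deny on INPUT/FORWARD/OUTPUT in the filter table,
# then open only the flows listed below.
#
# Fill in the IFACE/IP variables before running. Every variable that a rule
# interpolates is asserted non-empty: with the original unquoted, unchecked
# expansions an empty value did not fail, it shifted the iptables argument
# list (e.g. "-i ${IFACE1} -s ..." became "-i -s ...") and installed a rule
# that was not the one intended.
#
# Conventions visible in the rules: IFACE0 carries the outbound service
# traffic (NTP, repositories, DNS); IFACE1 carries the admin traffic
# (SSH, SNMP, syslog, ping).
set -eu

##### IFACE SECTION #####
IFACE0=
IFACE1=

##### IP SECTION #####
ADMIN_NETWORK=
PROD_NETWORK=        # not referenced by any rule below

DNS_SERVERS=
NAGIOS_SERVERS=      # not referenced by any rule below
NTPD_SERVERS=
REPO_SERVERS=        # "first-last" range, consumed by "-m iprange --dst-range"
SYSLOGD_SERVERS=

##### PORT SECTION #####
DNS_PORT=53
HTTPD_PORT=80
NTPD_PORT=123
SNMPD_PORT=161
SSHD_PORT=22
SYSLOGD_PORT=514

# Fail fast on any value a rule uses; see the header comment for why an
# empty value is worse than an error here.
: "${IFACE0:?IFACE0 must be set}"
: "${IFACE1:?IFACE1 must be set}"
: "${ADMIN_NETWORK:?ADMIN_NETWORK must be set}"
: "${DNS_SERVERS:?DNS_SERVERS must be set}"
: "${NTPD_SERVERS:?NTPD_SERVERS must be set}"
: "${REPO_SERVERS:?REPO_SERVERS must be set}"
: "${SYSLOGD_SERVERS:?SYSLOGD_SERVERS must be set}"

# Flush rules and delete user chains in every table, once each
# (the nat and mangle tables used to be flushed twice).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Default-deny in the filter table. This is set before any ACCEPT rule so
# that if a later command fails (set -e aborts the script) the host is
# left closed rather than open.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# nat and mangle do no filtering here: leave their policies at ACCEPT.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT

# Drop malformed TCP: new connections that do not start with SYN, and the
# all-flags / no-flags combinations that are never legitimate.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Return traffic for connections accepted by the NEW rules below.
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback traffic
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Ping from the admin network only
iptables -A INPUT -p icmp -i "${IFACE1}" -s "${ADMIN_NETWORK}" -m state --state NEW -j ACCEPT

# SSH from the admin network only; everything else is logged, then dropped.
# The LOG rule is rate-limited so that a port scan or brute-force attempt
# cannot flood syslog (the DROP below it is unconditional).
iptables -A INPUT -i "${IFACE1}" -s "${ADMIN_NETWORK}" -p tcp --dport "${SSHD_PORT}" -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport "${SSHD_PORT}" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Tentative SSH"
iptables -A INPUT -p tcp --dport "${SSHD_PORT}" -j DROP

# SNMP from the admin network only; same rate-limited log-then-drop.
iptables -A INPUT -i "${IFACE1}" -s "${ADMIN_NETWORK}" -p udp --dport "${SNMPD_PORT}" -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport "${SNMPD_PORT}" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Tentative SNMPD"
iptables -A INPUT -p udp --dport "${SNMPD_PORT}" -j DROP

# Outbound NTP synchronisation to NTPD_SERVERS
iptables -A OUTPUT -o "${IFACE0}" -d "${NTPD_SERVERS}" -p udp --dport "${NTPD_PORT}" -m state --state NEW -j ACCEPT

# Outbound syslog forwarding to SYSLOGD_SERVERS
iptables -A OUTPUT -o "${IFACE1}" -d "${SYSLOGD_SERVERS}" -p udp --dport "${SYSLOGD_PORT}" -m state --state NEW -j ACCEPT

# Outbound HTTP to the package repositories (address range, not a single host)
iptables -A OUTPUT -o "${IFACE0}" -m iprange --dst-range "${REPO_SERVERS}" -p tcp --dport "${HTTPD_PORT}" -m state --state NEW -j ACCEPT

# Outbound DNS to DNS_SERVERS. UDP only, as in the original policy: a
# resolver falling back to TCP for large answers is not permitted here.
iptables -A OUTPUT -o "${IFACE0}" -d "${DNS_SERVERS}" -p udp --dport "${DNS_PORT}" -m state --state NEW -j ACCEPT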