iptables.sh initial upload

2011-07-06 14:57:43 +02:00 · 2011-07-06 14:57:43 +02:00 · 8abd7ac1e9
commit 8abd7ac1e9
parent 0f713b3d68
1 changed files with 46 additions and 0 deletions
--- a/iptables.sh
+++ b/iptables.sh
@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+#
+# v0.1
+ipt=$(which iptables)
+
+# Clear all rules
+$ipt -F
+$ipt -X
+
+
+# Default policies
+$ipt -P INPUT DROP
+$ipt -P FORWARD DROP
+$ipt -P OUTPUT ACCEPT
+
+# Create a logging chain
+$ipt -N LOGDROP
+
+# allow loopback communication
+$ipt -A INPUT -i lo -j ACCEPT
+$ipt -A OUTPUT -o lo -j ACCEPT
+
+# Block bad people
+#$ipt -I INPUT -s x.x.x.x -j DROP
+
+# Allowing wanted ports
+$ipt -A INPUT -p tcp -m multiport --dports 25,80 -j ACCEPT
+
+# Allow SSH only from trusted networks
+$ipt -A INPUT -p tcp -s 80.243.211.96/28 --dport 22 -j ACCEPT	# Acceleris
+$ipt -A INPUT -p tcp -s 212.60.32.0/19 --dport 22 -j ACCEPT	# Quickline
+$ipt -A INPUT -p tcp -s 89.236.128.0/18 --dport 22 -j ACCEPT	# Quickline
+$ipt -A INPUT -p tcp -s 83.76.0.0/14 --dport 22 -j ACCEPT	# Swisscom	
+$ipt -A INPUT -p tcp -s 188.60.0.0/14 --dport 22 -j ACCEPT	# Swisscom
+$ipt -A INPUT -p tcp -s 213.0.0.0/8 --dport 22 -j ACCEPT	# Orange
+$ipt -A INPUT -p tcp -s 84.72.0.0/14 --dport 22 -j ACCEPT	# Cablecom
+# Logs all SSH traffic from unlisted networks
+$ipt -A LOGDROP -m limit -p tcp --dport 22 --limit 3/s --limit-burst 10 -j LOG --log-prefix "#fw SSH block: "
+$ipt -A LOGDROP -j DROP
+
+$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+$ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+# this logs the specified rule:
+#$IPT -A INPUT -p icmp -j LOG --log-level 4 --log-prefix '[PING DROP  ] '