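#!/usr/bin/env bash
#
# v0.1
#
# Host firewall: flushes the IPv4 filter table, sets DROP as the default
# policy for INPUT and FORWARD, then re-adds the allowed services.
#
# Only iptables (IPv4) is configured here; ip6tables is not touched, so
# IPv6 traffic is unaffected by this script.
#
# Must run as root. Once the default policies are set, every later rule has
# to succeed, so the script aborts on the first failing command rather than
# leaving a partially built rule set behind.

set -euo pipefail

# Print a message to stderr and exit with status 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must be run as root"

# Resolve the iptables binary up front; an empty path would otherwise turn
# "$ipt -F" into a bare "-F" command.
ipt=$(command -v iptables) || die "iptables not found in PATH"
readonly ipt

# Clear all rules and remove user-defined chains
"$ipt" -F
"$ipt" -X

# Default policies: inbound and forwarded traffic is dropped unless a rule
# below accepts it; outbound traffic is allowed.
"$ipt" -P INPUT DROP
"$ipt" -P FORWARD DROP
"$ipt" -P OUTPUT ACCEPT

# Create a logging chain (rate-limited LOG followed by DROP, populated below)
"$ipt" -N LOGDROP

# allow loopback communication
"$ipt" -A INPUT -i lo -j ACCEPT
"$ipt" -A OUTPUT -o lo -j ACCEPT

# Block bad people (x.x.x.x is a placeholder for the address to block)
#"$ipt" -I INPUT -s x.x.x.x -j DROP

# Allowing wanted ports
"$ipt" -A INPUT -p tcp -m multiport --dports 25,80 -j ACCEPT

# Allow SSH only from trusted networks
"$ipt" -A INPUT -p tcp -s 80.243.211.96/28 --dport 22 -j ACCEPT # Acceleris
"$ipt" -A INPUT -p tcp -s 212.60.32.0/19 --dport 22 -j ACCEPT # Quickline
"$ipt" -A INPUT -p tcp -s 89.236.128.0/18 --dport 22 -j ACCEPT # Quickline
"$ipt" -A INPUT -p tcp -s 83.76.0.0/14 --dport 22 -j ACCEPT # Swisscom
"$ipt" -A INPUT -p tcp -s 188.60.0.0/14 --dport 22 -j ACCEPT # Swisscom
"$ipt" -A INPUT -p tcp -s 213.0.0.0/8 --dport 22 -j ACCEPT # Orange
"$ipt" -A INPUT -p tcp -s 84.72.0.0/14 --dport 22 -j ACCEPT # Cablecom

# Logs all SSH traffic from unlisted networks (at most 3 entries/s, burst 10)
# and then drops it.
"$ipt" -A LOGDROP -m limit -p tcp --dport 22 --limit 3/s --limit-burst 10 -j LOG --log-prefix "#fw SSH block: "
"$ipt" -A LOGDROP -j DROP

# Send SSH from every source not accepted above through LOGDROP. Without
# this jump the chain is never referenced, and unlisted SSH attempts are
# silently dropped by the INPUT policy instead of being logged.
"$ipt" -A INPUT -p tcp --dport 22 -j LOGDROP

# Replies to connections this host initiated, and related traffic
"$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# this logs the specified rule:
#"$ipt" -A INPUT -p icmp -j LOG --log-level 4 --log-prefix '[PING DROP ] '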