How To: iptables example

Posted: April 21, 2011 in FOSS

This is an example script for iptables

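#!/bin/sh
#
# Example host firewall for a single server: default-deny on INPUT, OUTPUT
# and FORWARD, then explicit allow rules for the services this host offers
# (ssh, http/https, svn, snmp/mysql for monitoring, amanda) and the peers it
# talks to (dns, ntp, smtp, yum mirrors, svn, amanda).  Anything not matched
# by an allow rule is logged and dropped.
#
# Run as root after filling in the placeholders below.  Apply it from the
# console (or with a scheduled rollback) the first time: the default policies
# are switched to DROP before the ssh allow rule exists, so a remote session
# is briefly interrupted, and a mistyped rule can lock you out.
#
# Abort on the first failing command and on any unset variable, so that a
# rejected rule does not leave a half-built ruleset that the
# `service iptables save` step at the end would then persist.
set -eu

# IP addresses
SERVER_IP='<your_server_ip>'
DNS1_SERVER_IP='<primary_dns_server_ip>'
SMTP_SERVER_IP='<smtp_server_ip>'
BACKUP_SERVER_IP='<amanda_server_ip>'
MONITOR_SERVER_IP='<zenoss_server_ip>'

# Subnets
LAN_SUBNET='<your_lan_subnet>'

# Flushing all chains (filter table only; nat/mangle are left untouched)
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming ssh, rate-limited per source with the "recent" match.
# The accept rule is appended; the three -I rules are inserted at the head
# of INPUT, so after this block the chain reads (top to bottom):
#   DROP once a source has >= 4 new ssh connections within 600 s,
#   LOG  once a source has >= 3 new ssh connections within 600 s,
#   record the source (no -j, so this rule only updates the list and
#   falls through),
#   loopback accept, then the ssh accept.
iptables -A INPUT -p tcp -s 0/0 -d "${SERVER_IP}" --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d "${SERVER_IP}" --sport 513:65535 --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp -s 0/0 -d "${SERVER_IP}" --sport 513:65535 --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j LOG --log-prefix 'ERR: SSH hitcount exceed: '
iptables -I INPUT -p tcp -s 0/0 -d "${SERVER_IP}" --sport 513:65535 --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 -j DROP
iptables -A OUTPUT -p tcp -s "${SERVER_IP}" -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming http/https
iptables -A INPUT -p tcp -s 0/0 -d "${SERVER_IP}" --sport 1024:65535 -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming svn
iptables -A INPUT -p tcp -s 0/0 -d "${SERVER_IP}" --sport 1024:65535 --dport 3690 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming snmp from monitoring server only
iptables -A INPUT -p udp -s "${MONITOR_SERVER_IP}" -d "${SERVER_IP}" --sport 1024:65535 --dport 161 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming mysql for monitoring(zenoss) and backups(mysql-zrm via socket),
# again only from the monitoring server
iptables -A INPUT -p tcp -s "${MONITOR_SERVER_IP}" -d "${SERVER_IP}" --sport 1024:65535 -m multiport --dports 3306,25300 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow outgoing dns lookups (to the configured resolver only; the replies
# are accepted by the ESTABLISHED,RELATED rule near the end)
iptables -A OUTPUT -p udp -s "${SERVER_IP}" -d "${DNS1_SERVER_IP}" --sport 1024:65535 --dport 53 -j ACCEPT

# Allow outgoing ntp syncs(only privilege port)
iptables -A OUTPUT -p udp -s "${SERVER_IP}" -d 0/0 --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming/outgoing icmp within the subnet
iptables -A OUTPUT -p icmp -s "${SERVER_IP}" -d "${LAN_SUBNET}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -s "${LAN_SUBNET}" -d "${SERVER_IP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow amanda - amdump, amcheck (backup server connects to this host)
iptables -A INPUT -p tcp -s "${BACKUP_SERVER_IP}" -d "${SERVER_IP}" --dport 10080 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow amanda - amrecover (this host connects to the backup server)
iptables -A OUTPUT -p tcp -s "${SERVER_IP}" -d "${BACKUP_SERVER_IP}" --dport 10080 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow outgoing ssh within the subnet
iptables -A OUTPUT -p tcp -s "${SERVER_IP}" -d "${LAN_SUBNET}" --sport 513:65535 --dport 22 -m state --state NEW -j ACCEPT

# Allow outgoing http/s (for yum)
iptables -A OUTPUT -p tcp -s "${SERVER_IP}" -d 0/0 --sport 1024:65535 -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing ftp (for yum)
iptables -A OUTPUT -p tcp -s "${SERVER_IP}" -d 0/0 --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing smtp (to the configured relay only)
iptables -A OUTPUT -p tcp -s "${SERVER_IP}" -d "${SMTP_SERVER_IP}" --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow outgoing svn
iptables -A OUTPUT -p tcp -s "${SERVER_IP}" -d 0/0 --sport 1024:65535 --dport 3690 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow all previously established incoming/outgoing connections
iptables -A INPUT -s 0/0 -d "${SERVER_IP}" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s "${SERVER_IP}" -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Make sure nothing else comes in or goes out: log it (kernel log, level 4 =
# warning) and then drop it explicitly, so the drop is visible in the counters
# of `iptables -L -v` rather than only in the chain policy.
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'ERR: INPUT drop: '
iptables -A INPUT -j DROP
iptables -A OUTPUT -j LOG --log-level 4 --log-prefix 'ERR: OUTPUT drop: '
iptables -A OUTPUT -j DROP

# Save (RHEL/CentOS-style init script; persists the ruleset across reboots)
/sbin/service iptables save

# List rules
iptables -L -v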
