Iptables security settings script
Last Update: 2014-05-27
Source: Internet
Author: User
The default script only enables ports 80, 3306 and 22, the conventional web-server ports. Create the script with `vi default_firewall.sh`:
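#!/bin/bash
###########################################################################
#
# File: default_firewall.sh
# Description: Default host firewall. Sets the INPUT policy to DROP, flushes
#              every table, then allows loopback, RELATED/ESTABLISHED
#              traffic, ICMP and a small set of TCP service ports
#              (80, 3306, 22). Everything else inbound is dropped by policy.
# Language: GNU Bourne-Again SHell
# Version: 1.0
# Date: 2010-6-23
# Corp.: c1gstudio.com
# Author: c1g
# WWW: http://blog.c1gstudio.com
### END INIT INFO
###########################################################################

IPTABLES=/sbin/iptables

# Outbound interface used by the OUTPUT rule below. Override from the
# environment (IFACE=ens3 ./default_firewall.sh) on hosts without eth0.
IFACE=${IFACE:-eth0}

# Fail on unset variables. 'set -e' is deliberately not used: once the INPUT
# policy is DROP, aborting half-way through would leave the host unreachable
# (the SSH ACCEPT rule is added near the end), so each iptables call is left
# to report its own error and the remaining rules are still installed.
set -u

# Refuse to run at all rather than failing part-way with the policy already
# switched to DROP.
if [ "$(id -u)" -ne 0 ]; then
  printf 'error: this script must be run as root\n' >&2
  exit 1
fi
if [ ! -x "$IPTABLES" ]; then
  printf 'error: %s is not executable\n' "$IPTABLES" >&2
  exit 1
fi

# Start by flushing the rules. The policies are set before the flush so the
# INPUT chain is never empty with an ACCEPT policy.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT
"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -Z
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -X
"$IPTABLES" -t nat -Z

# Allow packets coming from the machine
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Allow outgoing traffic (the OUTPUT policy is already ACCEPT; this rule is
# kept so the interface's outbound traffic is counted explicitly)
"$IPTABLES" -A OUTPUT -o "$IFACE" -j ACCEPT

# Block spoofing: loopback addresses arriving on a non-loopback interface.
# Uses the current '! -i' negation form instead of the deprecated '-i ! lo'.
"$IPTABLES" -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# All ICMP types are accepted, not just echo-request.
"$IPTABLES" -A INPUT -p icmp -j ACCEPT

# Stop bad packets
# "$IPTABLES" -A INPUT -m state --state INVALID -j DROP
# Nmap FIN/URG/PSH
# "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Stop Xmas Tree type scanning
# (second "ALL" reconstructed: --tcp-flags takes a mask and a flag list,
#  and the source line was truncated)
# "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --tcp-flags ALL ALL -j DROP
# "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Stop null scanning
# "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
# "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN
# "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Stop SYN flood
# "$IPTABLES" -N SYNFLOOD
# "$IPTABLES" -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
# "$IPTABLES" -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
# "$IPTABLES" -A INPUT -p tcp -m state --state NEW -j SYNFLOOD
# Stop ping flood attack
# "$IPTABLES" -N PING
# "$IPTABLES" -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
# "$IPTABLES" -A PING -p icmp -j REJECT
# "$IPTABLES" -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING

#################################
# What we allow
#################################
# TCP ports
# SMTP
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# HTTP
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# POP3
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# IMAP
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# LDAP
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
# HTTPS
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# SMTP over SSL
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
# Line printer spooler
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 515 -j ACCEPT
# CUPS
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
#
# MySQL
# NOTE(review): this accepts 3306 from any source. If the database only
# serves local or LAN clients, add '-s <trusted CIDR>' as the Samba rules
# below do, or drop the rule and rely on loopback access.
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# Tomcat
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# Squid
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
# NRPE
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 15666 -j ACCEPT
# Restrict some tcp things ##
# SSH (open to any source; no rate limit is applied here)
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# "$IPTABLES" -A INPUT -p tcp -m tcp --dport 6022 -j ACCEPT
# Samba (netbios)
# "$IPTABLES" -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 137:139 -j ACCEPT
# Ntop
# "$IPTABLES" -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 3000 -j ACCEPT
# Hylafax
# "$IPTABLES" -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 4558:4559 -j ACCEPT
# Webmin
# "$IPTABLES" -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 10000 -j ACCEPT
# UDP ports
# DNS
# "$IPTABLES" -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# DHCP
# "$IPTABLES" -A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
# NTP
# "$IPTABLES" -A INPUT -p udp -m udp --dport 123 -j ACCEPT
# SNMP
# "$IPTABLES" -A INPUT -p udp -m udp --dport 161:162 -j ACCEPT
# Restrict some udp things ##
# Samba (Netbios)
# "$IPTABLES" -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137:139 -j ACCEPT
# (matching on source port alone is not a trust boundary: any client can
#  choose its source port, so prefer the -s restricted rule above)
# "$IPTABLES" -A INPUT -p udp -m udp --sport 137:138 -j ACCEPT
# Finally - drop the rest (already covered by the INPUT DROP policy above)
# "$IPTABLES" -A INPUT -p tcp --syn -j DROP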
Set permissions: `chmod u+x ./default_firewall.sh`
Run the script: `./default_firewall.sh`
View the loaded rules: `# /sbin/iptables -nL`
Save the rules so they persist: `# /sbin/iptables-save > /etc/sysconfig/iptables`
Restart iptables: `# /etc/init.d/iptables restart`