====== Примеры скриптов iptables ======
===== Flush iptables policy =====
#!/bin/bash
IPT="/sbin/iptables"
#flush policy
$IPT -F
$IPT -X
#default policy
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
===== Simple personal firewall =====
#!/bin/bash
IPT="/sbin/iptables"
#flush policy
$IPT -F
$IPT -X
#default policy
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
#create custom chain
$IPT -N POLICY
# INPUT policy
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 127.0.0.1 -j ACCEPT
$IPT -A INPUT -d 127.0.0.1 -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
#jump to chain
$IPT -A INPUT -j POLICY
#chain policy
$IPT -A POLICY -p tcp -m tcp --dport 53 -j ACCEPT
$IPT -A POLICY -p udp -m udp --dport 53 -j ACCEPT
$IPT -A POLICY -p tcp -m tcp --dport 22 -j ACCEPT
$IPT -A POLICY -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A POLICY -p tcp -m tcp --dport 443 -j ACCEPT
===== Standalone VPS (1)=====
http://www.cyberciti.biz/tips/virtuozzo-iptables-firewall.html
http://bash.cyberciti.biz/security/linux-virtuozzo-vps-firewall-script-2
#!/bin/bash
# Firewall for Red hat enterprise linux Virtuozzo VPS
# It is simple firewall but effective one on Red hat enterprise linux Virtuozzo VPS :)
# ---------------------------------------------------------
# 1) DO NOT FORGEDT TO SETUP CORRECT IPS first
# 2) touch /root/allbadips.txt; echo "192.1678.0.10"> /root/allbadips.txt
# 3) To load/start firewall from this script
# chmod +x virtuozzo-iptables-firewall-script.bash
# ./virtuozzo-iptables-firewall-script.bash
# -----------------------------------------------------
# Laste updated : Aug - 08 - 2005
# -----------------------------------------------------
# Copyright (C) 2004,2005 nixCraft
# This script is licensed under GNU GPL version 2.0 or above
# For more info, please visit:
# http://www.cyberciti.biz/nixcraft/vivek/blogger/2004/12/virtuozzo-iptables-firewall.html
#-----------------------------------------------------
# ip = can be setup once - Aug-2005.
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
# BAD IPS FILE all ip in this file are droped
BADIPS="$(cat /root/allbadips.txt|grep -v -E "^#")"
# setup your IPS here
myIPS="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"
# Setup VPS main IP here
ip="xxx.xxx.xxx.xxx"
# stop RedHAT linux iptables
service iptables stop
# Setting default filter policy DROP ALL :D
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allow unlinited traffic on both lo and venet0
iptables -A INPUT -i venet0 -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o venet0 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
# Block all those IPs
for ip in $BADIPS
do
iptables -A INPUT -s $ip -j DROP
iptables -A OUTPUT -d $ip -j DROP
done
# Stop flood
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP
# Spoofing and bad addresses
# Bad incoming source ip address i.e server IP drop all here
for myip in $myIPS
do
iptables -A INPUT -s $myip -j DROP
done
# Drop all incoming fragments
iptables -A INPUT -f -j DROP
# Drop all incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop all incoming malformed NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Bad incoming source ip address 0.0.0.0/8
iptables -A INPUT -s 0.0.0.0/8 -j DROP
# Bad incoming source ip address 127.0.0.0/8
iptables -A INPUT -s 127.0.0.0/8 -j DROP
# Bad incoming source ip address 10.0.0.0/8
iptables -A INPUT -s 10.0.0.0/8 -j DROP
# Bad incoming source ip address 172.16.0.0/12
iptables -A INPUT -s 172.16.0.0/12 -j DROP
# Bad incoming source ip address 192.168.0.0/16
iptables -A INPUT -s 192.168.0.0/16 -j DROP
# Bad incoming source ip address 224.0.0.0/3
iptables -A INPUT -s 224.0.0.0/3 -j DROP
#Open Port 80 , no statful fw as VPS don't support it :(
#ip="xxx.xxx.xxx.xxx" # IP of your www service
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT
#Open Port 443
#ip="xxx.xxx.xxx.xxx" # IP of your wwws service
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT
#Open Port 25
#ip="xxx.xxx.xxx.xxx"
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT
#Open port 22 for all
#ip="xxx.xxx.xxx.xxx"
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $ip --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 22 -d 0/0 --dport 513:65535 -j ACCEPT
# Outgoing DNS
# udp first
NSIP="ns1_IP ns2_IP" # NS1 NS2 of ISP
#ip="your_main_IP"
for mip in $NSIP
do
iptables -A OUTPUT -p udp -s $ip --sport 1024:65535 -d $mip --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT
# tcp next
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d $mip --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT
done
#outgoin ICMP
#ip="your_main_IP"
iptables -A OUTPUT -p icmp -s $ip -d 0/0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -d $ip -j ACCEPT
#outgoing traceroute
#ip="your_main_IP"
iptables -A OUTPUT -p udp -s $ip --sport 1024:65535 -d 0/0 --dport 33434:33523 -j ACCEPT
#outgoing SMTP
#ip="your_main_IP"
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d $ip --dport 1024:65535 -j ACCEPT
#outgoing FTP
#ip="your_main_IP"
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 21 -d $ip --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 1024:65535 -j ACCEPT
#outgoin SSH
#ip="your_main_IP"
iptables -A OUTPUT -p tcp -s $ip --sport 513:65535 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 22 -d $ip --dport 513:65535 -j ACCEPT
#outgoin http and https
# for up2date and other stuff
#ip="your_main_IP"
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 80 -d $ip --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 443 -d $ip --dport 1024:65535 -j ACCEPT
# Okay Drop everything from here :D
iptables -A INPUT -s 0/0 -j DROP
iptables -A OUTPUT -d 0/0 -j DROP
# EOF SFW
===== Standalone VPS (2)=====
http://www.dailycupoftech.com/2009/02/19/basic-slicehost-slice-setup-part-2-configure-iptables/
#!/bin/bash
IPT="/sbin/iptables"
#Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn’t use lo0
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
#Accepts all established inbound connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allows all outbound traffic
$IPT -A OUTPUT -j ACCEPT
#Allows HTTP and HTTPS connections from anywhere
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
#Allows SSH connections
$IPT -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#Allow ping
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#Log iptables denied calls
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#Reject all other inbound - default deny unless explicitly allowed policy
$IPT -A INPUT -j DROP
$IPT -A FORWARD -j DROP
===== Standalone VPS (3) =====
http://adinugro.blogspot.com/2009/05/secure-vps-day-2-iptables.html
cd ~
sudo iptables-save >~/iptables.policy
sudo iptables-restore <~/iptables.policy
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp --dport 22 -j ACCEPT
# Reject ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT