#!/bin/bash IPT="/sbin/iptables" #flush policy $IPT -F $IPT -X #default policy $IPT -P INPUT ACCEPT $IPT -P FORWARD ACCEPT $IPT -P OUTPUT ACCEPT
#!/bin/bash IPT="/sbin/iptables" #flush policy $IPT -F $IPT -X #default policy $IPT -P FORWARD ACCEPT $IPT -P OUTPUT ACCEPT $IPT -P INPUT DROP #create custom chain $IPT -N POLICY # INPUT policy $IPT -A INPUT -i lo -j ACCEPT $IPT -A INPUT -s 127.0.0.1 -j ACCEPT $IPT -A INPUT -d 127.0.0.1 -j ACCEPT $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A INPUT -p icmp -j ACCEPT #jump to chain $IPT -A INPUT -j POLICY #chain policy $IPT -A POLICY -p tcp -m tcp --dport 53 -j ACCEPT $IPT -A POLICY -p udp -m udp --dport 53 -j ACCEPT $IPT -A POLICY -p tcp -m tcp --dport 22 -j ACCEPT $IPT -A POLICY -p tcp -m tcp --dport 80 -j ACCEPT $IPT -A POLICY -p tcp -m tcp --dport 443 -j ACCEPT
http://www.cyberciti.biz/tips/virtuozzo-iptables-firewall.html
http://bash.cyberciti.biz/security/linux-virtuozzo-vps-firewall-script-2
#!/bin/bash # Firewall for Red hat enterprise linux Virtuozzo VPS # It is simple firewall but effective one on Red hat enterprise linux Virtuozzo VPS :) # --------------------------------------------------------- # 1) DO NOT FORGEDT TO SETUP CORRECT IPS first # 2) touch /root/allbadips.txt; echo "192.1678.0.10"> /root/allbadips.txt # 3) To load/start firewall from this script # chmod +x virtuozzo-iptables-firewall-script.bash # ./virtuozzo-iptables-firewall-script.bash # ----------------------------------------------------- # Laste updated : Aug - 08 - 2005 # ----------------------------------------------------- # Copyright (C) 2004,2005 nixCraft <http://cyberciti.biz/fb/> # This script is licensed under GNU GPL version 2.0 or above # For more info, please visit: # http://www.cyberciti.biz/nixcraft/vivek/blogger/2004/12/virtuozzo-iptables-firewall.html #----------------------------------------------------- # ip = can be setup once - Aug-2005. # ------------------------------------------------------------------------- # This script is part of nixCraft shell script collection (NSSC) # Visit http://bash.cyberciti.biz/ for more information. # ------------------------------------------------------------------------- # BAD IPS FILE all ip in this file are droped BADIPS="$(cat /root/allbadips.txt|grep -v -E "^#")" # setup your IPS here myIPS="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx" # Setup VPS main IP here ip="xxx.xxx.xxx.xxx" # stop RedHAT linux iptables service iptables stop # Setting default filter policy DROP ALL :D iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # allow unlinited traffic on both lo and venet0 iptables -A INPUT -i venet0 -s 127.0.0.1 -j ACCEPT iptables -A OUTPUT -o venet0 -d 127.0.0.1 -j ACCEPT iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT # Block all those IPs for ip in $BADIPS do iptables -A INPUT -s $ip -j DROP iptables -A OUTPUT -d $ip -j DROP done # Stop flood iptables -N flood iptables -A INPUT -p tcp --syn -j flood iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN iptables -A flood -j DROP # Spoofing and bad addresses # Bad incoming source ip address i.e server IP drop all here for myip in $myIPS do iptables -A INPUT -s $myip -j DROP done # Drop all incoming fragments iptables -A INPUT -f -j DROP # Drop all incoming malformed XMAS packets iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # Drop all incoming malformed NULL packets iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # Bad incoming source ip address 0.0.0.0/8 iptables -A INPUT -s 0.0.0.0/8 -j DROP # Bad incoming source ip address 127.0.0.0/8 iptables -A INPUT -s 127.0.0.0/8 -j DROP # Bad incoming source ip address 10.0.0.0/8 iptables -A INPUT -s 10.0.0.0/8 -j DROP # Bad incoming source ip address 172.16.0.0/12 iptables -A INPUT -s 172.16.0.0/12 -j DROP # Bad incoming source ip address 192.168.0.0/16 iptables -A INPUT -s 192.168.0.0/16 -j DROP # Bad incoming source ip address 224.0.0.0/3 iptables -A INPUT -s 224.0.0.0/3 -j DROP #Open Port 80 , no statful fw as VPS don't support it :( #ip="xxx.xxx.xxx.xxx" # IP of your www service iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 80 -j ACCEPT iptables -A OUTPUT -p tcp -s $ip --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT #Open Port 443 #ip="xxx.xxx.xxx.xxx" # IP of your wwws service iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp -s $ip --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT #Open Port 25 #ip="xxx.xxx.xxx.xxx" iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 25 -j ACCEPT iptables -A OUTPUT -p tcp -s $ip --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT #Open port 22 for all #ip="xxx.xxx.xxx.xxx" iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $ip --dport 22 -j ACCEPT iptables -A OUTPUT -p tcp -s $ip --sport 22 -d 0/0 --dport 513:65535 -j ACCEPT # Outgoing DNS # udp first NSIP="ns1_IP ns2_IP" # NS1 NS2 of ISP #ip="your_main_IP" for mip in $NSIP do iptables -A OUTPUT -p udp -s $ip --sport 1024:65535 -d $mip --dport 53 -j ACCEPT iptables -A INPUT -p udp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT # tcp next iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d $mip --dport 53 -j ACCEPT iptables -A INPUT -p tcp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT done #outgoin ICMP #ip="your_main_IP" iptables -A OUTPUT -p icmp -s $ip -d 0/0 -j ACCEPT iptables -A INPUT -p icmp -s 0/0 -d $ip -j ACCEPT #outgoing traceroute #ip="your_main_IP" iptables -A OUTPUT -p udp -s $ip --sport 1024:65535 -d 0/0 --dport 33434:33523 -j ACCEPT #outgoing SMTP #ip="your_main_IP" iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 25 -d $ip --dport 1024:65535 -j ACCEPT #outgoing FTP #ip="your_main_IP" iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 21 -d $ip --dport 1024:65535 -j ACCEPT iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 1024:65535 -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 1024:65535 -j ACCEPT #outgoin SSH #ip="your_main_IP" iptables -A OUTPUT -p tcp -s $ip --sport 513:65535 -d 0/0 --dport 22 -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 22 -d $ip --dport 513:65535 -j ACCEPT #outgoin http and https # for up2date and other stuff #ip="your_main_IP" iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 80 -d $ip --dport 1024:65535 -j ACCEPT iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 443 -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 443 -d $ip --dport 1024:65535 -j ACCEPT # Okay Drop everything from here :D iptables -A INPUT -s 0/0 -j DROP iptables -A OUTPUT -d 0/0 -j DROP # EOF SFW
http://www.dailycupoftech.com/2009/02/19/basic-slicehost-slice-setup-part-2-configure-iptables/
#!/bin/bash IPT="/sbin/iptables" #Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn’t use lo0 $IPT -A INPUT -i lo -j ACCEPT $IPT -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT #Accepts all established inbound connections $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Allows all outbound traffic $IPT -A OUTPUT -j ACCEPT #Allows HTTP and HTTPS connections from anywhere $IPT -A INPUT -p tcp --dport 80 -j ACCEPT $IPT -A INPUT -p tcp --dport 443 -j ACCEPT #Allows SSH connections $IPT -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT #Allow ping $IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT #Log iptables denied calls $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 #Reject all other inbound - default deny unless explicitly allowed policy $IPT -A INPUT -j DROP $IPT -A FORWARD -j DROP
http://adinugro.blogspot.com/2009/05/secure-vps-day-2-iptables.html
cd ~ sudo iptables-save >~/iptables.policy sudo iptables-restore <~/iptables.policy
*filter # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic -A OUTPUT -j ACCEPT # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allows SSH connections # # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE # -A INPUT -p tcp --dport 22 -j ACCEPT # Reject ping -A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT # log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT