Примеры скриптов iptables

Flush iptables policy

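#!/bin/bash
# Reset the filter table to a permissive state: ACCEPT policies, no rules and
# no user-defined chains.  Only the filter table is touched (nat/mangle keep
# whatever they hold), which is the scope of the original snippet.
set -eu

IPT="/sbin/iptables"

# Policies are set to ACCEPT *before* the flush.  If the running policy is
# DROP, flushing first leaves the host with "drop everything and no rules"
# between the two commands, which is enough to kill the SSH session that is
# running this script.
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Remove every rule from the built-in chains, then delete the (now empty)
# user-defined chains.
$IPT -F
$IPT -X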

Simple personal firewall

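#!/bin/bash
# Minimal host firewall: everything outbound is allowed; inbound is limited to
# loopback, replies to connections this host opened, ICMP, and the services
# listed in the POLICY chain.
set -eu

IPT="/sbin/iptables"

# Start from a clean, permissive table.  Policies are set to ACCEPT before the
# flush so a DROP policy left over from a previous run cannot drop the session
# that is loading this script while the table is empty.
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -F
$IPT -X

# The service whitelist lives in its own chain so it can be edited without
# touching the generic INPUT rules.
$IPT -N POLICY

# Loopback traffic is accepted only on the lo interface.  The original also
# accepted any packet whose source or destination was 127.0.0.1 regardless of
# interface, which lets a packet with a spoofed 127.0.0.1 source bypass the
# rest of INPUT; instead, 127/8 arriving on any other interface is dropped.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# Replies to connections initiated from this host, plus ICMP.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT

# Everything else on INPUT is decided by the POLICY chain.
$IPT -A INPUT -j POLICY

# Permitted inbound services: DNS (tcp/udp), SSH, HTTP, HTTPS.
$IPT -A POLICY -p tcp -m tcp --dport 53 -j ACCEPT
$IPT -A POLICY -p udp -m udp --dport 53 -j ACCEPT
$IPT -A POLICY -p tcp -m tcp --dport 22 -j ACCEPT
$IPT -A POLICY -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A POLICY -p tcp -m tcp --dport 443 -j ACCEPT

# Default deny for INPUT is applied last, once the ESTABLISHED rule is in
# place, so there is no window in which an existing SSH session is dropped.
# (The original set DROP first and added the accept rules afterwards.)
$IPT -P INPUT DROP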

Standalone VPS (1)

http://www.cyberciti.biz/tips/virtuozzo-iptables-firewall.html

http://bash.cyberciti.biz/security/linux-virtuozzo-vps-firewall-script-2

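#!/bin/bash
# Firewall for Red Hat Enterprise Linux Virtuozzo VPS
# A simple but effective *stateless* firewall for a Virtuozzo VPS: the VPS
# kernel has no connection tracking, so every service needs an explicit rule
# in each direction.
# ---------------------------------------------------------
# 1) DO NOT FORGET TO SET UP THE CORRECT IPS FIRST (myIPS, ip, NSIP below)
# 2) touch /root/allbadips.txt; echo "192.168.0.10" > /root/allbadips.txt
# 3) To load/start the firewall from this script:
#    chmod +x virtuozzo-iptables-firewall-script.bash
#    ./virtuozzo-iptables-firewall-script.bash
# -----------------------------------------------------
# Last updated : Aug - 08 - 2005
# -----------------------------------------------------
# Copyright (C) 2004,2005 nixCraft <http://cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# For more info, please visit:
# http://www.cyberciti.biz/nixcraft/vivek/blogger/2004/12/virtuozzo-iptables-firewall.html
#-----------------------------------------------------
# ip = can be setup once - Aug-2005.
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
set -u

# BAD IPS FILE: every address listed in this file (one per line, lines
# starting with '#' are comments) is dropped in both directions.  A missing
# file only means an empty blacklist; the rest of the firewall still loads.
BADIPS_FILE="/root/allbadips.txt"
BADIPS="$(grep -v -E '^#' -- "$BADIPS_FILE")"

# setup your IPS here (all addresses owned by this VPS, space separated)
myIPS="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"

# Setup VPS main IP here.  Every service rule below is bound to this address.
ip="xxx.xxx.xxx.xxx"

# NS1 NS2 of the ISP, used for outgoing DNS
NSIP="ns1_IP  ns2_IP"

#######################################
# Allow an inbound TCP service on $ip and the matching replies.
# Globals:   ip (read)
# Arguments: $1 - service port, $2 - client source-port range (e.g. 1024:65535)
#######################################
serve_tcp() {
  local port=$1 client_ports=$2
  iptables -A INPUT  -p tcp -s 0/0 --sport "$client_ports" -d "$ip" --dport "$port" -j ACCEPT
  iptables -A OUTPUT -p tcp -s "$ip" --sport "$port" -d 0/0 --dport "$client_ports" -j ACCEPT
}

#######################################
# Allow $ip to reach a remote TCP service on any host, plus the replies.
# Globals:   ip (read)
# Arguments: $1 - remote port, $2 - local source-port range (e.g. 1024:65535)
#######################################
client_tcp() {
  local port=$1 local_ports=$2
  iptables -A OUTPUT -p tcp -s "$ip" --sport "$local_ports" -d 0/0 --dport "$port" -j ACCEPT
  iptables -A INPUT  -p tcp -s 0/0 --sport "$port" -d "$ip" --dport "$local_ports" -j ACCEPT
}

# stop the Red Hat iptables service (drops whatever rule set it loaded)
service iptables stop

# Default policy: DROP everything, then open only what is listed below.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow loopback traffic on both lo and venet0
iptables -A INPUT  -i venet0 -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o venet0 -d 127.0.0.1 -j ACCEPT

iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# Block all blacklisted IPs.  The loop variable is deliberately NOT named "ip":
# the original reused $ip here, so after the loop every service rule further
# down was bound to the last blacklisted address instead of the VPS address.
# shellcheck disable=SC2086  # word-splitting the whitespace-separated list is intended
for badip in $BADIPS; do
  iptables -A INPUT  -s "$badip" -j DROP
  iptables -A OUTPUT -d "$badip" -j DROP
done

# Stop SYN flood: new TCP connections beyond 1/s (burst 3) are dropped
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP

# Spoofing: drop incoming packets that claim one of our own addresses as source
# shellcheck disable=SC2086  # word-splitting the whitespace-separated list is intended
for myip in $myIPS; do
  iptables -A INPUT -s "$myip" -j DROP
done

# Drop all incoming fragments
iptables -A INPUT -f -j DROP

# Drop malformed XMAS (all flags set) and NULL (no flags) packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Bad incoming source addresses: unroutable, loopback, private and multicast
for badnet in 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3; do
  iptables -A INPUT -s "$badnet" -j DROP
done

# Inbound services.  No stateful firewall, as the VPS doesn't support it,
# so replies are opened explicitly by serve_tcp.
serve_tcp 80  1024:65535   # HTTP
serve_tcp 443 1024:65535   # HTTPS
serve_tcp 25  1024:65535   # SMTP
serve_tcp 22  513:65535    # SSH, open for all (original range starts at 513)

# Outgoing DNS to the ISP resolvers: udp first, then tcp
# shellcheck disable=SC2086  # word-splitting the whitespace-separated list is intended
for mip in $NSIP; do
  iptables -A OUTPUT -p udp -s "$ip" --sport 1024:65535 -d "$mip" --dport 53 -j ACCEPT
  iptables -A INPUT  -p udp -s "$mip" --sport 53 -d "$ip" --dport 1024:65535 -j ACCEPT
  iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d "$mip" --dport 53 -j ACCEPT
  iptables -A INPUT  -p tcp -s "$mip" --sport 53 -d "$ip" --dport 1024:65535 -j ACCEPT
done

# ICMP in both directions
iptables -A OUTPUT -p icmp -s "$ip" -d 0/0 -j ACCEPT
iptables -A INPUT  -p icmp -s 0/0 -d "$ip" -j ACCEPT

# outgoing traceroute (UDP probes; the ICMP answers are covered just above)
iptables -A OUTPUT -p udp -s "$ip" --sport 1024:65535 -d 0/0 --dport 33434:33523 -j ACCEPT

# Outbound clients, in the original order: SMTP, FTP control, FTP data,
# SSH, HTTP and HTTPS (for up2date and other stuff).
client_tcp 25  1024:65535
client_tcp 21  1024:65535
# FTP data without connection tracking needs ephemeral<->ephemeral TCP in both
# directions.  This is very broad (any unprivileged port in, from any host);
# remove it if outgoing FTP is not required.
client_tcp 1024:65535 1024:65535
client_tcp 22  513:65535
client_tcp 80  1024:65535
client_tcp 443 1024:65535

# Explicit catch-all in addition to the DROP policy
iptables -A INPUT  -s 0/0 -j DROP
iptables -A OUTPUT -d 0/0 -j DROP
# EOF SFW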

Standalone VPS (2)

http://www.dailycupoftech.com/2009/02/19/basic-slicehost-slice-setup-part-2-configure-iptables/

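#!/bin/bash
# Stateful firewall for a single VPS: all outbound allowed; inbound limited to
# loopback, established connections, HTTP/HTTPS, SSH and ping.  Denied packets
# are logged (rate limited) and then dropped.
set -eu

IPT="/sbin/iptables"

# Start with empty chains so that re-running the script does not append a
# second copy of every rule.  Chain policies are not touched by this script;
# the final DROP rules act as the default deny.
$IPT -F
$IPT -X

# Allow all loopback traffic and reject anything addressed to 127/8 that does
# not arrive on lo.  "! -i lo" is the negation syntax current iptables
# accepts; the older "-i ! lo" form of the original is refused by newer
# releases.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept replies to connections this host initiated
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic
$IPT -A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow new SSH connections
$IPT -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping (ICMP echo request)
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log denied packets, at most 5 per minute, before they are dropped
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Default deny for anything not explicitly allowed above
$IPT -A INPUT -j DROP
$IPT -A FORWARD -j DROP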

Standalone VPS (3)

http://adinugro.blogspot.com/2009/05/secure-vps-day-2-iptables.html

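# Save the running rules, write the new policy file, then load it.
# As listed on the page the restore ran straight after the save, i.e. before
# the rule set below existed; here the rule set is written to the policy file
# with a here-document and the running table is kept as a backup first.
cd ~ || exit 1
# backup file name chosen for this example; the page only names ~/iptables.policy
sudo iptables-save > ~/iptables.policy.bak
cat > ~/iptables.policy <<'EOF'
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
# ("! -i lo" is the interface negation syntax iptables-restore accepts)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
#
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp --dport 22 -j ACCEPT

# Reject ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT

# log iptables denied calls (rate limited to 5 per minute)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
EOF
sudo iptables-restore < ~/iptables.policy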
 