IPTables Script for Ubuntu

kanakamedalachaitanya

#!/bin/sh

Ensure sane path
PATH=/sbin:/usr/sbin:/bin:/usr/bin

When running from the command line, provide a -v option to print the
verbose=
if [ “$1” = “-v” ]; then
shift
verbose=on
fi
ip4tbl – apply ruleset for just iptables
ip6tbl – apply ruleset for just ip6tables
iptbl  – apply ruleset for both iptables and ip6tables
ip4tbl()
{
iptables “$@”
}
ip6tbl()
{
ip6tables “$@”
}
iptbl()
{
ip4tbl “$@”
ip6tbl “$@”
}

Flush all rulesets
iptbl -F
iptbl -X

Block by default except outgoing traffic
iptbl -P INPUT DROP
iptbl -P FORWARD DROP
iptbl -P OUTPUT ACCEPT

Allow everything on loopback
iptbl -A INPUT -i lo -j ACCEPT

Permit established connections
iptbl -A INPUT -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT

Permit Allowed Services On all Interfaces, DNS is Restricted to My Public
iptbl  -A INPUT -p tcp -m tcp –dport 22   -j ACCEPT
iptbl  -A INPUT -p tcp -m tcp –dport 25   -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp –dport 53   -s 85.158.46.77    -j ACCEPT
ip4tbl -A INPUT -p udp -m udp –dport 53   -s 85.158.46.77    -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp –dport 53   -s 193.108.199.128 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp –dport 53   -s 193.108.199.128 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp –dport 53   -s 193.108.199.130 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp –dport 53   -s 193.108.199.130 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp –dport 53   -s 213.5.89.46     -j ACCEPT
ip4tbl -A INPUT -p udp -m udp –dport 53   -s 213.5.89.46     -j ACCEPT
iptbl  -A INPUT -p tcp -m tcp –dport 80   -j ACCEPT
iptbl  -A INPUT -p tcp -m tcp –dport 113  -j ACCEPT
iptbl  -A INPUT -p tcp -m tcp –dport 443  -j ACCEPT
iptbl  -A INPUT -p tcp -m tcp –dport 465  -j ACCEPT
iptbl  -A INPUT -p tcp -m tcp –dport 993  -j ACCEPT

Permit ICMP and traceroute
ip4tbl -A INPUT -p icmp -j ACCEPT
ip6tbl -A INPUT -p ipv6-icmp -j ACCEPT
iptbl  -A INPUT -p udp -m udp –dport 33434:33523 -j ACCEPT

Log denied connections
LOGCOMMON=”-m limit –limit 5/min -j LOG –log-prefix ‘iptables: ‘ –log-level 7″
iptbl  -A INPUT -p tcp       ${LOGCOMMON}
iptbl  -A INPUT -p udp       ${LOGCOMMON}
ip4tbl -A INPUT -p icmp      ${LOGCOMMON}
ip6tbl -A INPUT -p ipv6-icmp ${LOGCOMMON}

Finally, reject to keep open connections down
iptbl -A INPUT -j REJECT

Display INPUT chain if verbose
if [ -n “${verbose}” ]; then
iptables  -L INPUT -vn –line-numbers
ip6tables -L INPUT -vn –line-numbers
fi

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s