
My IP Tables script example

Below is an example of the iptables script I use on many of my servers. The names and IP addresses have been changed to reserved addresses, and it obviously needs to be tweaked each time for the relevant rules.

#!/bin/bash

# This script is symlinked to /etc/network/if-pre-up.d/firewall-rules
# ln -s /home/michael/firewall-rules.sh /etc/network/if-pre-up.d/firewall-rules

################################################################################
# IPv4 Rules
################################################################################

# Networks
# Trusted administrative source networks; consumed by IPv4Rules / IPv6Rules
# as the `-s` match for SSH and Mosh. Everything else reaching those ports
# falls through to the INPUT DROP policy.
MichaelHome='198.51.100.122/32'           # single IPv4 host
MichaelHomeV6='2001:db8:62F8:cc01::0/64'  # IPv6 prefix
TienHome='203.0.113.94/32'                # single IPv4 host
WorkNetwork='192.0.2.0/24'                # IPv4 network

function GeneralRules {
        # Address-family-neutral baseline, applied once for iptables and once
        # for ip6tables (the caller switches $IPTABLES between the two):
        # wipe the existing ruleset, fail closed on INPUT and FORWARD, leave
        # OUTPUT unrestricted, then open the public services.
        local port proto

        # Flush the filter and NAT chains and remove user-defined chains.
        # The DROP policies are set only after the flush, so whatever policy
        # was previously in force governs the window while rules are rebuilt.
        # NOTE(review): the nat table may not exist for ip6tables on every
        # kernel; the exit status of that call is not checked here.
        $IPTABLES -F
        $IPTABLES -t nat -F
        $IPTABLES -X
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P INPUT DROP
        $IPTABLES -P OUTPUT ACCEPT

        # ICMP: ping, traceroute and friends.
        $IPTABLES -A INPUT -p icmp -j ACCEPT

        # Mail, reachable from anywhere: 25 SMTP, 465 SMTPS, 587 submission,
        # 143 IMAP, 993 IMAPS, 4190 ManageSieve (dovecot-sieve filter settings).
        for port in 25 465 587 143 993 4190; do
                $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
        done

        # Web: HTTP and HTTPS.
        for port in 80 443; do
                $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
        done

        # i2p uses the same port over both transports.
        for proto in tcp udp; do
                $IPTABLES -A INPUT -p "$proto" --dport 21546 -j ACCEPT
        done

        # zeronet
        $IPTABLES -A INPUT -p tcp --dport 15441 -j ACCEPT

        # Replies to connections this host initiated. This rule sits after the
        # per-port rules, so every new inbound packet is matched against those
        # first before reaching the stateful match.
        $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Loopback is trusted in both directions.
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A OUTPUT -o lo -j ACCEPT
}
function IPv4Rules {
        # Remote administration over IPv4: SSH (tcp/22) and Mosh
        # (udp/60000-60010), accepted only from the trusted source networks
        # defined at the top of the script. Any other source on these ports
        # falls through to the INPUT DROP policy set by GeneralRules.
        local trusted_sources="$MichaelHome,$TienHome,$WorkNetwork"
        local -a rules=("tcp 22" "udp 60000:60010")
        local rule proto ports

        # One ACCEPT rule per "<protocol> <destination port(s)>" pair, in order.
        for rule in "${rules[@]}"; do
                read -r proto ports <<<"$rule"
                $IPTABLES -A INPUT -p "$proto" -s "$trusted_sources" --dport "$ports" -j ACCEPT
        done
}

function IPv6Rules {
        # Remote administration over IPv6: SSH (tcp/22) and Mosh
        # (udp/60000-60010), accepted only from the trusted IPv6 prefix
        # defined at the top of the script. Any other source on these ports
        # falls through to the INPUT DROP policy set by GeneralRules.
        local trusted_source="$MichaelHomeV6"
        local -a rules=("tcp 22" "udp 60000:60010")
        local rule

        # One ACCEPT rule per "<protocol> <destination port(s)>" pair, in order.
        for rule in "${rules[@]}"; do
                $IPTABLES -A INPUT -p "${rule%% *}" -s "$trusted_source" --dport "${rule#* }" -j ACCEPT
        done
}

#Run general rules for both IPv4 and IPv6
# Order matters here: GeneralRules and the *Rules functions read the global
# $IPTABLES, so the same baseline is applied first through iptables (IPv4) and
# then through ip6tables (IPv6), with the family-specific SSH/Mosh source rules
# appended after each pass.
IPTABLES=/sbin/iptables
GeneralRules
IPv4Rules

IPTABLES=/sbin/ip6tables
GeneralRules
IPv6Rules

#DHCP
# $IPTABLES is still ip6tables at this point, so both rules below apply to
# IPv6 only: udp/546 is the DHCPv6 client port, and ICMPv6 needs its own
# ACCEPT because the `-p icmp` match in GeneralRules is a different protocol.
# Without it, neighbour discovery would be caught by the INPUT DROP policy.
$IPTABLES -A INPUT -p udp --dport 546 -j ACCEPT
$IPTABLES -A INPUT -p icmpv6 -j ACCEPT
