linux:firewall

Firewall script

Firewall script for a single, non-routing server: forwarded traffic is dropped, outbound traffic is allowed, and inbound traffic is limited to a small set of services (some of them restricted by source address).

firewall.sh
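#!/bin/bash
# firewall.sh - IPv4 packet filter for a single, non-routing server.
#
# Policy: drop everything inbound and forwarded, allow everything outbound,
# then open a small set of services. Rules are appended in order, so the
# loopback and ESTABLISHED rules must stay ahead of the per-service rules.
#
# Caveats to know before running this:
#   * iptables only filters IPv4. Nothing here touches ip6tables, so if the
#     host has a routable IPv6 address its services remain reachable over
#     IPv6 regardless of these rules.
#   * The ruleset lives in the kernel only; it is gone after a reboot unless
#     saved (iptables-save) and restored at boot.
#   * -F followed by -P INPUT DROP cuts all inbound traffic until the accept
#     rules below have been added, so run this from a console or with the
#     ssh rule left in place.
#
# Requires root (iptables cannot open the filter table otherwise). This script
# deliberately does NOT use `set -e`: aborting half-way between the DROP policy
# and the ssh accept rule would lock a remote operator out, whereas a single
# failed rule is visible afterwards in `iptables -L -v -n`.

if [[ "$EUID" -ne 0 ]]; then
  printf 'firewall.sh: must be run as root\n' >&2
  exit 1
fi

# Source addresses allowed to reach the restricted services (FTP, DNS).
readonly HOME_IP=62.66.248.214    # my home ip
readonly OTHER_IP=90.185.113.207  # other ip allowed to use FTP

# Start from an empty filter table: flush rules, zero counters, delete user chains.
iptables -F
iptables -Z
iptables -X

# Default policies: this host forwards nothing and accepts nothing inbound
# unless a rule below says so; outbound is unrestricted.
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections this host opened, plus conntrack RELATED traffic
# (ICMP errors, helper-tracked data channels).
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Packets conntrack cannot associate with any connection (bad TCP flag
# combinations, out-of-window segments). Dropped here because the per-port
# rules below match on port alone and would otherwise accept them.
iptables -A INPUT -m state --state INVALID -j DROP

# Standard ports, open to any source. Note that -p icmp without --icmp-type
# admits every ICMP type, not only echo-request.
iptables -A INPUT -p icmp -j ACCEPT             # ping (all ICMP types)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # ssh
iptables -A INPUT -p tcp --dport 25 -j ACCEPT   # smtp
iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # http
iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # https
iptables -A INPUT -p tcp --dport 8180 -j ACCEPT # my tomcat server

# FTP, restricted by source address. Ports 20/21 cover the control channel
# and active-mode data. Passive-mode data connections arrive on ephemeral
# ports and are only accepted via RELATED when the ftp conntrack helper
# (nf_conntrack_ftp) is loaded - NOTE(review): confirm on the target host.
for ftp_src in "$HOME_IP" "$OTHER_IP"; do
  iptables -A INPUT -p tcp -s "$ftp_src" --dport 20 -j ACCEPT
  iptables -A INPUT -p tcp -s "$ftp_src" --dport 21 -j ACCEPT
done

# DNS, restricted to the home address (UDP for ordinary queries, TCP for
# large answers and zone transfers). HOME_IP is a public address, not a
# private one, so this still rides over the open Internet.
iptables -A INPUT -p tcp -s "$HOME_IP" --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s "$HOME_IP" --dport 53 -j ACCEPT

# ---------------------------------------------------------------------------
# Optional services, kept disabled. Uncomment only what the host really runs;
# every line below opens the port to ANY source.
# ---------------------------------------------------------------------------

# database
#iptables -A INPUT -p tcp  --dport 3306 -j ACCEPT # mysql

# Kerberos
#iptables -A INPUT -p udp  --dport 88 -j ACCEPT  # KDC: ticket requests
#iptables -A INPUT -p tcp  --dport 88 -j ACCEPT

#iptables -A INPUT -p tcp  --dport 749 -j ACCEPT # kadmin / password change (Unix)
#iptables -A INPUT -p udp  --dport 749 -j ACCEPT

#iptables -A INPUT -p tcp  --dport 464 -j ACCEPT # kpasswd: password change (Windows)
#iptables -A INPUT -p udp  --dport 464 -j ACCEPT

#iptables -A INPUT -p udp  --dport 4444 -j ACCEPT # AFS tokens / Kerberos
#iptables -A INPUT -p udp  --dport 9878 -j ACCEPT # AFS tokens / Kerberos

# AFS
#iptables -A INPUT -p udp  --dport 7000 -j ACCEPT
#iptables -A INPUT -p tcp  --dport 7000 -j ACCEPT

#iptables -A INPUT -p udp  --dport 7001 -j ACCEPT
#iptables -A INPUT -p tcp  --dport 7001 -j ACCEPT

#iptables -A INPUT -p udp  --dport 7002 -j ACCEPT
#iptables -A INPUT -p tcp  --dport 7002 -j ACCEPT

#iptables -A INPUT -p udp  --dport 7003 -j ACCEPT
#iptables -A INPUT -p tcp  --dport 7003 -j ACCEPT

#iptables -A INPUT -p udp  --dport 7004 -j ACCEPT
#iptables -A INPUT -p tcp  --dport 7004 -j ACCEPT

#iptables -A INPUT -p udp  --dport 7005 -j ACCEPT
#iptables -A INPUT -p tcp  --dport 7005 -j ACCEPT

#iptables -A INPUT -p udp  --dport 5007 -j ACCEPT
#iptables -A INPUT -p tcp  --dport 5007 -j ACCEPT

# Explicit catch-all. Redundant with the INPUT DROP policy, but it leaves a
# visible rule with its own counters in `iptables -L -v -n`.
iptables -A INPUT -p all -j DROP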