Iptables, the great danger

Hi,

This afternoon I worked on munin (which I won't document, since so many good websites exist; GIYF). Iptables, however, is a higher level of difficulty. Why? Because you can lock yourself out of your server: no new connection will be accepted, and the only way back in is to reboot into rescue mode. Not fun, and it can take a long time.

So I found a very good script on this website (in French): http://doc.ubuntu-fr.org/iptables

I thought it could be very useful for non-French-speaking people. And of course, I added some custom code to fit my needs.

#!/bin/bash

# Script iptables by BeAvEr customized by Titouan13

# Port sshd listens on: change this if you moved SSH off port 22
SSH_PORT=22
# Public network interface the ACCEPT rules apply to
IFACE=eth0

## Flush all rules
/sbin/iptables -F

## Delete all user-defined chains
/sbin/iptables -X

## Default rule: drop input
/sbin/iptables -P INPUT DROP

## Default rule: drop output
/sbin/iptables -P OUTPUT DROP

## Default rule: drop forward
/sbin/iptables -P FORWARD DROP

## Drop invalid TCP flag combinations (XMAS, NULL and SYN/RST scans)
/sbin/iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

## Drop broadcast packets
/sbin/iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

## Accept incoming packets that belong to an established or related connection
## (this is what keeps your current SSH session alive once INPUT drops by default)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Accept all outgoing traffic except packets in the INVALID state
/sbin/iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

## Accept local (loopback) traffic, inserted at the top of the chain
/sbin/iptables -I INPUT -i lo -j ACCEPT

# Custom rules. They must come before the LOG rules below: LOG does not stop
# rule processing, so appending ACCEPTs after it would log every accepted packet too.
# SSH
/sbin/iptables -A INPUT -p tcp -i "$IFACE" --dport "$SSH_PORT" -j ACCEPT
# Web traffic
/sbin/iptables -A INPUT -p tcp -i "$IFACE" --dport 80 -j ACCEPT
# Secured web traffic
/sbin/iptables -A INPUT -p tcp -i "$IFACE" --dport 443 -j ACCEPT
# SMTP traffic
/sbin/iptables -A INPUT -p tcp -i "$IFACE" --dport 25 -j ACCEPT
# PING traffic
/sbin/iptables -A OUTPUT -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT

## Log the remaining input packets (they then fall through to the DROP policy)
/sbin/iptables -A INPUT -j LOG

## Log forward packets
/sbin/iptables -A FORWARD -j LOG

# Save rules: iptables-save > /etc/iptables/rules.v4
# Apply on boot: the iptables-persistent package reloads that file

exit 0
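The lockout described at the top of this post is avoidable with a dead-man's switch: back up the live rules, arm a timer that restores them, apply the new script, and disarm the timer only once a fresh SSH login works. The wrapper below is an added example, not code from this post or from doc.ubuntu-fr.org. It assumes the post's script is saved at /root/firewall.sh and keeps its timer pid at /run/firewall-fallback.pid (both hypothetical paths), and that iptables-save and iptables-restore are installed. The write_sample_dump and selfcheck functions use constructed iptables-save dumps, not output captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the original post). Usage as root:
#   ./safe-apply.sh apply 22     # 22 = the SSH port the new rules must keep open
#   ./safe-apply.sh confirm      # from a NEW ssh session, within the grace period
# Paths below are hypothetical placeholders for this example.
FALLBACK_PID=/run/firewall-fallback.pid
FIREWALL_SCRIPT=/root/firewall.sh

# Inspect an iptables-save dump for the two mistakes that cut SSH off: INPUT
# policy DROP without an ESTABLISHED accept, or no ACCEPT for the SSH port.
# $1 = dump file, $2 = SSH port. Returns 0 if the dump looks safe, 1 if not.
ruleset_lockout_check() {
    dump="$1"; ssh_port="$2"
    grep -q '^:INPUT DROP' "$dump" || return 0   # permissive policy cannot lock you out
    if ! grep -Eq '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED[A-Z,]* .*-j ACCEPT' "$dump"; then
        echo "lockout risk: INPUT drops by default and nothing accepts ESTABLISHED" >&2
        return 1
    fi
    if ! grep -Eq "^-A INPUT .*--dport ${ssh_port} .*-j ACCEPT" "$dump"; then
        echo "lockout risk: no ACCEPT rule for ssh port ${ssh_port}" >&2
        return 1
    fi
    return 0
}

# The post's original ordering appends the ACCEPT rules after "-A INPUT -j LOG",
# so every accepted packet is logged too. Returns 0 when the SSH accept precedes
# the LOG rule (or there is no LOG rule), 1 when LOG comes first.
ruleset_log_order_check() {
    dump="$1"; ssh_port="$2"
    log_line=$(grep -n '^-A INPUT -j LOG' "$dump" | head -n 1 | cut -d: -f1)
    [ -n "$log_line" ] || return 0
    acc_line=$(grep -En "^-A INPUT .*--dport ${ssh_port} .*-j ACCEPT" "$dump" | head -n 1 | cut -d: -f1)
    [ -n "$acc_line" ] || return 0
    [ "$acc_line" -lt "$log_line" ]
}

# Save the live rules, arm a timer that restores them after $3 seconds (default 90),
# run the firewall script, then verify what is now loaded. $1 = script, $2 = SSH port.
apply_with_fallback() {
    script="$1"; ssh_port="$2"; grace="${3:-90}"
    backup=$(mktemp) || return 1
    live=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$grace" && iptables-restore < "$backup" ) &   # the dead-man's switch
    echo "$!" > "$FALLBACK_PID"
    bash "$script"
    iptables-save > "$live"
    if ! ruleset_lockout_check "$live" "$ssh_port"; then
        iptables-restore < "$backup"
        confirm_firewall
        echo "new rules rejected, previous rules restored" >&2
        return 1
    fi
    ruleset_log_order_check "$live" "$ssh_port" \
        || echo "note: the SSH ACCEPT sits after the LOG rule, so accepted packets are logged" >&2
    echo "new rules active: open a second SSH session, then run '$0 confirm' within ${grace}s"
}

# Disarm the timer once you have verified that a new login still works.
confirm_firewall() {
    pid=$(cat "$FALLBACK_PID" 2>/dev/null) || return 1
    kill "$pid" 2>/dev/null
    rm -f "$FALLBACK_PID"
}

# Constructed iptables-save dumps (not captured from a real host). $1 = variant:
# "post" mirrors the post's original rule order, "noestablished" omits the state
# rule. $2 = output file.
write_sample_dump() {
    {
        printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
        printf '%s\n' '-A INPUT -i lo -j ACCEPT'
        [ "$1" = noestablished ] || printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
        printf '%s\n' '-A INPUT -j LOG'
        printf '%s\n' '-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'
        printf '%s\n' 'COMMIT'
    } > "$2"
}

# Exercise both checks on the constructed dumps; returns 0 when they behave as expected.
selfcheck() {
    d=$(mktemp) || return 1
    write_sample_dump post "$d"
    ruleset_lockout_check "$d" 22 || return 1                       # SSH stays reachable
    if ruleset_log_order_check "$d" 22; then return 1; fi           # but LOG comes first
    write_sample_dump noestablished "$d"
    if ruleset_lockout_check "$d" 22 2>/dev/null; then return 1; fi # must be flagged
    rm -f "$d"
}

case "${1-}" in
    apply)   apply_with_fallback "$FIREWALL_SCRIPT" "${2:-22}" ;;
    confirm) confirm_firewall && echo "fallback disarmed, new rules kept" ;;
esac
```

The important property is that the restore timer is armed before the firewall script runs, so a ruleset that kills your session is undone without any further action on your part; the post-apply check only catches the obvious mistakes early, and a new login within the grace period remains the real proof.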
