Linux Firewall for Basic Deployment

iptables Firewall

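# Write the firewall script. The quoted here-doc delimiter keeps the outer
# shell from expanding $IPT and friends; everything up to EOF is stored
# literally. Must be run as root (writes /root, /etc/crontab).
cat >/root/firewall.sh <<'EOF'
#!/bin/sh
# iptables script generated 2014-02-05
# http://www.mista.nu/iptables
#
# Stateful host firewall for a basic deployment: INPUT defaults to DROP,
# FORWARD and OUTPUT to ACCEPT. Rules are appended (-A) in the order they
# appear here, so the order in this file is the order the kernel evaluates
# them (the original used -I throughout, which reversed the order and left
# the "must start with SYN" check below every ACCEPT rule).
#
# Applying the rules is not atomic: if iptables fails part-way the host is
# left with policy DROP and a partial rule set. Keep console or other
# out-of-band access when changing this script; iptables-restore is the
# atomic alternative if that matters.

IPT="/sbin/iptables"
ANY="0.0.0.0/0"

# Source allowed to reach management and database services (DirectAdmin,
# LDAP, MySQL, PostgreSQL, Observium, SNMP). The default keeps the original
# behaviour, which exposes those services to every address on the Internet;
# narrow it to the networks that actually need them, e.g. a management LAN
# or VPN range (constructed example: ADMIN_NET="192.0.2.0/24").
ADMIN_NET="$ANY"

# FTP connection-tracking helper, so passive-mode data connections are
# classified RELATED and matched by the stateful rule below. The module was
# renamed from ip_conntrack_ftp to nf_conntrack_ftp in later kernels.
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp

# allow PROTO SOURCE PORT...
# Accept inbound PROTO (tcp/udp) connections to each PORT from SOURCE.
allow() {
  proto=$1
  src=$2
  shift 2
  for port in "$@"; do
    $IPT -A INPUT -p "$proto" --dport "$port" -s "$src" -j ACCEPT
  done
}

# Flush old rules and custom chains in every table this script touches
$IPT --flush
$IPT --delete-chain
$IPT -t raw --flush

# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Packets belonging to connections we already track, including FTP data
# connections flagged RELATED by the helper. This replaces the original
# blanket "sport 1024:65535 dport 1024:65535 NEW -> ACCEPT" rule, which
# accepted new connections to every unprivileged port from any source and
# so defeated the DROP policy for anything listening above 1023.
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# All TCP sessions should begin with SYN; evaluated before the service
# rules so a non-SYN "new" packet cannot be accepted by a port rule first.
$IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Attach the FTP helper to control connections explicitly. Newer kernels
# disable automatic helper assignment (nf_conntrack_helper=0), and without
# this rule passive FTP data connections are never marked RELATED.
# NOTE(review): confirm the CT target is available on the target kernel.
$IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

# Public TCP services (anyone may connect):
#   21 FTP control   22 SSH    25 SMTP    53 DNS (only if this host serves DNS)
#   80 HTTP          110 POP3  143 IMAP   443 HTTPS
#   465 SMTPS        587 SMTP submission  993 IMAPS  995 POP3S
allow tcp "$ANY" 21 22 25 53 80 110 143 443 465 587 993 995

# Public UDP services: 53 DNS, 123 NTP
allow udp "$ANY" 53 123

# Management and database services, limited to ADMIN_NET:
#   2222 DirectAdmin  389 LDAP  3306 MySQL  5432 PostgreSQL  36602 Observium
allow tcp "$ADMIN_NET" 2222 389 3306 5432 36602

# SNMP, limited to ADMIN_NET
allow udp "$ADMIN_NET" 161

# Accept inbound ICMP echo request (8) and time exceeded (11)
$IPT -A INPUT -p icmp --icmp-type 8 -s "$ANY" -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -s "$ANY" -j ACCEPT
EOF
chmod +x /root/firewall.sh

# Apply at boot and re-apply every 7 minutes. Each re-apply flushes and
# rebuilds the rule set, so there is a short window on every run where the
# policy is DROP and no ACCEPT rules exist. The grep guard keeps repeated
# runs of this snippet from appending duplicate crontab entries.
for entry in \
  "@reboot      root     /root/firewall.sh > /dev/null 2>&1" \
  "*/7 * * * *  root     /root/firewall.sh > /dev/null 2>&1"; do
  grep -qF -- "$entry" /etc/crontab || printf '%s\n' "$entry" >> /etc/crontab
done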