Security: Script for iptables and how to start up.

#!/bin/bash
IPTABLES=/sbin/iptables
SAVE=/sbin/iptables-save
#RESTORE=/sbin/iptables-restore

#INITIALIZE IPTABLES: flush every rule and remove user-defined chains in the
#filter table. The built-in chains keep their ACCEPT policy, so the host is
#open between this point and the final DROP rules below.
$IPTABLES --flush
$IPTABLES --delete-chain

#INBOUND RULES, ALLOW ONLY TRAFFIC IN THE STATE TABLE
#(replies to connections this host opened; nothing NEW from outside)
$IPTABLES -A INPUT -m state -p tcp --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -m state -p udp --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -m state -p icmp --state ESTABLISHED,RELATED -j ACCEPT
#SSH over loopback, left disabled; uncomment if you need it.
#$IPTABLES -A INPUT -m tcp -p tcp --dport 22 -i lo -j ACCEPT
#The only NEW inbound connection allowed: nessusd on 127.0.0.1:8834.
$IPTABLES -A INPUT -m tcp -p tcp --dport 8834 -i lo -j ACCEPT

#OUTBOUND STATEFUL RULES: this host may open connections anywhere.
$IPTABLES -A OUTPUT -m state -p tcp --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state -p udp --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state -p icmp --state NEW,ESTABLISHED,RELATED -j ACCEPT

#DEFAULT DROP AT THE END OF THE RULES.
#Anything not matched above is dropped. This is an appended rule, not a
#"-P <chain> DROP" policy, so any rule added later with -A lands after it and
#never matches.
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j DROP

#Save the ruleset so rc.local can restore it with iptables-restore at boot.
$SAVE > /root/firewall.cfg

#GRACEFUL EXIT
exit 0

The above is the script I wrote myself; it is not very flexible, as I am still learning bash scripting myself… I want to be spoon-fed :p (joking… *wink*)

This script is a quick and simple way to get started with iptables, which provides stateful firewalling. Running the script produces firewall.cfg; that file is loaded from /etc/rc.local so the rules are restored every time you start your Linux box. If you do not do this at startup, you have to reload firewall.cfg by hand every time you boot. The rule for destination TCP port 8834 is there so I can reconnect to my nessusd on 127.0.0.1. I did not write a rule to allow ICMP from the loopback interface, so you cannot ping 127.0.0.1; change this to suit the way it works for you.

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# Restore the ruleset saved by the firewall script. Because of "sh -e" above,
# a failed restore aborts rc.local with a non-zero status.
/sbin/iptables-restore < /root/firewall.cfg

exit 0

The above is the rc.local script; by default it contains nothing except exit 0.
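Because the firewall is only as good as the firewall.cfg that rc.local restores, here is an added example (not part of the original post) that checks a saved iptables-save dump for the mistakes this setup is most exposed to: a chain whose policy is still ACCEPT but whose appended -j DROP has gone missing, no ESTABLISHED rule on INPUT, and nothing accepted on loopback. The sample ruleset is constructed to match what the post's script saves.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an iptables-save
# dump such as /root/firewall.cfg before rc.local restores it at boot.
# Findings go to stderr; the count of problems is printed on stdout.
check_ruleset() {
    f=$1
    problems=0
    for chain in INPUT FORWARD OUTPUT; do
        # The script never sets "-P $chain DROP"; it relies on an appended
        # "-j DROP". If that last rule is lost (edited out, partial restore)
        # while the policy is still ACCEPT, the whole chain is open.
        if grep -q "^:$chain ACCEPT" "$f" && ! grep -q "^-A $chain -j DROP\$" "$f"; then
            echo "$chain: policy is ACCEPT and no final -j DROP rule" >&2
            problems=$((problems + 1))
        fi
    done
    # Replies to our own outbound connections must be accepted on INPUT.
    grep -q -- "^-A INPUT .*--state [A-Z,]*ESTABLISHED" "$f" \
        || { echo "INPUT: no ESTABLISHED rule, return traffic is dropped" >&2
             problems=$((problems + 1)); }
    # The post only opens tcp/8834 on lo; fail if nothing on loopback is accepted.
    grep -q -- "^-A INPUT -i lo .*-j ACCEPT\$" "$f" \
        || { echo "INPUT: nothing accepted on the loopback interface" >&2
             problems=$((problems + 1)); }
    echo "$problems"
}

# Constructed sample of what iptables-save writes after the post's script runs
# (iptables-save groups rules per chain and reorders options: -i, -p, -m).
write_sample_cfg() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 8834 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}
if [ $# -gt 0 ]; then check_ruleset "$1"; fi   # usage: sh check.sh /root/firewall.cfg
```

A non-zero count means fix the file before letting rc.local load it; the same check can be run from rc.local itself just before iptables-restore.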