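#!/usr/bin/env bash
#
# Minimal stateful host firewall.
#
# Inbound: accept only packets that belong to a connection this host already
# opened (ESTABLISHED / RELATED), plus TCP 8834 on the loopback interface.
# Outbound: allow new and established tcp/udp/icmp. Everything else is
# dropped, in INPUT, FORWARD and OUTPUT. The resulting ruleset is written to
# /root/firewall.cfg for /etc/rc.local to load with iptables-restore.
#
# Must be run as root. The script aborts on the first failing iptables
# command so that a half-built ruleset is never saved over a known-good one.
set -euo pipefail

readonly IPTABLES=/sbin/iptables
readonly SAVE=/sbin/iptables-save
#readonly RESTORE=/sbin/iptables-restore
readonly CONFIG=/root/firewall.cfg

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must be run as root"
[[ -x "$IPTABLES" && -x "$SAVE" ]] || die "iptables binaries not found at $IPTABLES / $SAVE"

#INITIALIZE IPTABLES
# Chain policies are set to DROP *before* the flush: --flush empties the
# chains but leaves the policy untouched, so without this the host runs
# with the default ACCEPT policy and no rules until the rules below are in.
# The explicit "-j DROP" rules at the end of each chain are kept as well.
"$IPTABLES" --policy INPUT DROP
"$IPTABLES" --policy FORWARD DROP
"$IPTABLES" --policy OUTPUT DROP
"$IPTABLES" --flush
"$IPTABLES" --delete-chain

#INBOUND RULES, ALLOW ONLY TRAFFIC IN THE STATE TABLE
# "-m state" is kept as the author wrote it; "-m conntrack --ctstate" is the
# current spelling of the same match on modern iptables.
"$IPTABLES" -A INPUT -m state -p tcp --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT -m state -p udp --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT -m state -p icmp --state ESTABLISHED,RELATED -j ACCEPT
# No general "-i lo" accept here by design (see the post): only the nessusd
# port below is reachable on loopback, so 127.0.0.1 does not answer pings.
#"$IPTABLES" -A INPUT -m tcp -p tcp --dport 22 -i lo -j ACCEPT
"$IPTABLES" -A INPUT -m tcp -p tcp --dport 8834 -i lo -j ACCEPT

#OUTBOUND STATEFUL RULES.
"$IPTABLES" -A OUTPUT -m state -p tcp --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -m state -p udp --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -m state -p icmp --state NEW,ESTABLISHED,RELATED -j ACCEPT

#DEFAULT DROP AT THE END OF THE RULES.
"$IPTABLES" -A INPUT -j DROP
"$IPTABLES" -A FORWARD -j DROP
"$IPTABLES" -A OUTPUT -j DROP

# Save atomically. "$SAVE > $CONFIG" would truncate the file before
# iptables-save runs, so a failed save leaves an empty config and rc.local
# would boot the machine with no firewall. Write to a temp file next to the
# target, restrict it to root, then rename over the old config.
tmp=$(mktemp "${CONFIG}.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT
"$SAVE" > "$tmp"
chmod 0600 -- "$tmp"
mv -f -- "$tmp" "$CONFIG"
trap - EXIT

#GRACEFUL EXIT
exit 0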
The above is the script written by myself, it is not very flexible as I am still learning bash scripting myself…I want to be spoon fed :p (joking…*wink*)
This script creates a quick and simple way to get started with iptables. iptables provides stateful firewalling. The script will produce firewall.cfg, and this firewall.cfg will be loaded from /etc/rc.local so that it is restored every time you start your Linux system; if you do not do this during startup, you will have to reload firewall.cfg manually every time you start your Linux system. The destination tcp port 8834 is for reconnecting back to my nessusd using 127.0.0.1. Basically I did not write a rule to allow icmp from the loopback interface, so you cannot ping 127.0.0.1; you can change this to whatever works for you.
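#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Options given on the shebang line are lost when the file is run as
# "sh /etc/rc.local", so abort-on-error is set explicitly: a failed
# iptables-restore must not fall through to "exit 0" and report success.
set -e

FIREWALL_CFG=/root/firewall.cfg

# Fail loudly if the ruleset is missing or unreadable; iptables-restore on a
# missing or empty input would silently leave the host without a firewall.
if [ ! -r "$FIREWALL_CFG" ]; then
  printf 'rc.local: %s missing or unreadable; firewall NOT loaded\n' "$FIREWALL_CFG" >&2
  exit 1
fi

/sbin/iptables-restore < "$FIREWALL_CFG"
exit 0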
The above is the rc.local script; by default it contains nothing except "exit 0".