18 November, 2013

Secure Server With IPT

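#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the host iptables firewall rules
### END INIT INFO
#
###
### IPTables config file
###
### Builds the filter table for a single web server:
###   INPUT   - http/https from anywhere, ssh only from OTHER_GATEWAYS,
###             selected ICMP only from CONTROL_GATEWAYS, NTP from NTP_SERVERS,
###             replies to our own connections; everything else is logged
###             (rate-limited) and dropped.
###   OUTPUT  - DNS to DNS_SERVERS, http to DEBIAN_SITES, NTP to NTP_SERVERS,
###             packets belonging to accepted connections; everything else is
###             logged (rate-limited) and dropped.
###   FORWARD - dropped; this host is not a router.
###
### Usage:  firewall.sh [start|stop|...]   init.d arguments are ignored, the
###                                         rule set is simply (re)applied
###         IPT=echo firewall.sh            print the rules instead of loading
### Must run as root (unless IPT is overridden); requires bash (arrays).
###
### define variables
###

set -eo pipefail   # no -u: iterating an empty list array trips it on bash < 4.4

### path to iptables (override from the environment, e.g. IPT=echo for a dry run)
IPT=${IPT:-/sbin/iptables}
readonly IPT

### This contains a list of approved Debian sites to get software updates.
readonly DEBIAN_SITES=('194.109.137.218' '212.219.56.139' '212.219.56.133' '212.219.56.134' '212.219.56.135' '212.219.56.138')

### This contains the authorised DNS servers configured in /etc/resolv.conf.
### Keep the two in sync: a resolver missing here is silently dropped in OUTPUT.
readonly DNS_SERVERS=('8.8.8.8' '4.4.4.4')

### This is a list of external IPs that you want to allow ssh access from.
### An empty list means no remote ssh at all (only console access).
readonly OTHER_GATEWAYS=()

### This is a list of hosts authorised to try ICMP probes to check if the
### server is running. This could be your ISP's IPs
readonly CONTROL_GATEWAYS=()

### Types of ICMP probes to allow from the previous servers
readonly ICMP_TYPES=('echo-reply' 'destination-unreachable' 'echo-request' 'ttl-exceeded')

#### NTP servers for time synch
readonly NTP_SERVERS=()

### Rate limit applied to the LOG rules so that a packet flood cannot fill the
### disk or drown the other log lines (limit match, not a drop rule).
readonly LOG_LIMIT=('-m' 'limit' '--limit' '5/min' '--limit-burst' '10')

### ---------------------- do not change below this line

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

### Every rule goes through this wrapper so a dry run (IPT=echo) shows
### exactly what would be loaded.
ipt() { "$IPT" "$@"; }

#######################################
# Reset the filter table to a known state before rebuilding it.
# The INPUT/OUTPUT policies stay ACCEPT while the chains are rebuilt so that
# a failure part-way (bad iptables path, missing module) does not lock the
# administrator out; set_default_policies switches them to DROP at the end.
# Globals: IPT (read)
#######################################
reset_table() {
  ### flush every rule and remove user-defined chains left by a previous run
  ipt -F
  ipt -X
  ipt -P INPUT ACCEPT
  ### never pass packets from one interface out of another
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT
}

#######################################
# Append the INPUT chain.
# Globals: CONTROL_GATEWAYS ICMP_TYPES OTHER_GATEWAYS NTP_SERVERS LOG_LIMIT (read)
#######################################
input_rules() {
  local host icmp port

  ### local processes talking to themselves (resolver, databases, ...)
  ipt -A INPUT -i lo -j ACCEPT

  ### packets belonging to connections already accepted - first, because it
  ### matches most traffic and it covers the replies to every OUTPUT rule
  ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  ### allows ICMP types (defined above) for hosts in the control list
  for host in "${CONTROL_GATEWAYS[@]}"; do
    [[ -n "$host" ]] || continue   # tolerate ('') placeholder entries
    for icmp in "${ICMP_TYPES[@]}"; do
      ipt -A INPUT -s "$host" -p icmp --icmp-type "$icmp" -j ACCEPT
    done
  done

  ### this accepts connections for http and https access from anywhere
  for port in 80 443; do
    ipt -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
  done

  ### this allows remote administration using ssh from your other gateways.
  for host in "${OTHER_GATEWAYS[@]}"; do
    [[ -n "$host" ]] || continue
    ipt -A INPUT -s "$host" -p tcp -m tcp --dport 22 -j ACCEPT
  done

  ### ntpd peer exchange (123 -> 123) from the NTP servers. Replies to our own
  ### NTP queries are already covered by the ESTABLISHED rule, so this does
  ### not open every UDP port to anything claiming source port 123.
  for host in "${NTP_SERVERS[@]}"; do
    [[ -n "$host" ]] || continue
    ipt -A INPUT -s "$host" -p udp -m udp --sport 123 --dport 123 -j ACCEPT
  done

  ### we are about to drop everything else, so first log the discarded traffic
  ### just in case we want to know what *they* are trying.
  ipt -A INPUT "${LOG_LIMIT[@]}" -j LOG --log-prefix 'IPT INPUT DROP: '

  ### this drops any traffic that does not match to the INPUT rules
  ipt -A INPUT -j DROP
}

#######################################
# Append the OUTPUT chain.
# Globals: DNS_SERVERS DEBIAN_SITES NTP_SERVERS LOG_LIMIT (read)
#######################################
output_rules() {
  local host proto

  ipt -A OUTPUT -o lo -j ACCEPT

  ### this allows packets that are already associated with a connection,
  ### required for stateful inspection.
  ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  ### Allows traffic to authorised DNS servers. TCP as well as UDP, so answers
  ### too large for a datagram (truncated, retried over TCP) are not dropped.
  for host in "${DNS_SERVERS[@]}"; do
    [[ -n "$host" ]] || continue
    for proto in udp tcp; do
      ipt -A OUTPUT -d "$host" -p "$proto" -m "$proto" --dport 53 -j ACCEPT
    done
  done

  ### Allows http traffic to debian sites for software updates.
  for host in "${DEBIAN_SITES[@]}"; do
    [[ -n "$host" ]] || continue
    ipt -A OUTPUT -d "$host" -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
  done

  ### this allows NTP traffic to the NTP servers
  for host in "${NTP_SERVERS[@]}"; do
    [[ -n "$host" ]] || continue
    ipt -A OUTPUT -d "$host" -p udp -m udp --dport 123 -j ACCEPT
  done

  ### this logs all OUTPUT traffic that does not match the rules before it
  ### being dropped.
  ipt -A OUTPUT "${LOG_LIMIT[@]}" -j LOG --log-prefix 'IPT OUTPUT DROP: '

  ### this drops any traffic that does not match to the OUTPUT rules
  ipt -A OUTPUT -j DROP
}

#######################################
# Make default-deny the chain policy, not only the last rule: if the chains
# are ever flushed by hand the host stays closed instead of wide open.
#######################################
set_default_policies() {
  ipt -P INPUT DROP
  ipt -P OUTPUT DROP
}

main() {
  [[ -x "$IPT" ]] || command -v "$IPT" >/dev/null 2>&1 || die "iptables not found: $IPT"
  reset_table
  input_rules
  output_rules
  set_default_policies
}

main "$@"

# ------------------------------------- Done!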

Install this script:
cp firewall.sh /etc/init.d/firewall.sh
cd /etc/init.d/
chmod +x firewall.sh
update-rc.d firewall.sh defaults

If you ever want to remove it from the boot sequence, just run:

update-rc.d -f firewall.sh remove