
iptables script on CentOS


[thudv@syslogserver ~]$ cat /opt/firewall/firewall.sh
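#!/bin/sh
# -------------------------------------------------------------
# A Linux Shell Script with common rules for IPTABLES Firewall.
# Default policies: INPUT DROP, OUTPUT ACCEPT, FORWARD ACCEPT.
# Inbound ports opened to any source: 2202/tcp (SSH), 80/tcp,
# 9996/tcp+udp (nfsen), 3306/tcp, 5014/udp, 5044/udp, 9000/tcp,
# 12201/udp, and all ICMP.  Ports 9200, 9300, 27017 and 12900 are
# accepted only when both source and destination are this host's
# own address.  The OUTPUT rules are explicit for documentation;
# they are redundant while the OUTPUT policy is ACCEPT.
# ---------------------Created by Thudv---------------------------

IPT="/sbin/iptables"

# Interface and IPv4 address of the default route, detected at run time.
# Both are verified non-empty in check_env before any rule is touched:
# an empty $IP would turn "-d $IP --dport 80" into an iptables syntax
# error after the INPUT policy is already DROP and lock the host out.
IF=$(/sbin/route | grep -i 'default' | awk '{print $8}')
# NOTE(review): "inet addr" is the legacy net-tools ifconfig format;
# newer ifconfig prints "inet 10.0.0.1" and this pipeline then yields
# an empty $IP, which check_env reports instead of applying rules.
IP=$(/sbin/ifconfig "$IF" | grep "inet addr" | awk -F":" '{print $2}' | awk '{print $1}')

NET="0.0.0.0/0"        # "any" source/destination, in the unambiguous CIDR form
DNS="8.8.8.8"
NTP="123.30.109.226"
OK_ICMP="0 3 4 8 11"   # per-type ICMP list; currently not applied (see allow_icmp)
# Comma-separated list of source addresses dropped outright.
Block_IP="58.221.58.137,222.186.21.163,192.74.244.60"
#SSH_IP="203.162.96.91 203.162.100.19 222.255.100.30"

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort before any iptables call if the environment is unusable:
# missing binary or failed interface/address detection.
#######################################
check_env() {
  [ -x "$IPT" ] || die "$IPT is not an executable iptables binary"
  [ -n "$IF" ] || die "cannot determine the default route interface"
  [ -n "$IP" ] || die "cannot determine the IPv4 address of $IF"
}

#######################################
# Delete all existing rules and user chains in filter, nat and mangle.
#######################################
flush_rules() {
  $IPT --flush
  $IPT -X
  $IPT -t nat -F
  $IPT -t nat -X
  $IPT -t mangle -F
  $IPT -t mangle -X
}

#######################################
# Set default chain policies.  From here on anything not explicitly
# accepted on INPUT is dropped.
#######################################
set_policies() {
  $IPT -P INPUT DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -P FORWARD ACCEPT
}

#######################################
# Drop traffic from the Block_IP addresses.  One rule per address is
# appended, so this does not depend on iptables expanding "-s a,b,c"
# itself.  Only packets addressed to $IP are dropped; packets for any
# other local address fall through to the remaining rules.
#######################################
block_hosts() {
  for addr in $(printf '%s\n' "$Block_IP" | tr ',' ' '); do
    $IPT -A INPUT -s "$addr" -d "$IP" -j DROP
  done
}

#######################################
# Allow loopback and replies to connections this host initiated.
# Because ESTABLISHED is accepted here, the "NEW,ESTABLISHED" states on
# the later INPUT rules only ever add NEW in practice.
#######################################
allow_base() {
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# Allow SSH on port 2202.  No source restriction is applied; the SSH_IP
# list above is the place to add one ("-s <address>") if SSH should be
# reachable from the LAN only.
#######################################
allow_ssh() {
  #$IPT -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -p tcp -m tcp --dport 2202 -m state --state NEW,ESTABLISHED -j ACCEPT
}

#######################################
# Allow HTTP and HTTPS.  Inbound 443 accepts only ESTABLISHED,RELATED,
# so new inbound HTTPS connections are not accepted by this rule set;
# outbound 80/443 are allowed from this host's address.
#######################################
allow_web() {
  $IPT -A INPUT -s "$NET" -p tcp -m tcp -d "$IP" --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -o "$IF" -s "$IP" -p tcp -m tcp -d "$NET" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

  $IPT -A INPUT -s "$NET" -p tcp -m tcp -d "$IP" --dport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -o "$IF" -s "$IP" -p tcp -m tcp -d "$NET" --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
}

#######################################
# Allow outbound NTP to $NTP and outbound DNS to $DNS.
#######################################
allow_ntp_dns() {
  $IPT -A OUTPUT -o "$IF" -s "$IP" -p udp -d "$NTP" --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A OUTPUT -o "$IF" -s "$IP" -p udp -d "$DNS" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
}

#######################################
# Allow NFSEN netflow collection on 9996 (tcp and udp) and MySQL on
# 3306.  The 3306 rule has no source restriction, so the database
# port is reachable from any address; add "-s <client>" to narrow it.
#######################################
allow_nfsen() {
  $IPT -A INPUT -s "$NET" -p tcp -m tcp -d "$IP" --dport 9996 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -s "$NET" -p udp -m udp -d "$IP" --dport 9996 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
}

#######################################
# Allow the log-center services.  Collector ports 5014, 5044, 12201
# (udp) and 9000 (tcp) are open to any source; 9200, 9300, 27017 and
# 12900 are restricted to traffic from this host to itself.
#######################################
allow_logcenter() {
  echo "Allow logcenter"
  $IPT -A INPUT -p udp -m udp --dport 5014 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -p udp -m udp --dport 5044 -m state --state NEW,ESTABLISHED -j ACCEPT
  #$IPT -A INPUT -p tcp -m tcp --dport 5044 -m state --state NEW,ESTABLISHED -j ACCEPT
  #$IPT -A INPUT -p udp -m udp --dport 5045 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -p tcp -m tcp --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -s "$IP" -p udp -m udp -d "$IP" --dport 9300 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -s "$IP" -p tcp -m tcp -d "$IP" --dport 9300 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -s "$IP" -p udp -m udp -d "$IP" --dport 9200 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -s "$IP" -p tcp -m tcp -d "$IP" --dport 9200 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -s "$IP" -p udp -m udp -d "$IP" --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -s "$IP" -p tcp -m tcp -d "$IP" --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -p udp -m udp --dport 12201 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -s "$IP" -p tcp -m tcp -d "$IP" --dport 12900 -m state --state NEW,ESTABLISHED -j ACCEPT
  #$IPT -A OUTPUT -p udp --sport 12201 -m state --state NEW,ESTABLISHED -j ACCEPT
}

#######################################
# Allow ICMP.  This accepts every ICMP type arriving on $IF; the
# OK_ICMP list is not consulted.  A per-type loop over OK_ICMP with
# "--icmp-type" would be the narrower alternative.
#######################################
allow_icmp() {
  $IPT -A INPUT -i "$IF" -s "$NET" -p icmp -j ACCEPT
}

#######################################
# Allow outbound SMTP for mail alerts; inbound 25 accepts only
# ESTABLISHED,RELATED packets (replies), not new connections.
#######################################
allow_mail() {
  $IPT -A OUTPUT -o "$IF" -s "$IP" -p tcp -m tcp -d "$NET" --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -s "$NET" -p tcp -m tcp -d "$IP" --dport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# Entry point.  Rule order matters: the block list is appended first,
# then loopback/established, then the per-service accepts.
#######################################
main() {
  check_env
  echo "Starting IPv4 FireWall..."
  flush_rules
  set_policies
  block_hosts
  allow_base
  allow_ssh
  allow_web
  allow_ntp_dns
  allow_nfsen
  allow_logcenter
  allow_icmp
  allow_mail
}

main "$@"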