iptables config
This is an iptables shell script that enables SSH, HTTP/S, mail protocols, FTP, ICMP and NRPE. It also rate-limits outbound UDP floods and incoming SYN floods.
To support passive mode FTP you need to load the ip_conntrack_ftp module on boot. Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config
file to read:
IPTABLES_MODULES="ip_conntrack_ftp"
If there are already other modules, separate them with a space, like this:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
Also set these settings in the same config file:
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"
Don't forget to start iptables on boot, and restart it after the config change:
chkconfig iptables on
service iptables restart
Save this as a .sh script and execute it:
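#!/bin/sh
# Host firewall ruleset.
#
# Inbound: SSH, HTTP/S (incl. 8443/8880), POP/IMAP/SMTP, FTP, ICMP echo-request
# and Nagios NRPE. Outbound: HTTP/S, DNS, SMTP, MySQL plus the reply traffic of
# the inbound services. Outbound UDP and inbound TCP SYN packets are
# rate-limited in dedicated chains. Everything else hits the DROP policies.
#
# Requirements: run as root (iptables needs CAP_NET_ADMIN). Passive-mode FTP
# additionally needs the ip_conntrack_ftp module loaded (see the notes above).
#
# Deliberately no 'set -e': a failing rule part-way through would abort the
# script with the DROP policies already set but only some of the ACCEPT rules
# loaded, which can lock the administrator out.

echo "Flushing iptables and allowing everything..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

echo "Applying baseline rules..."
# Deny everything on the default INPUT chain (and OUTPUT); every ACCEPT
# below is an explicit exception to these policies.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT

echo "Allow all on internal interface eth0..."
# Allow all on internal interface (disabled). OUTPUT rules match the
# outgoing interface with -o, not -i.
#iptables -A INPUT -i eth0 -p all -j ACCEPT
#iptables -A OUTPUT -o eth0 -p all -j ACCEPT

echo "Applying rules OUTPUT"
# HTTP:
iptables -A OUTPUT -p TCP --dport 80 -j ACCEPT
# HTTPS:
iptables -A OUTPUT -p TCP --dport 443 -j ACCEPT
# DNS:
iptables -A OUTPUT -p UDP --dport 53 -m state --state NEW -j ACCEPT
# DNS (TCP fallback):
iptables -A OUTPUT -p TCP --dport 53 -m state --state NEW -j ACCEPT
# SMTP:
iptables -A OUTPUT -p TCP --dport 25 -j ACCEPT
# MYSQL: no -d restriction, so outbound 3306 is allowed to any host;
# narrow it with -d <db-host> if the database server address is known.
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 3306 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

echo "Applying rules INPUT"
# Allow connections that are already connected to the server.
# Only eth1 gets the generic ESTABLISHED,RELATED rule; replies arriving on
# other interfaces rely on the per-service --sport rules below.
#iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# (The OUTPUT -o lo ACCEPT rule is already present from the baseline above.)

# Outbound UDP Flood protection in a user defined chain.
# Packets within the limit RETURN to OUTPUT and continue matching; the
# excess is logged and dropped.
iptables -N udp-flood
iptables -A OUTPUT -p udp -j udp-flood
iptables -A udp-flood -p udp -m limit --limit 50/s --limit-burst 100 -j RETURN
iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
iptables -A udp-flood -j DROP

# SYN-Flood protection in a user defined chain (same RETURN/LOG/DROP shape,
# applied to every inbound TCP SYN).
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 30/s --limit-burst 60 -j RETURN
iptables -A syn-flood -j LOG --log-level 4 --log-prefix 'SYN-flood attempt: '
iptables -A syn-flood -j DROP

# Service rules come in pairs: accept the inbound connection on the service
# port, and let the server's replies out (--sport <port>, ESTABLISHED only).
# The two ports in each pair must match or replies are silently dropped.

# Allow SSH on 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8443 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8880 -m state --state ESTABLISHED -j ACCEPT

# Allow pop, imap and smtp
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 106 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 106 -m state --state ESTABLISHED -j ACCEPT
# 113 (ident): the reply rule previously used --sport 133, so inbound 113
# connections were accepted but every reply was dropped by the OUTPUT policy.
iptables -A INPUT -p tcp --dport 113 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 113 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
# (A second, identical 995 pair was removed; duplicate rules add nothing.)

# Allow FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# Active-mode data channel: the server opens it from port 20, hence no
# state match on the OUTPUT rule.
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
# Passive-mode data channel on high ports; RELATED on OUTPUT is what the
# ip_conntrack_ftp module feeds.
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ICMP (echo-request in, echo-reply out)
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow Nagios NRPE
iptables -A INPUT -p tcp --dport 5666 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5666 -m state --state ESTABLISHED -j ACCEPT

# If we made it this far the packet will be dropped by the INPUT policy - so
# log it as denied. This LOG rule is not rate-limited; on a busy host add
# '-m limit' (as in the flood chains) to keep the log from filling up.
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'Denied: '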