iptables config

This is a iptables shell script that enables SSH, HTTP/S, mail protocols, FTP, ICMP and NRPE. It also blocks outbound UDP floods and incoming SYN floods.

To support passive mode FTP you need to load the ip_conntrack_ftp module on boot. Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file to read:

IPTABLES_MODULES="ip_conntrack_ftp"

If there are already other modules, seperate them with a space, like this:

IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"

Alse set these settings in the same config file:

IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"

Don’t forget to start iptables on boot, and restart after the config change;

chkconfig iptables on
service iptables restart

Save this as a .sh script and execute;

#!/bin/sh
echo "Flushing iptables and allowing everything..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

echo "Applying baseline rules..."
# Deny everything on the default INPUT chain
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT

echo "Allow all on internal interface eth0..."
# Allow all on internal interface
#iptables -A INPUT -i eth0 -p all -j ACCEPT
#iptables -A OUTPUT -i eth0 -p all -j ACCEPT

echo "Applying rules OUTPUT"
# HTTP:
iptables -A OUTPUT -p TCP --dport 80 -j ACCEPT

# HTTPS:
iptables -A OUTPUT -p TCP --dport 443 -j ACCEPT

# DNS:
iptables -A OUTPUT -p UDP --dport 53 -m state --state NEW -j ACCEPT

# DNS (TCP fallback):
iptables -A OUTPUT -p TCP --dport 53 -m state --state NEW -j ACCEPT

# SMTP:
iptables -A OUTPUT -p TCP --dport 25 -j ACCEPT

# MYSQL:
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 3306 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

echo "Applying rules INPUT"
# Allow connections that are already connected to the server.
#iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Outbound UDP Flood protection in a user defined chain.
iptables -N udp-flood
iptables -A OUTPUT -p udp -j udp-flood
iptables -A udp-flood -p udp -m limit --limit 50/s --limit-burst 100 -j RETURN
iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
iptables -A udp-flood -j DROP

# SYN-Flood protection in a user defined chain
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 30/s --limit-burst 60 -j RETURN
iptables -A syn-flood -j LOG --log-level 4 --log-prefix 'SYN-flood attempt: '
iptables -A syn-flood -j DROP

# Allow SSH on 22
iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow HTTP and HTTPS
iptables -A INPUT  -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 8443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8443 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 8880 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8880 -m state --state ESTABLISHED -j ACCEPT


# Allow pop, imap and smtp
iptables -A INPUT  -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT  -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 106 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 106 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 113 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 133 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

# Allow FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

iptables -A INPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ICMP
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow Nagios NRPE
iptables -A INPUT  -p tcp --dport 5666 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5666 -m state --state ESTABLISHED -j ACCEPT

# If we made it this far the packet will be dropped - so log it as denied.
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'Denied: '