Script Information
iptables-config is a fairly simple, straightforward BASH script for quickly setting up an iptables firewall on a single server. It blocks all but the specified ports and can also block individual IPs, IP blocks, or ranges of IPs. By default it allows pings. Take a look below: simply download it, modify the variables to suit your setup, and run the script. It hasn't been updated in a little over a year (which is why it's in this section), but I have plans to make it rc-ified and maybe a bit more .. modular, as soon as I get some free time. ^_^
Script Source
#!/bin/bash
# iptables-config by cmantito (cmantito@cmantito.com // cmantito.com)
# added a rule to allow incoming pings, so that is fixed [27/04/2006]
# next version will be rc-script-ish and slightly more flexible...eventually
# Must run as root; iptables refuses to change rules otherwise.

# IPTABLES parameters config
# (these are expanded unquoted on purpose, so each one becomes several
# arguments to iptables)
incoming="iptables -A INPUT"
outgoing="iptables -A OUTPUT"
forwarding="iptables -A FORWARD"
tcp="-p TCP"
udp="-p UDP"
icmp="-p icmp"
accept="-j ACCEPT"
drop="-j DROP"
reject="-j REJECT"

# TCP: Allowed Ports (space-separated; anything not listed is rejected at the end)
TCP_ACCEPT_PORTS="22 23 25 80 143 548 587 993 3306 3690 6667 6697 9999 48240 48241 48242 48243 48244"
# Blackholed IPs (single addresses or CIDR blocks, e.g. 10.0.0.0/8)
TCP_REJECT_IPS=""
TCP_DROP_IPS="62.181.182.52"
# UDP: Allowed Ports
UDP_ACCEPT_PORTS=""
# Blackholed IPs
UDP_REJECT_IPS=""
UDP_DROP_IPS=""

# Clear existing rules in the filter table. Chain policies are left alone,
# which is why an explicit catch-all REJECT is appended at the end.
iptables --flush

# Set REJECT rules (the sender gets an ICMP error back)
for ip in $TCP_REJECT_IPS ; do
    $incoming $tcp -s $ip $reject
done
for ip in $UDP_REJECT_IPS ; do
    $incoming $udp -s $ip $reject
done

# Set DROP rules (packets are silently discarded)
for ip in $TCP_DROP_IPS ; do
    $incoming $tcp -s $ip $drop
done
for ip in $UDP_DROP_IPS ; do
    $incoming $udp -s $ip $drop
done

# Set ACCEPT rules. These come after the blackhole rules on purpose:
# a blocked address never reaches the per-port accepts.
for port in $TCP_ACCEPT_PORTS ; do
    $incoming $tcp --dport $port $accept
done
for port in $UDP_ACCEPT_PORTS ; do
    $incoming $udp --dport $port $accept
done

# ACCEPT ICMP pings (type 8 = echo-request).
$incoming $icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED $accept

# Allow the loopback interface, so local services (a resolver or database
# listening on 127.0.0.1) are not cut off by the catch-all REJECT below.
$incoming -i lo $accept

# Add more rules here.

# Allow all outgoing traffic, established sessions.
$incoming -m state --state RELATED,ESTABLISHED $accept
# eth0 is the interface forwarded traffic arrives on; change it to match your box.
$forwarding -i eth0 -m state --state RELATED,ESTABLISHED $accept
$outgoing -m state --state NEW,RELATED,ESTABLISHED $accept

# Set an implicit DENY: anything not matched above is rejected.
$incoming $reject
$forwarding $reject

# Show em all.
iptables -L
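As an added example (not the original script, and not part of iptables-config), here is the same variable-driven layout rendered into iptables-restore format, so the whole rule set can be checked as text before it touches the kernel. It validates each port and address, and adds the default-DROP policies, loopback and conntrack rules the script above handles differently; the ports and addresses in it are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of iptables-config: render port/IP variables into
# iptables-restore format so the rule set can be reviewed (or diffed against
# `iptables-save`) as plain text before loading it.
# Sample values below are constructed; the addresses are documentation ranges.
TCP_ACCEPT_PORTS="22 80 443"
UDP_ACCEPT_PORTS="1194"
TCP_DROP_IPS="198.51.100.7 203.0.113.0/24"

valid_port() {                       # integer in 1..65535
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ip() {                         # dotted quad with optional /0-32 prefix
  addr=${1%/*}; pfx=${1#*/}
  [ "$pfx" = "$1" ] && pfx=32        # no slash present: host address
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# emit_rules PROTO MATCH TARGET "values": one INPUT rule per value, validated first
emit_rules() {
  for v in $4; do
    if [ "$2" = "--dport" ]; then
      valid_port "$v" || { printf 'bad port: %s\n' "$v" >&2; return 1; }
    else
      valid_ip "$v" || { printf 'bad address: %s\n' "$v" >&2; return 1; }
    fi
    printf '%s\n' "-A INPUT -p $1 $2 $v -j $3"
  done
}

build_rules() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'      # keep local services reachable
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  emit_rules tcp -s DROP "$TCP_DROP_IPS" || return 1   # blackholes before accepts
  emit_rules tcp --dport ACCEPT "$TCP_ACCEPT_PORTS" || return 1
  emit_rules udp --dport ACCEPT "$UDP_ACCEPT_PORTS" || return 1
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' 'COMMIT'
}

build_rules          # review the text; when happy: build_rules | iptables-restore
```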