Additions:
required = ["iptables"];
seeAlso = ["iptablesConfig"];
iptables-easy-config is based on iptables-config, but it was designed to be even simpler than that one. It filters access to certain ports based on source address while either allowing or denying all traffic to all other ports. Configure the variables in the script, then set it to run each time the system boots (for example, in ArchLinux you would do this by putting the full path to the script in /etc/rc.local). You also want to make sure the script is executable (chmod +x ./iptables-easy-config.sh).
ALLOW_PORTS="22 25 110 143"
Deletions:
Information coming soon.
ALLOW_PORTS="2200"
Script Information
Information coming soon.
Script Source
#!/bin/bash
### Simple iptables manipulation script.
### Written by Kevin Leacock/cmantito
### Based off of iptables-config written by the same.
### iptables-config source available at http://kevinsnet.com/
### Instructions:
# The parameters below modify how the script functions. Each parameter is
# preceded by a short description of how it works. After modifying these
# parameters, this script must be run in your console (./iptables-easy-config.sh).
# It is also recommended that you configure this script to run at boot.
# If you make any manual modifications to your rules after running this script,
# they will be cleared the next time it is run. Please append those rules to
# this file if you would like them to be included when the script runs.
# NOTE: This script is designed for use with TCP ports only. It will also work for
# UDP ports, but it was not designed to provide rules for TCP and UDP ports at the
# same time. Please see the final option in the configuration section if you
# wish to switch it from TCP to UDP.
### Configuration:
# The following should be a space-separated list of hosts/CIDR networks
# to allow access from.
ALLOW_ACCESS="192.168.1.0/24 127.0.0.1"
# The following should be a space-separated list of ports for which to allow
# access from the above hosts/networks
ALLOW_PORTS="2200"
# If the following is set to "NO", then ports NOT on the above list will be
# unaffected by firewall rules. If it is set to "YES", then NO traffic will be
# permitted to reach this machine UNLESS it is for a port on the above list and
# from a machine in the first list. This parameter is case-sensitive.
# !!! NOTE: This ONLY affects ports of the protocol set by PROTOCOL below -- ports
# for another protocol will be unaffected by this parameter! See NOTE in above
# section !!!
FIREWALL_OTHER_PORTS="NO"
# The script should automatically detect the location of the iptables executable.
# Usually, it is found at /usr/sbin/iptables. If for some reason the script fails
# to run because it cannot find it, or you would like to use a different executable,
# uncomment this parameter and set it to the location of your iptables.
# IPTABLES_LOCATION="/usr/sbin/iptables"
# Set this to TCP or UDP to specify which protocol is being firewalled.
# !!! Before modifying, see NOTE in above section !!!
PROTOCOL="TCP"
#################### END OF CONFIGURATION ####################
# Locate iptables unless an explicit path was configured above.
if [ -z "$IPTABLES_LOCATION" ]; then IPTABLES_LOCATION=$(command -v iptables 2>/dev/null); fi
if [ -z "$IPTABLES_LOCATION" ]; then echo "Cannot locate iptables executable. Exiting..."; exit 1; fi
IPT=$IPTABLES_LOCATION
# Lower-case the protocol name for the -p option.
PROTO=$(echo "$PROTOCOL" | tr 'A-Z' 'a-z')
# Flush every chain in the filter table; any manually added rules are lost here.
$IPT -F
for PORT in $ALLOW_PORTS; do
    echo "Processing port $PORT..."
    for HOSTMASK in $ALLOW_ACCESS; do
        echo "Allowing access to port $PORT for $HOSTMASK..."
        $IPT -A INPUT -p "$PROTO" --dport "$PORT" -s "$HOSTMASK" -j ACCEPT
    done
    echo "Denying all other access to port $PORT..."
    $IPT -A INPUT -p "$PROTO" --dport "$PORT" -j REJECT
done
if [ "$FIREWALL_OTHER_PORTS" = "YES" ]; then
    echo "Denying access to all other non-defined ports..."
    # NOTE: this also rejects replies to $PROTO connections this host initiated,
    # since there is no ESTABLISHED,RELATED rule ahead of it.
    $IPT -A INPUT -p "$PROTO" -j REJECT
fi
echo "Execution complete."
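As an added example (not part of the original script), a dry-run generator that prints the rules the configuration above would produce instead of applying them, so the rule set can be reviewed before it is installed at boot. It validates the port list and protocol name, flushes only INPUT, and inserts an ESTABLISHED,RELATED accept that the original lacks, so FIREWALL_OTHER_PORTS="YES" no longer rejects replies to the host's own outbound connections. The IPT variable, the function names and the sample configuration are assumptions.

```shell
#!/bin/sh
# Dry-run rule generator (added example, not from the original script):
# prints the iptables commands a configuration would produce without
# touching the live firewall. Assumes iptables is reachable as $IPT.

# is_port PORT -> 0 if PORT is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules ALLOW_ACCESS ALLOW_PORTS PROTOCOL FIREWALL_OTHER_PORTS
# Prints one iptables command per line; returns 1 on invalid input.
build_rules() {
    allow_access=$1; allow_ports=$2; firewall_other=$4
    proto=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    ipt=${IPT:-iptables}
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad PROTOCOL: $3" >&2; return 1 ;;
    esac
    for port in $allow_ports; do
        is_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    # Flush only INPUT so rules in other chains (e.g. FORWARD) survive.
    echo "$ipt -F INPUT"
    # Accept replies to this host's own outbound connections; without this,
    # FIREWALL_OTHER_PORTS=YES rejects every reply packet on $proto.
    echo "$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $allow_ports; do
        for hostmask in $allow_access; do
            echo "$ipt -A INPUT -p $proto --dport $port -s $hostmask -j ACCEPT"
        done
        echo "$ipt -A INPUT -p $proto --dport $port -j REJECT"
    done
    if [ "$firewall_other" = "YES" ]; then
        echo "$ipt -A INPUT -p $proto -j REJECT"
    fi
}

# Review the rules for a constructed sample configuration (the page's
# defaults with a second port added).
build_rules "192.168.1.0/24 127.0.0.1" "2200 22" TCP YES
```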
Categories:
CategoryStable