
Create iptables-simple.sh

Håvard O. Nordstrand 5 năm trước cách đây
mục cha
commit
8e6f272f21
1 tập tin đã thay đổi với 74 bổ sung0 xóa
  1. 74 0
      config/linux-server/files/iptables/iptables-simple.sh

+ 74 - 0
config/linux-server/files/iptables/iptables-simple.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# Simple IPTables script for servers.
+
+set -eu
+
+command -v iptables 1>/dev/null || (echo "Please install iptables." 1>&2 && exit -1)
+command -v netfilter-persistent 1>/dev/null || (echo "Please install iptables-persistent and netfilter-persistent." 1>&2 && exit -1)
+
+## Helper functions
+
+ipt4() {
+    iptables "$@" || return $?
+}
+
+ipt6() {
+    ip6tables "$@" || return $?
+}
+
+ipt46() {
+    ipt4 "$@" || return $?
+    ipt6 "$@" || return $?
+}
+
+ipt_save() {
+    netfilter-persistent save || return $?
+}
+
+## Policies
+ipt46 -P INPUT DROP
+ipt46 -P FORWARD DROP
+ipt46 -P OUTPUT DROP
+
+## Clear all
+ipt46 -F
+ipt46 -X
+ipt46 -t nat -F
+ipt46 -t nat -X
+ipt46 -t mangle -F
+ipt46 -t mangle -X
+ipt46 -t raw -F
+ipt46 -t raw -X
+ipt46 -t security -F
+ipt46 -t security -X
+
+## Input Basic
+# Connection tracking
+ipt46 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ipt46 -A INPUT -m conntrack --ctstate INVALID -j DROP
+# Localhost
+ipt46 -A INPUT -i lo -j ACCEPT
+# Ping
+ipt4 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+ipt6 -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+# NDP
+ipt6 -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
+ipt6 -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
+ipt6 -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+ipt6 -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+# DHCPv6 client and server
+ipt6 -A INPUT -p udp --dport 546 -j ACCEPT
+ipt6 -A INPUT -p udp --dport 547 -j ACCEPT
+
+## Input Special
+# SSH
+ipt46 -A INPUT -p tcp --dport 22 -j ACCEPT
+
+## Output
+# Accept all
+ipt46 -A OUTPUT -j ACCEPT
+
+## Save
+ipt_save
+echo "Done"
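Review bot: The three `ipt46 -P … DROP` policy lines are applied before the tables are flushed and before any ACCEPT rule exists, so with `set -eu` any failure between them and the conntrack rule (for example the `-t security` flush on a kernel without that table, or `ip6tables` being absent, which the prerequisite check does not cover) aborts the script with default-DROP policies and no rules, locking out a remote administrator. Move the policy lines to just before `ipt_save` so they are tightened only after the ACCEPT rules are in place, and add `command -v ip6tables 1>/dev/null || …` alongside the existing prerequisite check so the second failure mode is caught before any rule is touched. The prerequisite lines also call `exit -1` inside `( … )`, which ends only the subshell; the script presumably stops because `set -e` sees the list's non-zero status, so `{ echo "Please install iptables." 1>&2; exit 1; }` would make the intent explicit and use a valid exit code.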