Home Explore Help
Register Sign In
jeremy
/
HON95-wiki
mirror of https://github.com/HON95/wiki
1
0
Fork 0
Files Issues 0 Wiki
Tree: 8e6f272f21
Branches Tags
HON95-wiki
/
config
/
linux-server
/
files
/
iptables
/
iptables-simple.sh

iptables-simple.sh 1.6 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374 
  1. #!/bin/bash
    2. 

  2. 

  3. # Simple IPTables script for servers.
    4. 

  4. 

  5. set -eu
    6. 

  6. 

  7. command -v iptables 1>/dev/null || (echo "Please install iptables." 1>&2 && exit -1)
    8. 

  8. command -v netfilter-persistent 1>/dev/null || (echo "Please install iptables-persistent and netfilter-persistent." 1>&2 && exit -1)
    9. 

  9. 

  10. ## Helper functions
    11. 

  11. 

  12. ipt4() {
    13. 

  13.     iptables "$@" || return $?
    14. 

  14. }
    15. 

  15. 

  16. ipt6() {
    17. 

  17.     ip6tables "$@" || return $?
    18. 

  18. }
    19. 

  19. 

  20. ipt46() {
    21. 

  21.     ipt4 "$@" || return $?
    22. 

  22.     ipt6 "$@" || return $?
    23. 

  23. }
    24. 

  24. 

  25. ipt_save() {
    26. 

  26.     netfilter-persistent save || return $?
    27. 

  27. }
    28. 

  28. 

  29. ## Policies
    30. 

  30. ipt46 -P INPUT DROP
    31. 

  31. ipt46 -P FORWARD DROP
    32. 

  32. ipt46 -P OUTPUT DROP
    33. 

  33. 

  34. ## Clear all
    35. 

  35. ipt46 -F
    36. 

  36. ipt46 -X
    37. 

  37. ipt46 -t nat -F
    38. 

  38. ipt46 -t nat -X
    39. 

  39. ipt46 -t mangle -F
    40. 

  40. ipt46 -t mangle -X
    41. 

  41. ipt46 -t raw -F
    42. 

  42. ipt46 -t raw -X
    43. 

  43. ipt46 -t security -F
    44. 

  44. ipt46 -t security -X
    45. 

  45. 

  46. ## Input Basic
    47. 

  47. # Connection tracking
    48. 

  48. ipt46 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    49. 

  49. ipt46 -A INPUT -m conntrack --ctstate INVALID -j DROP
    50. 

  50. # Localhost
    51. 

  51. ipt46 -A INPUT -i lo -j ACCEPT
    52. 

  52. # Ping
    53. 

  53. ipt4 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    54. 

  54. ipt6 -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    55. 

  55. # NDP
    56. 

  56. ipt6 -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
    57. 

  57. ipt6 -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
    58. 

  58. ipt6 -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
    59. 

  59. ipt6 -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
    60. 

  60. # DHCPv6 client and server
    61. 

  61. ipt6 -A INPUT -p udp --dport 546 -j ACCEPT
    62. 

  62. ipt6 -A INPUT -p udp --dport 547 -j ACCEPT
    63. 

  63. 

  64. ## Input Special
    65. 

  65. # SSH
    66. 

  66. ipt46 -A INPUT -p tcp --dport 22 -j ACCEPT
    67. 

  67. 

  68. ## Output
    69. 

  69. # Accept all
    70. 

  70. ipt46 -A OUTPUT -j ACCEPT
    71. 

  71. 

  72. ## Save
    73. 

  73. ipt_save
    74. 

  74. echo "Done"
    75.