ninja iptables for your server
Security is often about layers on top of layers on top of layers… And one of these layers is usually an iptables firewall installed in your server. Let’s create a small script to provide our server with the kung-fu fighting techniques needed to defeat the black hats!!
You can download the script from here. But let’s have it on the screen so we can walk through the rules:-
#!/bin/bash
###
### IPTables config file
### Based on the rules compiled by Ranjit San aka 'the grasshopper'
### Created 2007-09-14 by Daniel Martin Gomez
### Revision 1
###
###
### define variables
###
### path to iptables
IPT=/sbin/iptables
### This contains a list of approved Debian sites to get software updates.
DEBIAN_SITES=('194.109.137.218' '212.219.56.139' '212.219.56.133' '212.219.56.134' '212.219.56.135' '212.219.56.138')
### This contains the authorised DNS servers configured in /etc/resolv.conf.
DNS_SERVERS=('')
### This is a list of external IPs that you want to allow ssh access from.
OTHER_GATEWAYS=('')
### This is a list of hosts authorised to try ICMP probes to check if the
### server is running. This could be your ISP's IPs
CONTROL_GATEWAYS=('')
### Types of ICMP probes to allow from the previous servers
ICMP_TYPES=('echo-reply' 'destination-unreachable' 'echo-request' 'ttl-exceeded')
### NTP servers for time sync
NTP_SERVERS=('')
### ------------------------------------------------- do not change below this line
###
### INPUT
###
### flush every rule from the chains of the filter table, so the rule set below is built from a clean slate.
$IPT -F
### allows inbound packets to be processed
$IPT -P INPUT ACCEPT
### drops packets so that they can not come through one interface and flow out of another.
$IPT -P FORWARD DROP
### This allows outbound packets to be processed
$IPT -P OUTPUT ACCEPT
### allows ICMP types (defined above) for hosts in the control list
for IP in ${CONTROL_GATEWAYS[@]}; do
for ICMP in ${ICMP_TYPES[@]}; do
$IPT -A INPUT -s $IP -p icmp --icmp-type $ICMP -j ACCEPT
done
done
### this accepts connections for http and https access from anywhere
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
### this allows remote administration using ssh from your other gateways.
for IP in ${OTHER_GATEWAYS[@]}; do
$IPT -A INPUT -s $IP -p tcp -m tcp --dport 22 -j ACCEPT
done
### this accepts packets that belong to a connection already established, or that are
### related to one (e.g. ICMP errors); this is the stateful inspection part. New inbound
### connections are only accepted by the explicit rules above.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
### this allows NTP traffic from NTP server
for NTP in ${NTP_SERVERS[@]}; do
$IPT -A INPUT -s $NTP -p udp -m udp --sport 123 -j ACCEPT
done
### we are about to drop everything else, so first log the discarded traffic
### just in case we want to know what *they* are trying.
$IPT -A INPUT -j LOG
### this drops any traffic that does not match to the INPUT rules
$IPT -A INPUT -j DROP
###
### OUTPUT
###
### Allows traffic to authorised DNS servers
for IP in ${DNS_SERVERS[@]}; do
$IPT -A OUTPUT -d $IP -p udp -m udp --dport 53 -j ACCEPT
done
### Allows http traffic to Debian sites for software updates.
### Initial config rule
for IP in ${DEBIAN_SITES[@]}; do
$IPT -A OUTPUT -d $IP -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
done
### this accepts packets that belong to a connection already established, or that are
### related to one; this is the stateful inspection part. New outbound connections are
### only accepted by the explicit rules in this chain.
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
### this allows NTP traffic to the NTP servers
for NTP in ${NTP_SERVERS[@]}; do
$IPT -A OUTPUT -d $NTP -p udp -m udp --dport 123 -j ACCEPT
done
### this logs all OUTPUT traffic that does not match the rules above before it is
### dropped.
$IPT -A OUTPUT -j LOG
### this drops any traffic that does not match to the OUTPUT rules
$IPT -A OUTPUT -j DROP
Just two things to add: First, do not forget to set your own values for the variables DNS_SERVERS, OTHER_GATEWAYS, CONTROL_GATEWAYS and NTP_SERVERS. And second, if you want your kung-fu up and ready after boot you may need to issue the following:-
cd /etc/init.d/
wget http://usefulfor.com/security/files/2008/06/firewall.sh
chmod +x firewall.sh
update-rc.d firewall.sh defaults
If you ever want to remove it from the boot sequence just issue:-
update-rc.d -f firewall.sh remove
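As an added example (not part of the original script), here is a bash dry run of the INPUT chain: it substitutes a recorder function for /sbin/iptables so you can generate and sanity-check the rules on any machine, without root, before installing the script into the boot sequence. The IP addresses and the helper names (ipt_record, gen_input_rules, count_rules, ends_with_log_drop, preflight) are assumptions constructed for the example.

```shell
#!/bin/bash
# Dry run of the script's INPUT chain (added example, not the original
# script). $IPT points at a recorder instead of /sbin/iptables, so the rules
# can be generated and checked without root before the real script is
# installed. The IPs below are constructed sample values.
OTHER_GATEWAYS=('198.51.100.7' '198.51.100.8')   # ssh admin hosts
CONTROL_GATEWAYS=('')                             # placeholder left empty
ICMP_TYPES=('echo-reply' 'destination-unreachable' 'echo-request' 'ttl-exceeded')
NTP_SERVERS=('192.0.2.123')

# Recorder standing in for /sbin/iptables: prints the rule it was handed.
ipt_record() { printf '%s\n' "$*"; }

# Same loops and rules as the script's INPUT section, through the recorder.
gen_input_rules() {
    local IPT=ipt_record IP ICMP NTP
    for IP in ${CONTROL_GATEWAYS[@]}; do
        for ICMP in ${ICMP_TYPES[@]}; do
            $IPT -A INPUT -s $IP -p icmp --icmp-type $ICMP -j ACCEPT
        done
    done
    $IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    for IP in ${OTHER_GATEWAYS[@]}; do
        $IPT -A INPUT -s $IP -p tcp -m tcp --dport 22 -j ACCEPT
    done
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    for NTP in ${NTP_SERVERS[@]}; do
        $IPT -A INPUT -s $NTP -p udp -m udp --sport 123 -j ACCEPT
    done
    $IPT -A INPUT -j LOG
    $IPT -A INPUT -j DROP
}

# Number of generated rules matching a pattern (0 is a valid answer).
count_rules() { printf '%s\n' "$1" | grep -c -- "$2" || true; }
# Succeed only if the chain's last two rules are LOG then DROP.
ends_with_log_drop() {
    [ "$(printf '%s\n' "$1" | tail -n 2 | awk '{print $NF}' | xargs)" = "LOG DROP" ]
}
# Pre-flight: the ssh rule count must equal the admin-host count (the ('')
# placeholder counts as a host but yields no rule, which would lock you out),
# and the chain must still end with LOG, DROP.
preflight() {
    local rules; rules=$(gen_input_rules)
    [ "$(count_rules "$rules" 'dport 22')" -eq "${#OTHER_GATEWAYS[@]}" ] || return 1
    ends_with_log_drop "$rules"
}

gen_input_rules; preflight && echo "preflight OK" || echo "preflight FAILED: check OTHER_GATEWAYS"
```

With CONTROL_GATEWAYS left at the placeholder, the dry run shows no ICMP rule at all, which is the silent effect of forgetting to fill in that list.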