iptables script for Debian / Ubuntu
Most Linux distributions seem to have their own way of handling iptables. Red Hat based distributions come with an init script, /etc/init.d/iptables, which saves and restores the configuration and lets you check its status. Debian / Ubuntu come with... nothing.
So there is a plethora of advice and ways of setting iptables up on them, and this is mine.
It's a simple shell script installed as /etc/network/if-pre-up.d/iptables, meaning ifupdown executes it before an interface is brought up, so there is never a window in which the interface is up with no rules loaded - better to do it then than afterwards :) ifupdown runs it once for every interface it brings up, so the script flushes and rebuilds the whole ruleset each time rather than appending to whatever is already there.
It provides a couple of shell wrapper functions which make it easy to write rules that are applied to both IPv4 and IPv6, plus separate ones for rules that only make sense for one of them.
Here it is in its entirety; feel free to use/copy/whatever, it's public domain.
```sh
#!/bin/sh
#
# IPTables firewall script. There are many. This is mine.
#
# Installed as /etc/network/if-pre-up.d/iptables, so ifupdown runs it before
# each interface comes up. It runs once per interface; flushing and
# rebuilding the chains every time keeps it idempotent.
#

#
# Ensure sane path
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin

#
# When running from the command line, provide a -v option to print the
# installed rules at the end.
#
verbose=
if [ "$1" = "-v" ]; then
	shift
	verbose=on
fi

#
# Rather than duplicate entries for iptables and ip6tables, have some small
# wrapper functions do it for us.
#
# ip4tbl - apply ruleset for just iptables
# ip6tbl - apply ruleset for just ip6tables
# iptbl  - apply ruleset for both iptables and ip6tables
#
ip4tbl()
{
	iptables "$@"
}

ip6tbl()
{
	ip6tables "$@"
}

iptbl()
{
	ip4tbl "$@"
	ip6tbl "$@"
}

#
# Flush all rules and delete any user-defined chains in the filter table
# (the only table this script manages; nat and mangle are left alone).
#
iptbl -F
iptbl -X

#
# Block by default except outgoing traffic
#
iptbl -P INPUT DROP
iptbl -P FORWARD DROP
iptbl -P OUTPUT ACCEPT

#
# Allow everything on loopback
#
iptbl -A INPUT -i lo -j ACCEPT

#
# Permit established connections, and related ones such as ICMP errors for
# connections we initiated.
#
iptbl -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#
# Permit allowed services on all interfaces. DNS is restricted to my public
# DNS servers, this just runs a hidden master.
#
iptbl -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptbl -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 53 -s 85.158.46.77 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 53 -s 85.158.46.77 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 53 -s 193.108.199.128 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 53 -s 193.108.199.128 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 53 -s 193.108.199.130 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 53 -s 193.108.199.130 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 53 -s 213.5.89.46 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 53 -s 213.5.89.46 -j ACCEPT
iptbl -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptbl -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
iptbl -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptbl -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
iptbl -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

#
# Permit ICMP and traceroute. Do not be tempted to filter ICMPv6 wholesale:
# neighbour discovery and router advertisements are ICMPv6, and IPv6 stops
# working without them.
#
ip4tbl -A INPUT -p icmp -j ACCEPT
ip6tbl -A INPUT -p ipv6-icmp -j ACCEPT
iptbl -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT

#
# Log denied connections, rate limited so a port scan cannot fill the logs.
#
# The common LOG options live in a function rather than in a quoted string
# variable: single quotes inside a variable are literal characters once it
# is expanded, so iptables would receive the prefix and a stray "'" as
# separate arguments and reject the whole command.
#
logrule()
{
	"$@" -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7
}
logrule iptbl -A INPUT -p tcp
logrule iptbl -A INPUT -p udp
logrule ip4tbl -A INPUT -p icmp
logrule ip6tbl -A INPUT -p ipv6-icmp

#
# Finally, reject (rather than silently drop) whatever is left, so clients
# get an immediate refusal instead of holding half-open connections until
# they time out.
#
iptbl -A INPUT -j REJECT

#
# Display INPUT chain if verbose
#
if [ -n "${verbose}" ]; then
	iptables -L INPUT -vn --line-numbers
	ip6tables -L INPUT -vn --line-numbers
fi
```
Just remember to make it executable ;-) and don't give it a suffix: run-parts only runs files whose names consist of ASCII letters, digits, underscores and hyphens, so /etc/network/if-pre-up.d/iptables.sh would be silently skipped. `run-parts --test /etc/network/if-pre-up.d` lists exactly which scripts ifupdown will run.
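As an added example (not code from the original post), here is a dry-run harness for the same wrapper functions: with IPT_DRYRUN set, ip4tbl/ip6tbl print the argument vector each call would hand to iptables/ip6tables instead of executing it, which lets you review and diff a ruleset on a machine with no root and no netfilter, and it shows why the shared LOG options belong in a shell function rather than in a quoted string variable. IPT_DRYRUN, show_args, logrule, count_words, quoted_variable_words and example_ruleset are names invented for this example.

```sh
#!/bin/sh
# Added example, not part of the original post or its script: a dry-run mode
# for the ip4tbl/ip6tbl/iptbl wrappers that records the exact argument vector
# each iptables/ip6tables call would receive. IPT_DRYRUN, show_args, logrule,
# count_words, quoted_variable_words and example_ruleset are invented names.

# Dry run unless the caller explicitly sets IPT_DRYRUN to the empty string.
IPT_DRYRUN=${IPT_DRYRUN-1}

# Print the binary, then every argument in brackets, so stray quote characters
# or unexpected words produced by shell word splitting are visible instead of
# silently reaching iptables.
show_args()
{
	printf '%s' "$1"
	shift
	for arg in "$@"; do
		printf ' [%s]' "$arg"
	done
	printf '\n'
}

ip4tbl()
{
	if [ -n "${IPT_DRYRUN}" ]; then show_args iptables "$@"; else iptables "$@"; fi
}

ip6tbl()
{
	if [ -n "${IPT_DRYRUN}" ]; then show_args ip6tables "$@"; else ip6tables "$@"; fi
}

iptbl()
{
	ip4tbl "$@"
	ip6tbl "$@"
}

# Common LOG options as a function: "$@" is the real argument list, so the
# prefix survives as a single word, trailing space included.
logrule()
{
	"$@" -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7
}

# The pitfall the function avoids. Once a string variable is expanded, single
# quotes inside it are ordinary characters, so the string below splits into
# five words: --log-prefix, 'iptables:, a lone ', --log-level and 7. iptables
# rejects the lone quote as a bad argument and the rule is never installed.
count_words()
{
	echo $#
}

quoted_variable_words()
{
	LOGCOMMON="--log-prefix 'iptables: ' --log-level 7"
	count_words ${LOGCOMMON}
}

# A cut-down ruleset in the same shape as the post's script. In dry-run mode
# it returns the recorded command lines on stdout, one per table per rule.
example_ruleset()
{
	iptbl -P INPUT DROP
	iptbl -A INPUT -i lo -j ACCEPT
	iptbl -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	iptbl -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
	logrule iptbl -A INPUT -p tcp
	iptbl -A INPUT -j REJECT
}

example_ruleset
```

Save the block under any name and run it with `sh`; the output is the full list of iptables and ip6tables invocations, which can be kept in version control and diffed between revisions of the ruleset. Running it with `IPT_DRYRUN= sh file` makes the same functions call the real binaries, so the reviewed ruleset and the applied one are built from identical code.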
Posted 30 Mar 2012.