IP Tables Firewall

A simple firewall script I made a while back, to be used on Linux gateways and for general security: blocking IP addresses, marking interactive traffic, etc. Requires iptables (IPv4 only; it does not touch ip6tables).

How to use
Place the script anywhere and run it as root. Edit the script to add allowed/blocked traffic or to make other adjustments. By default the script blocks very little: it mostly sets up general security rules (loopback anti-spoofing, reverse-path filtering, SYN cookies) and marks traffic, and it leaves the default policies at ACCEPT, so anything not mentioned in the script is still reachable. It also opens the following services as examples:

MySQL, SSH, SMTP, WWW, POP, IMAP, IDENT.

To close any of them, change ACCEPT to DROP on that line in the script. To turn the list into an actual whitelist, change the INPUT policy at the end of the script from ACCEPT to DROP; the established/related rule keeps return traffic working, but do this from a console rather than over SSH the first time, and check the result with "iptables -S INPUT" afterwards.

Here is the code:
#!/bin/sh
# Abort on the first failing iptables call rather than continuing with a
# half-applied ruleset.
set -e

printf "Initiating firewall: "
IPC=/sbin/iptables
# External interface. Change this if yours is not eth0 (e.g. enp0s3, ens192).
IF=eth0
printf "OK.\n"

printf "Flushing current firewall rules: "
# Clear the filter table, then the mangle table: the TOS rules below are
# appended to mangle and would otherwise accumulate on every run.
$IPC -F
$IPC -X
$IPC -Z
$IPC -t mangle -F
$IPC -t mangle -X
printf "OK.\n"

printf "Establishing general security: "
#Allow all traffic on the loopback interface (lo)
$IPC -I INPUT -i lo -j ACCEPT
$IPC -I OUTPUT -o lo -j ACCEPT
#Drop packets with a loopback source that arrive on any other interface
#(spoofed). The "!" goes in front of the option; the old "-i ! lo" form
#is rejected by current iptables.
$IPC -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP

#The stateless shortcut of accepting every TCP packet without the SYN bit
#("it must belong to an established connection") is left disabled: it also
#waves through ACK scans and forged packets. Return traffic is accepted by
#the conntrack rule in the "established connections" section below.
#$IPC -A INPUT -p tcp ! --syn -i $IF -j ACCEPT

#Turn on source address verification in kernel (drops packets whose source
#address is not routable back through the interface they arrived on)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
fi

#Turn on syn cookies protection in kernel (mitigates SYN floods)
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
printf "OK.\n"

printf "Block/Allow services and IP addresses to access our network: "

# Blocking ping routed through us to one host: replace x.x.x.130 with the
# address to protect. 0.0.0.0/0 means any source (the original said /24,
# which matches almost nothing). FORWARD only sees traffic this box routes;
# use INPUT to protect the gateway itself.
#$IPC -A FORWARD -p icmp -i $IF -s 0.0.0.0/0 -d x.x.x.130 -j DROP

# Block IP's (example addresses) from being routed through us
# $IPC -A FORWARD -p tcp -i $IF -s 212.112.231.212 -j DROP
# $IPC -A FORWARD -p udp -i $IF -s 212.112.231.212 -j DROP
# $IPC -A FORWARD -p tcp -i $IF -s 212.125.203.0/24 -j DROP
# $IPC -A FORWARD -p udp -i $IF -s 212.125.203.0/24 -j DROP

#PortsRules
#With the default INPUT policy of ACCEPT (set at the end of the script) these
#rules only document what is open. Change ACCEPT to DROP to close a port.

#MySQL
$IPC -A INPUT -p tcp -i $IF --dport 3306 -j ACCEPT

#SSH
$IPC -A INPUT -p tcp -i $IF --dport 22 -j ACCEPT

#SMTP
$IPC -A INPUT -p tcp -i $IF --dport 25 -j ACCEPT

#WWW
$IPC -A INPUT -p tcp -i $IF --dport 80 -j ACCEPT

#POP
$IPC -A INPUT -p tcp -i $IF --dport 110 -j ACCEPT

#IMAP
$IPC -A INPUT -p tcp -i $IF --dport 143 -j ACCEPT

#IDENT (RFC 1413 is TCP only; the UDP rule this script used to add matched nothing)
$IPC -A INPUT -p tcp -i $IF --dport 113 -j ACCEPT
printf "OK.\n"

printf "Setting rules for traffic optimizing: "
#Set the IP TOS field on outgoing interactive traffic so routers that honour
#it queue it ahead of bulk transfers; FTP data (port 20) asks for throughput.
$IPC -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput

#Allow ICMP (all types, both directions; narrow this if you drop ping above)
$IPC -A INPUT -p icmp -i $IF -j ACCEPT
$IPC -A OUTPUT -p icmp -o $IF -j ACCEPT

#Open ports for established connections
#Accept replies to connections this host opened, plus related traffic such as
#FTP data channels and ICMP errors ("-m state --state" is the older spelling).
$IPC -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#The script used to follow this with a blanket ACCEPT for every TCP and UDP
#port from 1023 to 65535. That is not "established" traffic: it admits new
#connections to every unprivileged port and would reopen all of them the
#moment the INPUT policy is changed to DROP. Left disabled; conntrack above
#already covers replies.
#$IPC -A INPUT -p tcp -i $IF --dport 1023:65535 -j ACCEPT
#$IPC -A INPUT -p udp -i $IF --dport 1023:65535 -j ACCEPT
printf "OK.\n"

printf "Firewall rules have been set, now activating chains: "
#Permissive defaults: everything not matched above is accepted. To enforce
#the port list, change INPUT (and FORWARD, unless this box routes for others)
#to DROP. Do it here, after the rules exist, and from a console the first time.
$IPC -P OUTPUT ACCEPT
$IPC -P INPUT ACCEPT
$IPC -P FORWARD ACCEPT
printf "OK.\n"
Written by: Dag Jonny Nedrelid
©2007-2012 http://thronic.com
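As an added example (not code from the script above or from thronic.com), here is the same service list turned into a default-deny ruleset in iptables-restore format, so the whole filter table is replaced atomically and can be syntax-checked with "iptables-restore --test" before it goes live. It assumes eth0 as the external interface and uses a constructed SERVICES list; the SSH brute-force throttle via the "recent" match and the rate-limited drop logging are additions not present in the original.

```shell
#!/bin/sh
# Added example, not part of the original script. Emits a default-deny
# iptables-restore ruleset for the filter table; "apply" installs it.
# Assumptions: external interface eth0, constructed SERVICES list below.

IF="${IF:-eth0}"
# name:proto:port for each service to expose (constructed example; edit to taste).
SERVICES="mysql:tcp:3306 ssh:tcp:22 smtp:tcp:25 www:tcp:80 pop:tcp:110 imap:tcp:143 ident:tcp:113"

emit() { printf '%s\n' "$*"; }

# Print the complete filter-table ruleset to stdout.
gen_rules() {
    emit '*filter'
    # Default deny for inbound and routed traffic; outbound stays open.
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    # Loopback is trusted; a loopback source on any other interface is spoofed.
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP'
    # Stateful return traffic first (matches most packets, so it is cheapest
    # here); whatever conntrack cannot classify is dropped, not passed on.
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Rate-limited ping so monitoring keeps working without allowing floods.
    emit '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
    emit '-A INPUT -p icmp --icmp-type echo-request -j DROP'
    for svc in $SERVICES; do
        name=${svc%%:*}; rest=${svc#*:}; proto=${rest%%:*}; port=${rest#*:}
        emit "# $name"
        if [ "$name" = ssh ]; then
            # Brute-force throttle: a source opening its 5th new SSH connection
            # within 60 s is dropped until it quiets down. "--set" has no
            # target, so it records the address and falls through.
            emit "-A INPUT -i $IF -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name ssh --set"
            emit "-A INPUT -i $IF -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP"
        fi
        # Only NEW connections need an explicit rule; replies matched above.
        emit "-A INPUT -i $IF -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the DROP policy is about to discard, throttled against log floods.
    emit '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "'
    emit 'COMMIT'
}

# Install the ruleset atomically. Without root, or without iptables-restore,
# it only prints the ruleset, which doubles as the dry-run mode for review.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_rules | iptables-restore --test   # parse only; fails on any bad rule
        gen_rules | iptables-restore
    else
        gen_rules
    fi
}

# Usage: sh fw-restore.sh apply   (any other invocation prints the ruleset)
case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

iptables-restore replaces the whole filter table by default, so stale rules from an earlier run cannot accumulate (the mangle TOS rules from the original script are not touched, since that table is not in the output). Because the INPUT policy is DROP, run it from a console the first time and save the result with iptables-save once SSH is confirmed to work.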

