Installation
If iptables is not present on the system, install it with:
apt-get install iptables
Startup script
Create a new init script /etc/init.d/iptables:
#!/bin/bash
#
# /etc/init.d/iptables: load the firewall rules at boot, or show the current chains.
if [[ $1 == start || $1 == restart ]] ; then
    # Flush current settings and replace them with the default settings.
    sudo /opt/scripts/iptables_rules.sh
elif [[ $1 == status ]] ; then
    # Display the current chains
    sudo iptables --list
else
    # Important: "stop" is deliberately not implemented. It would flush all
    # settings and no remote connection would be possible any more!
    echo "Flush of iptables will not be executed. This is probably *not* what you want to do!"
    echo "Usage: service iptables {start|restart|status}"
    exit 1
    # If you are stubborn and really want to shut yourself
    # out of this server then you can execute the following command:
    # sudo iptables -F
fi
Create a script for the iptables rules in /opt/scripts/iptables_rules.sh:
#!/bin/bash
# Flush all chains of the filter table
iptables -F
# Set the default policy for each of the pre-defined chains: drop everything
# that is not explicitly accepted below, allow all outgoing traffic.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Accept everything on the loopback interface. Match on the interface, not on
# the source address 127.0.0.1: a source-address match would also accept
# packets arriving on eth0 with a forged 127.0.0.1 source.
iptables -A INPUT -i lo -j ACCEPT
# Accept packets that belong to a connection which is already established
# (placed first so established sessions don't traverse the per-port rules)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Default rule set: new incoming TCP connections on eth0
# SSH
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
# Web + SSL
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
# SMTP + POP3 + IMAP + IMAP4-SSL + IMAPS + SSL-POP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 585 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT
# Explicitly drop any other new TCP connection attempt (a SYN without ACK) on
# every ethernet interface. With the DROP policy above this is redundant, but harmless.
iptables -A INPUT -i eth+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
echo "New chains loaded"
Change the permissions of both scripts. Only root should be allowed to read and execute them:
chmod 700 /etc/init.d/iptables
chmod 700 /opt/scripts/iptables_rules.sh
Add the init script to the boot-up scripts (start late in the boot sequence, at number 98, stop at 02):
update-rc.d iptables defaults 98 02
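The rules script writes the firewall, but nothing above checks that the expected chain is actually in place after a reboot (for instance when the init script ran before the network interface existed, or when someone flushed the table by hand). The following audit script is an added example and not part of the original page: it reads rules in the one-line-per-rule format that `iptables -S INPUT` prints and checks the properties the rules script is meant to guarantee: a DROP policy, a loopback rule bound to the interface rather than to the 127.0.0.1 source address, a RELATED,ESTABLISHED rule, and an ACCEPT for every TCP port you list. It goes beyond the page in that the port list is a parameter rather than the fixed set above. The two embedded rulesets are constructed samples, and the file name audit_iptables.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the INPUT chain that the
# rules script is supposed to have loaded. Reads rules in the format printed by
# `iptables -S INPUT` (one rule per line), so after a reboot it can be run as:
#   iptables -S INPUT | sh audit_iptables.sh - 22 80 443
# The file name audit_iptables.sh and the sample rulesets below are constructed.

# Print the TCP ports that have an ACCEPT rule, ascending, space separated.
# $1: ruleset text
open_ports() {
    printf '%s\n' "$1" \
        | grep -- '-j ACCEPT' \
        | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Record one finding: print it and count it.
_fail() { echo "$1"; _problems=$((_problems + 1)); }

# Check the invariants the rules script relies on.
# $1: ruleset text; remaining arguments: TCP ports that must be accepted.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_input_chain() {
    _rules=$1; shift
    _problems=0
    case "$_rules" in
        *"-P INPUT DROP"*) ;;
        *) _fail "INPUT policy is not DROP: unmatched packets are accepted" ;;
    esac
    printf '%s\n' "$_rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' \
        || _fail "no rule accepting the loopback interface"
    # A rule that trusts the source address 127.0.0.1 without binding it to the
    # loopback interface also matches forged packets arriving on eth0.
    if printf '%s\n' "$_rules" | grep -- '-s 127.0.0.1' | grep -qv -- '-i lo'; then
        _fail "loopback rule matches on source address only; use -i lo"
    fi
    printf '%s\n' "$_rules" | grep -q -- 'RELATED,ESTABLISHED -j ACCEPT' \
        || _fail "no rule accepting established connections"
    for _port in "$@"; do
        printf '%s\n' "$_rules" | grep -q -- "--dport $_port -j ACCEPT" \
            || _fail "tcp port $_port is not accepted"
    done
    return "$_problems"
}

# Constructed sample: what `iptables -S INPUT` prints after the rules script ran
# (trimmed to three ports).
GOOD_RULESET='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP'

# Constructed sample of a weak ruleset: policy still ACCEPT, loopback trusted by
# source address only, SSH and HTTPS not opened.
WEAK_RULESET='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT'

demo() {
    echo "open ports in the good ruleset: $(open_ports "$GOOD_RULESET")"
    audit_input_chain "$GOOD_RULESET" 22 80 443 && echo "good ruleset: clean"
    audit_input_chain "$WEAK_RULESET" 22 80 443 || echo "weak ruleset: $? finding(s)"
}

if [ "${1:-}" = "-" ]; then
    shift
    audit_input_chain "$(cat)" "$@"   # exit status = number of findings
elif [ "$#" -eq 0 ]; then
    demo
fi
```

Because the exit status is the number of findings, the audit can be wired into a cron job or a monitoring check; a nonzero status after boot means the init script did not leave the host in the intended state.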