Introduction

The following shows a typical example of a Linux iptables firewall configuration: an include file with the rule-loading functions, and the init script that calls them.

iptables script (firewall.inc)


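#######################################
# Load a kernel module unless lsmod already lists it.
# Globals:   LSMOD, AWK, MODPROBE (read; command paths set by the caller)
# Arguments: $1 - module name
# Outputs:   none
# Returns:   1 if no name was given; otherwise modprobe's status, or 0 when
#            the module was already present
#######################################
load_one_module() {
  local name=$1
  local present
  [[ -n "$name" ]] || return 1
  # Compare the module name against lsmod's first column exactly. An
  # unanchored grep also matches the "Used by" column and any module whose
  # name merely contains $name, which makes a missing module look loaded.
  present=$($LSMOD | $AWK -v mod="$name" '$1 == mod { print $1; exit }')
  if [[ -z "$present" ]]; then
    $MODPROBE "$name"
  fi
}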

#============================================================================

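#######################################
# Load the netfilter kernel modules the rule set depends on.
# Globals:   MODULES (written; space-separated list, kept for any caller
#            that reads it after this function)
# Arguments: none
# Outputs:   none
# Returns:   status of the last load_one_module call
#######################################
load_modules() {
  # NOTE(review): ip_conntrack is the legacy name of the connection-tracking
  # module -- confirm it resolves on the target kernel, otherwise the
  # ESTABLISHED,RELATED rule in load_rules has nothing to match on.
  local -a modules=(ip_tables iptable_filter ip_conntrack)
  local mod
  MODULES="${modules[*]}"
  for mod in "${modules[@]}"; do
    load_one_module "$mod"
  done
}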

#============================================================================
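#######################################
# Install the default-deny filter rule set.
# Globals:   IPTABLES (command path), NIC (external interface) - read
# Arguments: none
# Outputs:   none
# Returns:   status of the last iptables call
#
# Changes from the earlier revision of this function:
# - The DROP policies are set before the chains are flushed, so the host
#   fails closed while the rules are rebuilt instead of accepting everything
#   through an empty chain.
# - The INPUT "client" rules that accepted any packet with --sport 22/53/80/
#   443/3306 are gone. Replies to connections this host opened are already
#   accepted by the ESTABLISHED,RELATED rule (conntrack tracks UDP too), and
#   a source-port match lets any remote host reach any local port simply by
#   sending from that port.
#######################################
load_rules() {
  #------------------------------
  # Load Kernel modules
  #------------------------------
  load_modules

  #------------------------------
  # Fail closed first, then flush
  #------------------------------
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  "$IPTABLES" -F INPUT
  "$IPTABLES" -F OUTPUT
  "$IPTABLES" -F FORWARD

  #------------------------------
  # Local loopback
  #------------------------------
  "$IPTABLES" -A INPUT  -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  #---------------------------------
  # Replies to connections this host initiated
  #---------------------------------
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  #---------------------------------
  # Allow all tcp out
  #---------------------------------
  "$IPTABLES" -A OUTPUT -o "$NIC" -p tcp -j ACCEPT

  #---------------------------------
  # ICMP
  #---------------------------------
  "$IPTABLES" -A INPUT  -p icmp -j ACCEPT
  "$IPTABLES" -A OUTPUT -p icmp -j ACCEPT

  #----------------------------------
  # DNS (tcp 53, udp 53)
  # Outgoing tcp queries are covered by the all-tcp-out rule above;
  # the --dport 53 INPUT rules are only needed if this host serves DNS.
  #----------------------------------
  "$IPTABLES" -A INPUT  -i "$NIC" -p tcp --dport 53 -j ACCEPT # server
  "$IPTABLES" -A INPUT  -i "$NIC" -p udp --dport 53 -j ACCEPT # server

  "$IPTABLES" -A OUTPUT -o "$NIC" -p udp --dport 53 -j ACCEPT # client
  "$IPTABLES" -A OUTPUT -o "$NIC" -p udp --sport 53 -j ACCEPT # server

  #----------------------------------
  # Inbound services: ssh (22), http (80), https (443), mysql (3306)
  # NOTE(review): 3306 is opened to every source on $NIC; unless the
  # database must be reachable from the Internet, restrict it with -s.
  #----------------------------------
  "$IPTABLES" -A INPUT -i "$NIC" -p tcp --dport 22   -j ACCEPT
  "$IPTABLES" -A INPUT -i "$NIC" -p tcp --dport 80   -j ACCEPT
  "$IPTABLES" -A INPUT -i "$NIC" -p tcp --dport 443  -j ACCEPT
  "$IPTABLES" -A INPUT -i "$NIC" -p tcp --dport 3306 -j ACCEPT
}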



#============================================================================
#######################################
# Remove every rule from the filter chains and set their policy to ACCEPT.
# Globals:   IPTABLES (read; command path)
# Arguments: none
# Outputs:   none
# Returns:   status of the last iptables call
# Note:      after this runs the host is completely unfiltered, i.e.
#            "stop" opens the firewall rather than closing it.
#######################################
clear_rules() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -F "$chain"
  done
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -P "$chain" ACCEPT
  done
}

Startup script

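#!/bin/bash

#-------------------------------------------------------------------------
# Name          : firewall
# Description   : Init script that loads or clears the iptables rule set.
# Usage         : firewall start|stop|restart
#
# Additional files :
# - firewall.inc : defines the load_rules, clear_rules ... functions
# - /etc/rc.status : provides rc_reset and rc_status
#-------------------------------------------------------------------------

#----------------------------------
# Set some variables
#----------------------------------
script=$0
service="firewall"
action=${1:-}          # empty when no argument was given -> usage below
INC_PATH="/etc"

#------------------------------
# Define a few variables
#------------------------------
NIC="eth0"
MYIP="MY IP ADDRESS HERE"   # placeholder; not referenced by the rules shown here

#------------------------------
# Define command path
#------------------------------
IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"
LSMOD="/sbin/lsmod"
GREP="/usr/bin/grep"
AWK="/usr/bin/awk"
HEAD="/usr/bin/head"

#----------------------------------
# Perform some checks
#----------------------------------
# firewall.inc is executed with this script's (root) privileges via
# 'source', so it must be present and should stay root-owned and not
# writable by anyone else.
inc_file="$INC_PATH/firewall.inc"
if [[ ! -r "$inc_file" ]]; then
  printf '%s: cannot read %s\n' "$service" "$inc_file" >&2
  exit 1
fi
if [[ ! -x "$IPTABLES" ]]; then
  printf '%s: %s is missing or not executable\n' "$service" "$IPTABLES" >&2
  exit 1
fi

#----------------------------------
# Load other files
#----------------------------------
source "$inc_file"
. /etc/rc.status

#----------------------------------
# Action switch
#----------------------------------
rc_reset
case "$action" in
  start)
    printf 'Starting %s' "$service"
    load_rules
    rc_status -v
    ;;
  stop)
    printf 'Stopping %s' "$service"
    clear_rules
    rc_status -v
    ;;
  restart)
    printf 'Restarting %s\n' "$service"
    "$script" stop
    "$script" start
    ;;
  *)
    printf 'usage : %s start|stop|restart\n' "$service" >&2
    exit 1
    ;;
esac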
