C3rd

My Standard Firewall in CentOS Web Server (iptables)

Posted: 28 Jan 2012, 23:05pm - Saturday
#!/bin/bash

IPTABLES="/sbin/iptables"

#REMOVE OLD FIREWALL
/sbin/iptables -F
#/sbin/iptables -X
#/sbin/iptables -t nat -F
#/sbin/iptables -t nat -X
#/sbin/iptables -t mangle -F
#/sbin/iptables -t mangle -X

#ENABLE SYN COOKIES
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#ALLOW LOCALHOST TO OUTSIDE WORLD UNLIMITED PORTS
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#ALLOW UDP, DNS AND PASSIVE FTP
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#ENABLE LOGGING OF SYN FLOOD
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit 10/s  --limit-burst 5 -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP"
$IPTABLES -A LSYNFLOOD -j DROP

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
$IPTABLES -N MACCEPT
$IPTABLES -N LMAILFLOOD
$IPTABLES -A MACCEPT -p tcp --syn -m limit --limit 10/s --limit-burst 3 -j ACCEPT
$IPTABLES -A MACCEPT -p tcp --syn -j LMAILFLOOD
$IPTABLES -A MACCEPT -p tcp ! --syn -j ACCEPT

#BASIC CHAIN RULE (PASSIVE FTP)
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 60000:64000 -j ACCEPT

#BASIC CHAIN
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 7680 -j ACCEPT #SSH
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT   #HTTP
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT  #HTTPS
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT   #FTP
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 993 -j ACCEPT   #SSL
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 587 -j ACCEPT   #GOOGLE SMTP
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 465 -j ACCEPT   #GOOGLE SMTP
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT   #DNS
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 110 -j ACCEPT #POP LOCALHOST ONLY
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 143 -j ACCEPT #IMAP LOCALHOST ONLY
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 3306 -j DROP #DROP ALL SQL
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 110 -j DROP #POP DROP ALL
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 143 -j DROP #IMAP DROP ALL

#DISABLE PING FLOOD
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP

#ALLOW ALL INBOUND MAILS
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT

#ALLOW OUTGOING MAILS FROM LOCALHOST ONLY
/sbin/iptables -A OUTPUT -p TCP -s ! 127.0.0.1 --dport 25 -j ACCEPT

#DROP ALL RELAY MAILS
/sbin/iptables -A OUTPUT -p TCP  -s ! 0/0 --dport 25 -j DROP

#DROP EVERYTHING
$IPTABLES -A INPUT -j DROP

exit 0
Download Firewall Bash Script: [download id="26"]
Back to list
My Standard Firewall in CentOS Web Server (iptables)

Categories
