My Standard Firewall in CentOS Web Server (iptables)
Posted: 28 Jan 2012, 23:05pm - Saturday
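#!/bin/bash
# Standard host firewall for a CentOS web/mail server (IPv4 only: ip6tables
# is not touched, so IPv6 traffic is unfiltered on an interface that has an
# IPv6 address).
#
# Ruleset overview (filter table, INPUT chain, first match wins):
#   - loopback traffic and ESTABLISHED/RELATED traffic on eth0 are accepted;
#   - a fixed list of service ports is accepted from anywhere, three ports
#     only from 127.0.0.1;
#   - ICMP echo-requests are rate limited;
#   - everything else is dropped by a final catch-all rule, NOT by the chain
#     policy (the policy is not set here, so "iptables -F" leaves the host
#     open until the script is run again).
#
# Must run as root. Re-running is safe: existing rules and user-defined
# chains are removed first, so the -N commands below do not fail.

IPTABLES="/sbin/iptables"

#REMOVE OLD FIREWALL
# -F empties every chain of the filter table; -X then deletes the (now empty)
# user-defined chains so that -N does not report "Chain already exists" on a
# re-run. The nat and mangle tables are deliberately left alone.
$IPTABLES -F
$IPTABLES -X
#$IPTABLES -t nat -F
#$IPTABLES -t nat -X
#$IPTABLES -t mangle -F
#$IPTABLES -t mangle -X

#ENABLE SYN COOKIES
# Kernel-level SYN-flood mitigation; this is the only SYN-flood protection
# that is actually in effect (see the note on TCPACCEPT below).
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#ALLOW LOCALHOST TO OUTSIDE WORLD UNLIMITED PORTS
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#ALLOW UDP, DNS AND PASSIVE FTP
# Replies to connections this host initiated (e.g. DNS answers) and
# conntrack-RELATED traffic. Only eth0 is matched: such replies arriving on
# any other interface fall through to the final DROP.
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#ENABLE LOGGING OF SYN FLOOD
# LSYNFLOOD: log at most 10 lines/s (burst 5), then drop unconditionally.
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit 10/s --limit-burst 5 -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP"
$IPTABLES -A LSYNFLOOD -j DROP

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
# NOTE(review): no rule in INPUT jumps to TCPACCEPT, so this chain is defined
# but never evaluated. As written it would also send EVERY SYN straight to
# LSYNFLOOD (there is no limit match before the jump), i.e. it would drop all
# new connections if it were wired in. Kept verbatim for that reason.
$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

#MACCEPT - rate-limited SYN acceptance (intended for the mail ports)
# NOTE(review): also never referenced from INPUT, and LMAILFLOOD is created
# without any rules, so a jump to it simply returns: SYNs over the limit are
# neither logged nor dropped by this chain.
$IPTABLES -N MACCEPT
$IPTABLES -N LMAILFLOOD
$IPTABLES -A MACCEPT -p tcp --syn -m limit --limit 10/s --limit-burst 3 -j ACCEPT
$IPTABLES -A MACCEPT -p tcp --syn -j LMAILFLOOD
$IPTABLES -A MACCEPT -p tcp ! --syn -j ACCEPT

#BASIC CHAIN RULE (PASSIVE FTP)
# Passive-mode FTP data ports; the FTP daemon must be configured to use
# this same range.
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 60000:64000 -j ACCEPT

#BASIC CHAIN
# Publicly reachable services. The trailing comment names the service.
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 7680 -j ACCEPT   #SSH (non-standard port)
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT     #HTTP
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT    #HTTPS
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT     #FTP (control)
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 993 -j ACCEPT    #SSL (IMAPS)
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 587 -j ACCEPT    #GOOGLE SMTP (submission)
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 465 -j ACCEPT    #GOOGLE SMTP (SMTPS)
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT     #DNS (TCP only; UDP answers are covered by ESTABLISHED)

# Local-only services. Packets from 127.0.0.1 normally arrive on lo and are
# already accepted by the "-i lo" rule above, so these three are redundant
# but state the intent explicitly.
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 110 -j ACCEPT    #POP LOCALHOST ONLY
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 143 -j ACCEPT    #IMAP LOCALHOST ONLY
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT   #MYSQL LOCALHOST ONLY
# Explicit drops for the same ports from anywhere else; the final catch-all
# DROP would reject them anyway.
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 3306 -j DROP   #DROP ALL SQL
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 110 -j DROP    #POP DROP ALL
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 143 -j DROP    #IMAP DROP ALL

#DISABLE PING FLOOD
# Answer at most one echo-request per second; the rest are dropped.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP

#ALLOW ALL INBOUND MAILS
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT

#ALLOW OUTGOING MAILS FROM LOCALHOST ONLY
# "! -s" is the extrapositioned negation; the original "-s ! addr" form is
# deprecated in iptables 1.4.x and rejected by newer releases.
# NOTE(review): this script never sets the OUTPUT policy, and these two
# rules do not restrict anything: the first accepts every source that is
# not 127.0.0.1 (outbound mail from this host carries its eth0 address, so
# it always matches), and the second negates 0/0 and can never match.
# Outbound SMTP is therefore unrestricted here; relay control belongs in
# the MTA configuration.
$IPTABLES -A OUTPUT -p TCP ! -s 127.0.0.1 --dport 25 -j ACCEPT
#DROP ALL RELAY MAILS
$IPTABLES -A OUTPUT -p TCP ! -s 0/0 --dport 25 -j DROP

#DROP EVERYTHING
# Catch-all: anything not accepted above is dropped. Because this is a rule
# rather than "-P INPUT DROP", flushing the table re-opens every port.
$IPTABLES -A INPUT -j DROP

exit 0
# Download Firewall Bash Script: [download id="26"]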