Iptables firewall script

There are plenty of good firewall scripts online. Some of them, however, are too strict for use on servers. I also highly recommend shorewall for more complex rules. This is my iptables implementation, which I am using on multiple Debian servers. The nice thing about it is that Nagios monitoring is supported by executing the status command (it might only work when the default policy is DROP).

/etc/init.d/iptables

#!/bin/bash
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $remote_fs $network $syslog $named
# Required-Stop:     $remote_fs $network $syslog $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Configure iptables firewall
### END INIT INFO

# Interface facing the internet: every filtering rule in firewall_start is
# bound to it.
declare EXTERNAL_IF=eth0
# Interface facing the LAN. Only referenced by a commented-out rule in
# firewall_start, so it is effectively unused at the moment.
# shellcheck disable=SC2034
declare INTERNAL_IF=eth1

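#######################################
# Apply kernel hardening sysctls and load the IPv4 INPUT rules.
# Globals:   EXTERNAL_IF (read) - interface facing the internet
# Arguments: none
# Outputs:   nothing on stdout; sysctl/iptables errors go to stderr
# Returns:   0 (individual write/iptables failures are not checked, so
#            run as root or the firewall silently stays unchanged)
# NOTE(review): IPv4 only — ip6tables is never configured here, so an
# IPv6-enabled host keeps whatever IPv6 policy it already had.
#######################################
function firewall_start
{
	# Drop ICMP echo-request messages sent to broadcast or multicast addresses
	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

	# Drop source routed packets
	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

	# Enable TCP SYN cookie protection from SYN floods
	echo 1 > /proc/sys/net/ipv4/tcp_syncookies

	# Don't accept ICMP redirect messages
	echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

	# Don't send ICMP redirect messages
	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

	# Enable source address spoofing protection
	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

	# Flush existing rules in the filter table (mangle/nat are left alone;
	# firewall_stop clears those)
	iptables -F

	# Default policies. INPUT stays ACCEPT, so the only protection is the
	# explicit per-interface DROP at the end of this function: traffic on any
	# interface other than $EXTERNAL_IF is accepted unfiltered. The 'status'
	# command in this script only reports OK when the policy itself is DROP.
	iptables -P INPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -P OUTPUT ACCEPT

	# Allow traffic from local and internal interface
	iptables -A INPUT -i lo -j ACCEPT
	#iptables -A INPUT -i "$INTERNAL_IF" -j ACCEPT

	# Allow established connections on external
	iptables -A INPUT -i "$EXTERNAL_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Allow ICMP ping requests
	iptables -A INPUT -i "$EXTERNAL_IF" -p icmp --icmp-type echo-request -j ACCEPT

	# SSH (--syn: only new connections; the rest rides on ESTABLISHED above)
	iptables -A INPUT -i "$EXTERNAL_IF" -p tcp --destination-port 22 --syn -j ACCEPT

	# HTTP
	iptables -A INPUT -i "$EXTERNAL_IF" -p tcp --destination-port 80 --syn -j ACCEPT
	iptables -A INPUT -i "$EXTERNAL_IF" -p tcp --destination-port 443 --syn -j ACCEPT

	# MySQL
	# NOTE(review): 3306 is accepted from any source on the external interface;
	# add '-s <client-network>' (placeholder) if MySQL is not meant to be public.
	iptables -A INPUT -i "$EXTERNAL_IF" -p tcp --destination-port 3306 --syn -j ACCEPT

	# DROP EVERYTHING ELSE on the external interface
	iptables -A INPUT -i "$EXTERNAL_IF" -j DROP
}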

#######################################
# Reset the firewall to accept everything: open the filter policies, then
# flush and delete every chain in the filter, mangle and nat tables.
# Globals:   none
# Arguments: none
# Returns:   0 (iptables failures are not checked)
#######################################
function firewall_stop
{
	local chain table

	# Open the policies first so nothing is dropped while chains are flushed
	for chain in INPUT FORWARD OUTPUT; do
		iptables -P "$chain" ACCEPT
	done

	# Flush the filter table, then flush and delete user chains in the other
	# tables, and finally delete the filter table's user chains
	iptables -F
	for table in mangle nat; do
		iptables -F -t "$table"
		iptables -X -t "$table"
	done
	iptables -X
}

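# Init-script dispatcher. Every action prints a one-line progress message;
# 'status' follows the Nagios plugin convention (exit 0 OK, 1 WARNING,
# 2 CRITICAL) and is the only action that can exit non-zero on its own.
case "$1" in
  start)
        printf '%s' "Starting firewall: "
        firewall_start
        echo "OK."
        ;;
  stop)
        printf '%s' "Stopping firewall: "
        firewall_stop
        echo "OK."
        ;;
  restart|force-reload)
        printf '%s' "Restarting firewall: "
        firewall_stop
        firewall_start
        echo "OK."
        ;;
  status)
        # Read the INPUT chain's default policy from its header line,
        # "Chain INPUT (policy XXX)". Listing only INPUT keeps a user chain
        # whose name merely starts with "INPUT" from matching as well, and
        # using awk directly avoids the unquoted comparison that broke when
        # iptables produced no output.
        # NOTE: OK is reported only when the policy itself is DROP; with the
        # ACCEPT policy set in firewall_start this reports CRITICAL even though
        # the per-interface DROP rule is loaded.
        input_state=$(iptables -n -L INPUT | awk 'NR == 1 { print $4 }')
        case "$input_state" in
          "ACCEPT)")
                echo "CRITICAL: Firewall is stopped"
                exit 2
                ;;
          "DROP)")
                echo "OK: Firewall is running"
                exit 0
                ;;
          *)
                # Empty or unexpected: iptables missing, not root, or output
                # format changed
                echo "WARNING: Unable to check firewall state"
                exit 1
                ;;
        esac
        ;;
  *)
        echo "Usage: /etc/init.d/iptables {start|stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0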
