This is my new basic firewall script. For updates, check my github: https://github.com/xdth
Screenshot
Code
#! /bin/bash
# ######################### qFirewall (qfw) 0.1 ########################
#
# This is a basic iptables firewall script.
#
# Usage:
# ./qfw {start|stop}
#
# Notes:
# 1. Comment or uncomment the firewall rules below according to your
# needs.
# 2. For convenience, add this script to your /usr/bin or alike with
# chmod +x permissions.
# 2. License: MIT
# 3. Author: dth at dthlabs dot com
# Site: https://dthlabs.com
# github: https://github.com/xdth
#
# Brussels, Jan 23, 2018
# note: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
# #######################################################################
# #######################################################################
# ## Rules function -- edit this according to your needs
function qfw_rules {
# Block everything
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo " > Block everything"
# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo " > Don't break established connections"
# Authorize loopback (127.0.0.1)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo " > Authorize Loopback"
# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo " > Authorize ICMP (ping)"
# SSH in/out
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 9000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 9000 -j ACCEPT
echo " > Authorize SSH"
# DNS in/out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo " > Authorize DNS"
# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo " > Authorize NTP outbound"
# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
echo " > Authorize http and https"
# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
# FTP In
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " > Authorize FTP"
# Mail SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
echo " > Authorize mail"
# OpenVZ Web Pannel
# iptables -t filter -A OUTPUT -p tcp --dport 3000 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 3000 -j ACCEPT
# echo " > Authorize OpenVZ panel"
# Allow WMs
# iptables -P FORWARD ACCEPT
# iptables -F FORWARD
# echo "WMs ok"
# echo " > Authorize WMs"
# Saltstack
# iptables -t filter -A OUTPUT -p tcp --dport 4505 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 4505 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 4506 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 4506 -j ACCEPT
# echo " > Authorize Saltstack"
# Block UDP attack
# iptables -A INPUT -m state --state INVALID -j DROP
# echo " > Block UDP attack"
}
# #######################################################################
# ## Other functions
function qfw_help {
echo "qFirewall usage: ./qfw {start|stop}"
exit 1
}
function qfw_seeya {
echo " > Thanks for using qFirewall (qfw) v1. Have a good day."
echo ""
echo ""
}
function qfw_separator {
echo ""
echo ""
echo "===================== qFirewall (qfw) v0.1 ====================="
echo ""
}
function qfw_reset {
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
}
function qfw_start {
qfw_separator
echo " > Starting qFirewall..."
qfw_clean
echo " > Loading the rules..."
qfw_rules
echo " > Rules loaded"
echo " > qFirewall started"
}
function qfw_clean {
echo " > Cleaning rules..."
qfw_reset
echo " > Rules cleaned"
}
function qfw_stop {
qfw_separator
echo " > Stopping qFirewall..."
qfw_clean
echo " > qFirewall stopped"
}
# #######################################################################
# ## Main
case "$1" in
start)
qfw_start
;;
stop)
qfw_stop
;;
*)
qfw_help
exit 1
;;
esac
qfw_seeya
exit 0
