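#!/bin/sh
# Configure iptables for a basic stateful firewall (IPv4 tables only; the
# ip6tables ruleset is not touched).
#
# Usage: run as root, no arguments. Two options are offered interactively:
#   1. reset iptables to the empty default configuration
#   2. build a stateful firewall (INPUT and FORWARD drop by default, OUTPUT
#      accepts), then optionally open SSH, HTTP, HTTPS and DNS through the
#      user-defined TCP/UDP chains.
#
# Files:
#   /etc/iptables/empty.rules    - ruleset loaded to clear the configuration
#   /etc/iptables/iptables.rules - where the resulting ruleset is saved
#
# The script is POSIX sh: `read -p` is a bash extension that fails under
# dash, so all prompts go through ask() below.
set -eu

readonly EMPTY_RULES=/etc/iptables/empty.rules
readonly SAVED_RULES=/etc/iptables/iptables.rules

# die MESSAGE...: print the message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ask PROMPT: show PROMPT and read one line of input into REPLY.
# EOF on stdin leaves REPLY empty instead of aborting the script.
ask() {
  printf '%s ' "$1"
  IFS= read -r REPLY || REPLY=
}

# yes_no PROMPT: ask PROMPT and return 0 only for an exact "y" answer; any
# other input, including an empty line, counts as "no".
yes_no() {
  ask "$1 (y/n)"
  [ "$REPLY" = "y" ]
}

# require_root: abort unless running as UID 0. The original exited with
# status 0 here, so callers could not tell a refusal from a success.
require_root() {
  [ "$(id -u)" -eq 0 ] || die "This script requires elevated privileges. Exiting..."
}

# clear_rules: replace the loaded ruleset with the empty one. An unreadable
# file is fatal: continuing would append new rules on top of the old ones.
clear_rules() {
  [ -r "$EMPTY_RULES" ] || die "Cannot read $EMPTY_RULES; iptables left unchanged."
  iptables-restore < "$EMPTY_RULES"
}

# save_rules: persist the currently loaded ruleset to SAVED_RULES.
save_rules() {
  iptables-save -f "$SAVED_RULES"
}

# print_custom_rules_help INTRO: print INTRO, then how to add rules by hand.
print_custom_rules_help() {
  echo
  printf '%s\n' "$1"
  echo "Example: iptables -A <TCP/UDP> -p <PROTOCOL> [OPTIONS] -j <TARGET>"
  echo "For more information see: man iptables and iptables -h."
  echo "When you have reached your desired configuration save it using:"
  echo "iptables-save -f $SAVED_RULES"
  echo "To clear all iptables configurations use: iptables-restore < $EMPTY_RULES"
}

# configure_base_firewall: build the stateful ruleset. Expects the tables to
# be empty (see clear_rules); otherwise `iptables -N TCP` fails under set -e.
configure_base_firewall() {
  echo "Starting basic stateful firewall configuration..."
  echo "Creating user-defined chains for TCP and UDP..."
  iptables -N TCP
  iptables -N UDP
  echo
  echo "Setting policies for default chains..."
  echo "FORWARD chain policy: DROP all forwarding traffic"
  iptables -P FORWARD DROP
  echo "OUTPUT chain policy: allow all outbound traffic"
  iptables -P OUTPUT ACCEPT
  echo "INPUT chain policy: DROP all inbound traffic"
  iptables -P INPUT DROP
  echo
  echo "Appending additional rules to INPUT..."
  echo "INPUT chain rule: allow traffic from RELATED and ESTABLISHED connections"
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  echo "INPUT chain rule: allow loopback traffic"
  iptables -A INPUT -i lo -j ACCEPT
  echo "INPUT chain rule: drop all traffic with an invalid state"
  # IP protocol 41 is IPv6-in-IPv4 encapsulation. The original kept this
  # rule ahead of the INVALID drop so that ICMPv6 neighbour discovery, which
  # conntrack leaves untracked and marks INVALID, is not discarded. It
  # accepts all such encapsulated traffic from any source, so review whether
  # it is needed on a host that does not carry IPv6 over an IPv4 tunnel.
  iptables -A INPUT -p 41 -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  echo "INPUT chain rule: allow new ICMP echo requests"
  iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  echo "Attaching user created TCP and UDP to INPUT chain..."
  # Only NEW connections reach the user chains, and for TCP only SYN packets
  # do; anything else falls through to the REJECT rules below.
  iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
  echo "Adding rules for rejecting incoming traffic..."
  # Reject TCP connections with TCP RESET
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  # Reject UDP streams with ICMP port unreachable
  iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  # Reject all other incoming traffic with ICMP protocol unreachable
  iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
}

# add_service_rules: interactively open common services in the TCP/UDP chains.
add_service_rules() {
  if yes_no "Allow SSH connections on port 22?"; then
    iptables -A TCP -p tcp --dport 22 -j ACCEPT
  fi
  if yes_no "Allow HTTP connections (TCP port 80)?"; then
    iptables -A TCP -p tcp --dport 80 -j ACCEPT
  fi
  if yes_no "Allow HTTPS connections (TCP port 443)?"; then
    iptables -A TCP -p tcp --dport 443 -j ACCEPT
  fi
  if yes_no "Allow TCP/UDP requests for a DNS server (port 53)?"; then
    iptables -A TCP -p tcp --dport 53 -j ACCEPT
    # The original appended the TCP rule twice and never opened UDP, so UDP
    # queries to the DNS server were still rejected.
    iptables -A UDP -p udp --dport 53 -j ACCEPT
  fi
}

main() {
  require_root
  echo "Current iptables configuration is:"
  iptables -nvL
  echo
  echo "Select option:"
  echo "1. Reset iptables to empty default configuration"
  echo "2. Configure iptables for basic stateful firewall"
  echo
  ask "Choose option. (1/2)"
  # Anything other than 1 or 2 is refused. The original tested
  # `[ $choice -eq 1 ]` unquoted, so an empty or non-numeric answer was a
  # test(1) error that fell through into the full reconfiguration.
  case "$REPLY" in
    1)
      echo "Clearing iptables configuration..."
      clear_rules
      exit 0
      ;;
    2) ;;
    *) die "Unknown option '$REPLY'. Exiting..." ;;
  esac
  # Require the user to clear the previous configuration first
  echo "Clearing previous iptables configuration..."
  clear_rules
  echo
  configure_base_firewall
  echo "Saving base configuration for stateful firewall..."
  save_rules
  echo
  if ! yes_no "Add basic TCP/UDP rules?"; then
    print_custom_rules_help "Configure custom TCP/UDP rules using iptables."
    exit 0
  fi
  add_service_rules
  echo "Saving current rules..."
  save_rules
  print_custom_rules_help "Configure other custom TCP/UDP rules using iptables."
}

main "$@"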