Iptables script

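#!/usr/bin/env bash
# Host firewall for the filter table: flush everything, accept loopback,
# established/related traffic, ICMP and a fixed set of service ports, and
# send all other inbound traffic through a LOGDROP chain that logs it.
#
# NOTE(review): the DROP rule in LOGDROP is commented out below, so this
# script only *logs* unmatched traffic; what happens to those packets is
# decided by the INPUT chain's existing default policy, which this script
# does not set. Enable the DROP rule (and consider an explicit
# `-P INPUT DROP`) once the logged traffic has been reviewed.
set -eu

readonly IPT=/sbin/iptables

# Flush all chains, then delete the (now empty) user-defined chains so a
# re-run does not fail on "-N LOGDROP: Chain already exists" and does not
# leave stale rules behind.
"$IPT" -F
"$IPT" -X

# trust loopback connections
"$IPT" -A INPUT -i lo -j ACCEPT

# trust established connections
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow icmp (all types)
"$IPT" -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

## ssh
"$IPT" -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

## snmp
"$IPT" -A INPUT -p udp -m udp --dport 161 -j ACCEPT

## nrpe
"$IPT" -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT

## puppet
"$IPT" -A INPUT -p tcp -m tcp --dport 8139 -j ACCEPT

## mail
"$IPT" -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
"$IPT" -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT

## RSD - only from the two listed source networks
"$IPT" -A INPUT -p tcp -m tcp -s 64.235.144.0/23 --dport 5000 -j ACCEPT
"$IPT" -A INPUT -p tcp -m tcp -s 10.128.36.0/23 --dport 5000 -j ACCEPT

# LOGDROP: log unmatched traffic (rate-limited) and, once enabled, drop it.
"$IPT" -N LOGDROP

# Rate-limit the LOG rule itself rather than the jump into the chain, so
# every unmatched packet still reaches LOGDROP (and the DROP rule once it
# is enabled); only the log volume is capped at 5 entries per minute.
"$IPT" -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "

#"$IPT" -A LOGDROP -j DROP

## everything not matched above - send to LOGDROP chain
"$IPT" -A INPUT -j LOGDROP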