- Initial set of firewall rules for a NAT vps
vi start.fw4
#!/bin/bash
LOGLIMIT="5/m"
LOGLIMITBURST="10"
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#change port 33322 to configured SSH port
iptables -A INPUT -p tcp --dport 33322 -j ACCEPT
#open UDP 123 for NTP
iptables -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
#for openvpn and pptp access
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to rem.ot.e.ip
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
#block others
iptables -N LOGDROP
iptables -A INPUT -j LOGDROP
iptables -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "TCP LOGDROP: "
iptables -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "UDP LOGDROP: "
iptables -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "ICMP LOGDROP: "
iptables -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "FRAGMENT LOGDROP: "
iptables -A LOGDROP -j DROP
chmod +x start.fw4
./start.fw4
- To list rules,
# iptables -L
To list masquerade and NAT rules,
# iptables -t nat -L
vi start.fw4
#!/bin/bash
LOGLIMIT="5/m"
LOGLIMITBURST="10"
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#change port 33322 to configured SSH port
iptables -A INPUT -p tcp --dport 33322 -j ACCEPT
#open UDP 123 for NTP
iptables -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
#for openvpn and pptp access
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to rem.ot.e.ip
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
#block others
iptables -N LOGDROP
iptables -A INPUT -j LOGDROP
iptables -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "TCP LOGDROP: "
iptables -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "UDP LOGDROP: "
iptables -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "ICMP LOGDROP: "
iptables -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "FRAGMENT LOGDROP: "
iptables -A LOGDROP -j DROP
chmod +x start.fw4
./start.fw4
- To list rules,
# iptables -L
To list masquerade and NAT rules,
# iptables -t nat -L
No comments:
Post a Comment