I have used a lot of different firewall scripts over the years, and I
have fallen in love with the following script written by Tero Karvinen. It
is a simple iptables firewall script and it is easy to maintain. Not
a lot of variables, and totally customizable. Why would I want anything
else? Below is my mail server's iptables firewall configuration with
a state hitcount to slow down potential spammers. I have it set for a
mail server that accepts 16 messages a second. That is 1.3 million
emails a day. So the iptables firewall script works. Here is how to
install it.
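The hitcount rule pair in the script (-m recent --update --seconds 600 --hitcount 45 -j DROP, followed by --set) is easier to reason about with a small offline model. The following shell script is an added example, not part of the original post or of Tero Karvinen's script: it replays a constructed list of NEW SMTP connections (unix time and source address per line; the addresses are made up) through the same decision xt_recent makes for each packet: count this source's recorded stamps that fall inside the --seconds window, DROP if there are at least --hitcount of them, and then record the packet (--update records on a match, --set records the rest). It assumes the module's per-address stamp buffer (ip_pkt_list_tot) is large enough to hold the window, and it never touches iptables.

```shell
#!/bin/sh
# Offline model of the script's xt_recent limit. Constructed example, not
# from the original post. Input lines: "<unix_time> <source_ip>", one per
# NEW connection to port 25; output: "<time> <ip> ACCEPT|DROP".
recent_sim() {
    seconds="$1"; hitcount="$2"
    awk -v S="$seconds" -v H="$hitcount" '
    {
        t = $1; ip = $2
        n = cnt[ip] + 0
        # --update --seconds S --hitcount H: count stamps still inside the window
        hits = 0
        for (i = 1; i <= n; i++)
            if (t - stamps[ip, i] <= S) hits++
        verdict = (hits >= H) ? "DROP" : "ACCEPT"
        # a DROP (matched --update) and an ACCEPT (--set) both record a stamp,
        # so a source that keeps hammering stays blocked
        cnt[ip] = ++n
        stamps[ip, n] = t
        print t, ip, verdict
    }'
}

# Constructed sample: 203.0.113.5 opens 50 connections in 100 seconds,
# 198.51.100.7 opens 3. With the script's 600 s / 45 settings the 46th
# connection of the first source is the first one dropped.
sample_input() {
    i=0
    while [ "$i" -lt 50 ]; do
        echo "$((1000 + i * 2)) 203.0.113.5"
        i=$((i + 1))
    done
    echo "1001 198.51.100.7"
    echo "1003 198.51.100.7"
    echo "1005 198.51.100.7"
}

# Number of connections the sample burst loses under the script's settings.
count_drops() {
    sample_input | recent_sim 600 45 | grep -c DROP
}

echo "connections dropped: $(count_drops)"
```

Feed it real timestamps (for example parsed from a mail log) to see how a given burst would fare under other --seconds/--hitcount values before you change the rule on the server.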
1.) Copy the following lines.
——————————————————————
#!/bin/sh
# Cleanup old rules
# All the time firewall is in a secure, closed state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush # Flush all rules, but keep policies
iptables --delete-chain
## Workstation Minimal firewall ###
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
####### HOLES ####### Edit holes below, then run this script again
# munin
iptables -A INPUT -p TCP -s 192.168.1.16/32 --destination-port 4949 -j ACCEPT
# mysql
iptables -A INPUT -p TCP -s 192.168.1.0/24 --destination-port 3306 -j ACCEPT
# nagios
iptables -A INPUT -p TCP -s 192.168.1.16/32 --destination-port 5666 -j ACCEPT
# sshd
iptables -A INPUT -p TCP -s 192.168.1.0/24 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -s 10.0.0.0/24 --destination-port 22 -j ACCEPT
# smtp
iptables -A INPUT -p TCP --dport 25 -j ACCEPT
# Rate limit new SMTP connections per source address. -I puts these two
# rules at the top of INPUT, so the --update/DROP check runs before the
# --set that records the hit.
# Note: the recent module remembers ip_pkt_list_tot packets per address
# (default 20) and refuses a --hitcount above that when the rule is loaded;
# raise it first, e.g. "modprobe xt_recent ip_pkt_list_tot=50"
# (ipt_recent on older kernels), or lower the hitcount.
iptables -I INPUT -p TCP --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p TCP --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 45 -j DROP
# pop
iptables -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# imap
iptables -A INPUT -p TCP -s 0/0 --destination-port 143 -j ACCEPT
# 587
iptables -A INPUT -p TCP -s 0/0 --destination-port 587 -j ACCEPT
##################### Edit above
# iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP
# Save
# iptables-save > /etc/sysconfig/iptables
echo ": Done."
————————————————————————
2.) Open /etc/init.d/firewall.sh with your favorite editor.
$ sudo vi /etc/init.d/firewall.sh
3.) Paste the script into your editor, and edit the ports to your liking. Make sure you are in insert mode in vi before you paste.
4.) Change the permissions so the file is executable.
$ sudo chmod 744 /etc/init.d/firewall.sh
5.) Run the script.
$ sudo /etc/init.d/firewall.sh
6.) Add the script to start-up.
$ sudo update-rc.d firewall.sh defaults
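A typo in a HOLES line (a malformed address such as 192.168.1.0.0/24) makes iptables reject that one rule while the script carries on; because the INPUT policy is DROP the effect is fail-closed, that service is simply blocked rather than exposed, but the only hint is one error line scrolling past. The following is an added lint script, not part of the original post or of Tero Karvinen's script: it reads a firewall script and checks that every -s/--source value is a well-formed IPv4 address or CIDR before you run it. The sample rules embedded in it are constructed for the demonstration and include one bad address on purpose.

```shell
#!/bin/sh
# Lint for the "HOLES" section of an iptables script. Added example, not
# part of the original script. Usage: sh lint_sources.sh /etc/init.d/firewall.sh
# (with no argument it checks the constructed sample below).

# valid_cidr ADDR[/PREFIX]: returns 0 if ADDR is a dotted-quad IPv4 address
# (or the "0" shorthand iptables accepts) and PREFIX, if present, is 0-32.
valid_cidr() {
    addr="${1%/*}"
    if [ "$addr" = "$1" ]; then prefix=32; else prefix="${1#*/}"; fi
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    [ "$addr" = "0" ] && return 0
    old_ifs="$IFS"; IFS=.
    set -- $addr            # split on dots into the function's positional parameters
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# lint_sources: reads a script on stdin, reports every bad -s/--source value
# on stderr and prints the number of bad addresses on stdout (0 = clean).
lint_sources() {
    bad=0
    while IFS= read -r line; do
        for src in $(printf '%s\n' "$line" | awk '{ for (i = 1; i < NF; i++) if ($i == "-s" || $i == "--source") print $(i + 1) }'); do
            if ! valid_cidr "$src"; then
                echo "bad source address: $src" >&2
                bad=$((bad + 1))
            fi
        done
    done
    echo "$bad"
}

# Constructed sample rules, including the 192.168.1.0.0/24 typo.
sample_rules() {
    cat <<'EOF'
# mysql
iptables -A INPUT -p TCP -s 192.168.1.0.0/24 --destination-port 3306 -j ACCEPT
# sshd
iptables -A INPUT -p TCP -s 192.168.1.0/24 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -s 10.0.0.0/24 --destination-port 22 -j ACCEPT
# pop
iptables -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
EOF
}

# Number of bad addresses in the sample (expected: 1).
count_bad() {
    sample_rules | lint_sources 2>/dev/null
}

if [ $# -ge 1 ]; then
    lint_sources < "$1"
else
    sample_rules | lint_sources
fi
```

Run it against /etc/init.d/firewall.sh after every edit of the HOLES section and only reload the firewall when it prints 0.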
Please let me know if you have any questions about this really easy and nice Ubuntu iptables firewall script. Like I said, I have tried a bunch and this is the best iptables firewall script I have found.