Linux Iptables Firewall Shell Script For Standalone Server

#!/bin/bash

# A Linux Shell Script with common rules for IPTABLES Firewall.

# By default this script only open port 80, 22, 53 (input)

# All outgoing traffic is allowed (default – output)

# ————————————————————————-

# Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>

# This script is licensed under GNU GPL version 2.0 or above

# ————————————————————————-

# This script is part of nixCraft shell script collection (NSSC)

# Visit http://bash.cyberciti.biz/ for more information.

# ————————————————————————-

 

IPT=”/sbin/iptables”

SPAMLIST=”blockedip”

SPAMDROPMSG=”BLOCKED IP DROP”

 

echo “Starting IPv4 Wall…”

$IPT -F

$IPT -X

$IPT -t nat -F

$IPT -t nat -X

$IPT -t mangle -F

$IPT -t mangle -X

modprobe ip_conntrack

 

[ -f /root/scripts/blocked.ips.txt ] && BADIPS=$(egrep -v -E “^#|^$” /root/scripts/blocked.ips.txt)

 

PUB_IF=”eth0″

 

#unlimited

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A OUTPUT -o lo -j ACCEPT

 

# DROP all incomming traffic

$IPT -P INPUT DROP

$IPT -P OUTPUT DROP

$IPT -P FORWARD DROP

 

if [ -f /root/scripts/blocked.ips.txt ];

then

# create a new iptables list

$IPT -N $SPAMLIST

 

for ipblock in $BADIPS

do

$IPT -A $SPAMLIST -s $ipblock -j LOG –log-prefix “$SPAMDROPMSG”

$IPT -A $SPAMLIST -s $ipblock -j DROP

done

 

$IPT -I INPUT -j $SPAMLIST

$IPT -I OUTPUT -j $SPAMLIST

$IPT -I FORWARD -j $SPAMLIST

fi

 

# Block sync

$IPT -A INPUT -i ${PUB_IF} -p tcp ! –syn -m state –state NEW -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “Drop Sync”

$IPT -A INPUT -i ${PUB_IF} -p tcp ! –syn -m state –state NEW -j DROP

 

# Block Fragments

$IPT -A INPUT -i ${PUB_IF} -f -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “Fragments Packets”

$IPT -A INPUT -i ${PUB_IF} -f -j DROP

 

# Block bad stuff

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL FIN,URG,PSH -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL ALL -j DROP

 

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL NONE -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “NULL Packets”

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL NONE -j DROP # NULL packets

 

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags SYN,RST SYN,RST -j DROP

 

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags SYN,FIN SYN,FIN -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “XMAS Packets”

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

 

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags FIN,ACK FIN -m limit –limit 5/m –limit-burst 7 -j LOG –log-level 4 –log-prefix “Fin Packets Scan”

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

 

$IPT -A INPUT -i ${PUB_IF} -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

 

# Allow full outgoing connection but no incomming stuff

$IPT -A INPUT -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -o eth0 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

 

# Allow ssh

$IPT -A INPUT -p tcp –destination-port 22 -j ACCEPT

 

# allow incomming ICMP ping pong stuff

$IPT -A INPUT -p icmp –icmp-type 8 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -p icmp –icmp-type 0 -m state –state ESTABLISHED,RELATED -j ACCEPT

 

# Allow port 53 tcp/udp (DNS Server)

$IPT -A INPUT -p udp –dport 53 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -p udp –sport 53 -m state –state ESTABLISHED,RELATED -j ACCEPT

 

$IPT -A INPUT -p tcp –destination-port 53 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -p tcp –sport 53 -m state –state ESTABLISHED,RELATED -j ACCEPT

 

# Open port 80

$IPT -A INPUT -p tcp –destination-port 80 -j ACCEPT

##### Add your rules below ######

 

##### END your rules ############

 

# Do not log smb/windows sharing packets – too much logging

$IPT -A INPUT -p tcp -i eth0 –dport 137:139 -j REJECT

$IPT -A INPUT -p udp -i eth0 –dport 137:139 -j REJECT

 

# log everything else and drop

$IPT -A INPUT -j LOG

$IPT -A FORWARD -j LOG

$IPT -A INPUT -j DROP

exit 0

———————————————————

How do I install and use this script?

Type the following command as root server:

# mkdir /root/scripts

# cd /root/scripts

# wget http://bash.cyberciti.biz/dl/381.sh.zip

# wget http://bash.cyberciti.biz/dl/151.sh.zip

# unzip 381.sh.zip

# unzip 151.sh.zip

# mv 381.sh start.fw

# mv 151.sh stop.fw

# chmod +x *.fw

Now edit firewall as per your requirements:
# vi /root/scripts/start.fw
Install firewall:
# echo '/root/scripts/start.fw' >> /etc/rc.local

How do I start firewall from a shell prompt?

# /root/scripts/start.fw

How do I stop firewall from a shell prompt?

# /root/scripts/stop.fw