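#!/usr/bin/env bash
#
# firewall.sh — iptables (IPv4) host-firewall template that accompanies the
# blog post "Building a Professional Firewall Using Linux and Iptables".
#
# Usage:   sudo ./firewall.sh        (iptables needs root / CAP_NET_ADMIN)
#
# What it does: sets fail-closed chain policies, resets the filter table,
# allows loopback and established traffic, then accepts SSH on an alternate
# port (2222), HTTP (80) and two ICMP types (echo-request, time-exceeded)
# addressed to this host, and logs + drops everything else.  Accepted and
# dropped packets are logged at debug level (--log-level 7).
#
# Only IPv4 is configured: ip6tables is not touched, so IPv6 traffic keeps
# whatever policy the host already has.

set -euo pipefail

# This host's public IPv4 address.  The value below is a PLACEHOLDER (octets
# above 255 are not a valid address); main() refuses to run until it has been
# replaced, so a forgotten edit fails before any rule is touched.
DEMOSTHENES=123.456.789.012

readonly IPTABLES=/sbin/iptables

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'firewall.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# Check that $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Arguments: $1 - candidate address
# Returns:   0 when valid, 1 otherwise
#######################################
valid_ipv4() {
  local ip=$1 octet
  [[ "$ip" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so a leading zero ("08") is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Apply the ruleset.  Every iptables call runs under set -e, so a rule that
# fails to load aborts the script instead of leaving a silently partial
# ruleset; because the INPUT policy is DROP by then, that abort is fail-closed.
# Globals:   DEMOSTHENES (read), IPTABLES (read)
#######################################
main() {
  valid_ipv4 "$DEMOSTHENES" \
    || die "DEMOSTHENES='$DEMOSTHENES' is not a valid IPv4 address; edit the script"
  [[ -x "$IPTABLES" ]] || die "$IPTABLES not found or not executable"

  #############################
  # SETUP
  #############################

  # Policies first, so the window between the flush below and the rules being
  # re-added is closed rather than open (existing sessions recover via TCP
  # retransmission once the ESTABLISHED rule is back).
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP    # this host does not route
  "$IPTABLES" -P OUTPUT ACCEPT   # outgoing traffic is unrestricted

  # Clear all rules and any user-defined chains in the filter table
  "$IPTABLES" -F
  "$IPTABLES" -X

  # Allow replies to connections this host initiated
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow localhost traffic
  "$IPTABLES" -A INPUT -i lo -j ACCEPT

  #############################
  # MANAGEMENT RULES
  #############################

  # Allow SSH (alternate port).  The LOG rule carries the same -d match as the
  # ACCEPT rule, so "Accept" is only logged for packets that are accepted.
  "$IPTABLES" -A INPUT -p tcp -d "$DEMOSTHENES" --dport 2222 -j LOG --log-level 7 --log-prefix "Accept 2222 alt-ssh"
  "$IPTABLES" -A INPUT -p tcp -d "$DEMOSTHENES" --dport 2222 -j ACCEPT

  #############################
  # ACCESS RULES
  #############################

  # Allow web server
  "$IPTABLES" -A INPUT -p tcp -d "$DEMOSTHENES" --dport 80 -j LOG --log-level 7 --log-prefix "Accept 80 HTTP"
  "$IPTABLES" -A INPUT -p tcp -d "$DEMOSTHENES" --dport 80 -j ACCEPT

  # Allow two types of ICMP: echo-request (8/0) and time-exceeded (11/0).
  # The time-exceeded LOG rule matches 11/0 like its ACCEPT rule does.
  "$IPTABLES" -A INPUT -p icmp -d "$DEMOSTHENES" --icmp-type 8/0 -j LOG --log-level 7 --log-prefix "Accept Ping"
  "$IPTABLES" -A INPUT -p icmp -d "$DEMOSTHENES" --icmp-type 8/0 -j ACCEPT
  "$IPTABLES" -A INPUT -p icmp -d "$DEMOSTHENES" --icmp-type 11/0 -j LOG --log-level 7 --log-prefix "Accept Time Exceeded"
  "$IPTABLES" -A INPUT -p icmp -d "$DEMOSTHENES" --icmp-type 11/0 -j ACCEPT

  #############################
  # DEFAULT DENY
  #############################

  # Rate-limit the deny log so a port scan cannot flood the kernel log; the
  # explicit DROP rule and the INPUT policy above both catch what is left.
  "$IPTABLES" -A INPUT -d "$DEMOSTHENES" -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 7 --log-prefix "Default Deny"
  "$IPTABLES" -A INPUT -j DROP
}

main "$@"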