#!/bin/bash
### BEGIN INIT INFO
# Provides: iptables_firewall
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: iptables firewall initialisation
# Description: Initializes rules for iptables
### END INIT INFO
IPTABLES="/sbin/iptables"
case "$1" in
start)
echo "Initializing firewall..."
# Logging options.
#------------------------------------------------------------------------------
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"
# Defaults for rate limiting
#------------------------------------------------------------------------------
RLIMIT="-m limit --limit 3/s --limit-burst 30"
# Default policies.
#------------------------------------------------------------------------------
# Drop everything by default.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Set the nat/mangle/raw tables' chains to ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
# Cleanup.
#------------------------------------------------------------------------------
# Delete all
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# Delete all
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
# Zero all packets and counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
# Custom user-defined chains.
#------------------------------------------------------------------------------
# LOG packets, then ACCEPT.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "FW-ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT
# LOG packets, then DROP.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "FW-DROP "
$IPTABLES -A DROPLOG -j DROP
# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "FW-REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT
# Only allows RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG
# Make It Even Harder To Multi-PING
$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#------------------------------------------------------------------------------
# Allow all ESTABLISHED ICMP traffic.
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
# Allow some parts of the RELATED ICMP traffic, block the rest.
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
# Allow outgoing ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------
# Allow loopback interface to do anything.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections EXCEPT invalid
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Miscellaneous.
#------------------------------------------------------------------------------
# Explicitly drop invalid incoming traffic
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# Drop invalid outgoing traffic, too.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
# If we would use NAT, INVALID packets would pass - BLOCK them anyways
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
# Erlaube bestimmte ausgehende Anfragen (OUTPUT), blocke den Rest
#------------------------------------------------------------------------------
# DNS OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
# HTTP OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# HTTPS OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# SMTP OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
# SMTPS OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
# Erlaube ausgehende "submission" (RFC 2476) Anfragen.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
# POP3S OUTPUT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
# IMAP OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
# IMAPS OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 993 -j ACCEPT
# SSH OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# FTP OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
# SMB OUTPUT
#$IPTABLES -A OUTPUT -p udp -m multiport --destination-port 137,138 -d 192.168.1.0/24 -j ACCEPTLOG
#$IPTABLES -A OUTPUT -p tcp -m multiport --destination-port 139,445 -d 192.168.1.0/24 -j ACCEPTLOG
# NFS OUTPUT
#$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 2049 -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 32764:32769 -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 32764:32769 -j ACCEPT
# NTP OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
# WHOIS OUTPUT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 43 -j ACCEPT
# CVS OUTPUT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
# MySQL OUTPUT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
# rsync OUTPUT
$IPTABLES -A OUTPUT -p tcp --dport 873 -m state --state NEW -d 192.168.1.0/24 -j ACCEPT
# SVN OUTPUT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT
# Mumble OUTPUT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 64738 -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 64738 -j ACCEPT
# Erlaube bestimmte eingehende Anfragen (INPUT), blocke den Rest
#------------------------------------------------------------------------------
# DNS INPUT
#$IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
# HTTP INPUT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# HTTPS INPUT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# Webmin, INPUT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 10000 -j ACCEPT
# POP3 INPUT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
# IMAP4 INPUT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
# POP3S INPUT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
# SMTP INPUT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
# SSH INPUT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# FTP INPUT
#modprobe ip_conntrack_ftp
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
# FTPS INPUT (ebenfalls FTP erlauben)
# Port-Range ist konfigurationsabhaengig (s. /etc/proftpd/proftpd.conf, PassivePorts)
#$IPTABLES -A INPUT -p tcp --sport 1024: --dport 52500:52510 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --sport 52500:52510 --dport 1024: -m state --state NEW -j ACCEPT
# SMB INPUT
#$IPTABLES -A INPUT -p udp -m multiport --destination-port 137,138 -s 192.168.1.0/24 -j ACCEPTLOG
#$IPTABLES -A INPUT -p tcp -m multiport --destination-port 139,445 -s 192.168.1.0/24 -j ACCEPTLOG
# NFS INPUT
# Achtung: Erfordert Rekonfiguration der Dienste (s. https://wiki.debian.org/SecuringNFS)
#$IPTABLES -A INPUT -p udp -m multiport --dport 111 -s 192.168.1.0/24 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m multiport --dport 111 -s 192.168.1.0/24 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m multiport --dport 2049 -s 192.168.1.0/24 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m multiport --dport 2049 -s 192.168.1.0/24 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m multiport --dport 32764:32769 -s 192.168.1.0/24 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m multiport --dport 32764:32769 -s 192.168.1.0/24 -j ACCEPT
# Mumble INPUT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 64738 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p udp --dport 64738 -j ACCEPT
# MySQL INPUT
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
# rsync INPUT (pruefen)
#$IPTABLES -A INPUT -p tcp --dport 873 -m state --state NEW,ESTABLISHED -s 192.168.1.0/24 -j ACCEPT
# DHCP INPUT
#$IPTABLES -A INPUT -p udp --dport 67 -J ACCEPTLOG
# Explicitly log and reject everything else.
#------------------------------------------------------------------------------
# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A OUTPUT -j REJECT
$IPTABLES -A FORWARD -j REJECT
# Exit gracefully.
#------------------------------------------------------------------------------
echo "Firewall initialized and active."
;;
stop)
echo "Flushing iptables rules..."
sleep 1
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
echo "Firewall stopped."
;;
*)
echo "Usage: /etc/init.d/iptables_init {start|stop}"
exit 2
esac
exit 0