IPTables firewall rules management script

iptables is the standard packet-filtering firewall on Ubuntu Server. Rules added with the iptables command live only in kernel memory and are lost at reboot, so here is a procedure to reapply your firewall rules every time the server starts.

Github https://github.com/garanet/iptables_script.git

Create the startup file in /etc/init.d/ and name it firewall.sh.

~:$ sudo vi /etc/init.d/firewall.sh

Paste the following code, save the file, and exit.


#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the iptables firewall rules
### END INIT INFO
# www.garanet.net
RETVAL=0
RULES=/usr/local/bin/iptables.sh
IPT=/sbin/iptables

# To start the firewall: run the rules script and keep its exit status
start() {
  echo -n "IPTables rules creation: "
  "$RULES"
  RETVAL=$?
  echo
}

# To stop the firewall: flush every rule, delete user-defined chains and
# reset the default policies to ACCEPT so the host stays reachable
stop() {
  echo -n "Removing all iptables rules: "
  "$IPT" -F
  "$IPT" -X
  "$IPT" -t nat -F
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  RETVAL=$?
  echo
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    # -n avoids slow reverse DNS lookups, -v shows packet/byte counters per rule
    "$IPT" -L -n -v
    "$IPT" -t nat -L -n -v
    RETVAL=$?
    ;;
  *)
    echo "Usage: firewall {start|stop|restart|status}"
    RETVAL=1
esac

# Return the real status to init instead of always exiting 0
exit $RETVAL

Assign execute privileges to the newly created file:

~:$ sudo chmod a+x /etc/init.d/firewall.sh

Now create the rules script that the init script calls:

~:$ sudo vi /usr/local/bin/iptables.sh

Paste the following code, customize the rules to suit your services, save the file, and exit.
Replace ‘XXX.XXX.XXX.XXX’ with the external IP address authorized to reach the filtered services (NRPE, FTP, SSH, MySQL and ping); if more than one address needs access, add one ACCEPT line per address before the matching REJECT line. Two things to keep in mind: the script leaves the INPUT default policy at ACCEPT, so only the ports it explicitly REJECTs are filtered and any other listening service stays reachable from everywhere; and it configures IPv4 only, so if the server has a public IPv6 address the same services are unfiltered there until you add equivalent ip6tables rules.


#!/bin/bash
# www.garanet.net
# Must run as root: it writes to /proc/sys and changes the kernel rule set.
# No sudo inside the script, init already starts it as root.
if [ "$(id -u)" -ne 0 ]; then
  echo "iptables.sh must be run as root" >&2
  exit 1
fi
IPT=/sbin/iptables
ADMIN=XXX.XXX.XXX.XXX   # external IP authorized to reach the filtered services

# No spoofing: enable reverse-path filtering on every interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
  for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
  do
    echo 1 > "$filtre"
  done
fi

# ICMP: drop broadcast pings (smurf amplification), but do NOT set
# icmp_echo_ignore_all: the kernel would then discard every echo-request after
# the INPUT chain, and the "ALLOW PING" rule below would never get a reply out
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Load the netfilter modules you may need (current names; older kernels
# called the helpers ip_conntrack_ftp/ip_nat_ftp and ip_conntrack_irc/ip_nat_irc)
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
modprobe nf_conntrack_irc
modprobe nf_nat_irc

# Remove all rules and user-defined chains. The default policies are left at
# ACCEPT, so only the ports explicitly REJECTed at the end are filtered.
$IPT -F
$IPT -X

# ALLOW EVERYTHING ON LOOPBACK (local clients of MySQL, Tomcat and NRPE;
# without this the REJECT lines below also block connections from 127.0.0.1)
$IPT -A INPUT -i lo -j ACCEPT
# ALLOW NAGIOS (NRPE) FILTERED
$IPT -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5666 -j ACCEPT
$IPT -A INPUT -s $ADMIN/32 -p tcp -m tcp --dport 5666 -j ACCEPT
# ALLOW FTP FILTERED (add one ACCEPT line per authorized address)
$IPT -A INPUT -s $ADMIN/32 -p tcp -m tcp --dport 21 -j ACCEPT
# ALLOW SSH FILTERED
$IPT -A INPUT -s $ADMIN/32 -p tcp -m tcp --dport 22 -j ACCEPT
# ALLOW MYSQL FILTERED
$IPT -A INPUT -s $ADMIN/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# ALLOW TOMCAT LOCALHOST
$IPT -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8009 -j ACCEPT
$IPT -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
# ALLOW PING ICMP FILTERED
$IPT -A INPUT -s $ADMIN/32 -p icmp --icmp-type echo-request -j ACCEPT
# ALLOW HTTP AND HTTPS FROM ALL
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# REJECT THE REST: everybody else on the filtered ports, plus ping and portmapper
$IPT -A INPUT -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-port-unreachable
$IPT -A INPUT -p tcp -m tcp --dport 21 -j REJECT --reject-with icmp-port-unreachable
$IPT -A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
$IPT -A INPUT -p tcp -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
$IPT -A INPUT -p tcp -m tcp --dport 8009 -j REJECT --reject-with icmp-port-unreachable
$IPT -A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
$IPT -A INPUT -p icmp --icmp-type echo-request -j REJECT
$IPT -A INPUT -p tcp -m tcp --dport 111 -j REJECT
echo " [End iptables rules setting]"
# END SCRIPT

Assign execute privileges to the newly created file:

~:$ sudo chmod a+x /usr/local/bin/iptables.sh

To enable the rules every time the server starts, register the script with update-rc.d. Pass the script name, not its full path (update-rc.d looks it up under /etc/init.d/ itself), and give firewall.sh an LSB header block (the ### BEGIN INIT INFO ... ### END INIT INFO comment at the top of the script): without it update-rc.d warns or refuses to compute the runlevel links, and on Ubuntu releases that boot with systemd the header is also what systemd-sysv-generator uses to build a unit for the script.

~:$ sudo update-rc.d firewall.sh defaults

After the next reboot, confirm the rules are actually loaded with sudo /etc/init.d/firewall.sh status (or sudo iptables -L -n -v) before relying on them, and test reachability of a filtered port both from the authorized address and from one that is not.
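The script above filters a handful of ports and leaves everything else open. The following is a default-deny version of /usr/local/bin/iptables.sh, added here as an example; it is not the page's script and not from the garanet repository. It assumes the same /etc/init.d/firewall.sh wrapper (call it with the apply argument from start()), an iptables with the conntrack, limit and LOG extensions (standard on Ubuntu), and uses ALLOWED_ADMIN as the placeholder for the authorized address; the DRY_RUN mode and the show/apply arguments are conventions of this example so the generated rule set can be reviewed without root before it is applied.

```shell
#!/bin/bash
# Added example (not the script from the page or the garanet repository):
# a default-deny version of /usr/local/bin/iptables.sh that the same
# /etc/init.d/firewall.sh wrapper can call. ALLOWED_ADMIN is an assumed
# placeholder for the authorized external address.
set -eu

IPT=${IPT:-/sbin/iptables}
ALLOWED_ADMIN=${ALLOWED_ADMIN:-XXX.XXX.XXX.XXX}

# rule: apply one iptables command, or just print it when DRY_RUN=1 so the
# generated rule set can be reviewed as an unprivileged user first.
rule() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$IPT $*"
  else
    "$IPT" "$@"
  fi
}

apply_rules() {
  # Start from a clean table: flush rules, delete user chains, zero counters
  rule -F
  rule -X
  rule -Z
  # Default deny for inbound and forwarded traffic; outbound stays open
  rule -P INPUT DROP
  rule -P FORWARD DROP
  rule -P OUTPUT ACCEPT
  # Loopback and replies to connections this host opened come first, so
  # local clients and return traffic never depend on the service rules below
  rule -A INPUT -i lo -j ACCEPT
  rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Public services
  rule -A INPUT -p tcp --dport 80 -j ACCEPT
  rule -A INPUT -p tcp --dport 443 -j ACCEPT
  # Filtered services (FTP, SSH, MySQL, NRPE) and ping: only from the
  # authorized address. Every other source falls through to the final DROP,
  # so no per-port REJECT lines are needed and unlisted services are closed too.
  for port in 21 22 3306 5666; do
    rule -A INPUT -s "$ALLOWED_ADMIN/32" -p tcp --dport "$port" -j ACCEPT
  done
  rule -A INPUT -s "$ALLOWED_ADMIN/32" -p icmp --icmp-type echo-request -j ACCEPT
  # Log what gets dropped (rate-limited so a port scan cannot flood syslog)
  rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
  rule -A INPUT -j DROP
}

# rule_count: how many iptables commands apply_rules emits (dry run)
rule_count() {
  ( DRY_RUN=1; apply_rules ) | wc -l | tr -d ' '
}

# has_rule PATTERN: succeeds if the dry-run output contains PATTERN
has_rule() {
  ( DRY_RUN=1; apply_rules ) | grep -q -- "$1"
}

case "${1:-}" in
  show)  DRY_RUN=1; apply_rules ;;   # review as an unprivileged user
  apply) apply_rules ;;              # run as root, e.g. from firewall.sh start()
esac
```

Run it as ./iptables.sh show first and read the output top to bottom: rule order is what makes this safe to apply over SSH, because the ESTABLISHED,RELATED rule is inserted before the policy can cut your session, and the conntrack rule is also what lets the ftp helper modules from the original script do useful work.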