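#!/bin/sh
#
# Host firewall for a small mail/web server.
#
# Policy, top to bottom:
#   - default DROP on INPUT, FORWARD and OUTPUT;
#   - loopback: everything in, but SMTP (25) and the content-filter
#     hops (10025/10026) only from the expected UIDs;
#   - inbound: ssh, smtp, http, https, smtps, pop3s, a few ICMP types;
#   - outbound: DNS to $DNS_SERVER, then per-service rules keyed on the
#     UID that owns the socket (postfix, root, spampd, ntpd);
#   - everything else on OUTPUT is logged, then hits the DROP policy.
#
# Must run as root. Rules are applied live and are NOT persisted; rerun
# this script after boot or hook it into the network start-up.
#
# Configuration (edit the three variables below):
#   IPT        - path to the iptables binary
#   IFACE      - external interface whose sysctl knobs are set
#   DNS_SERVER - space-separated resolvers OUTPUT may query on port 53

# Fail on unset variables; a typo in a variable name must not expand to
# an empty argument in the middle of an iptables rule.
set -u

# Path to your 'iptables'
IPT="/sbin/iptables"
# External interface
IFACE="eth0"
# Your list of name servers (space-separated). Each entry produces its own
# pair of rules, so list each resolver once.
DNS_SERVER="127.0.0.1"

# Refuse to start if the firewall binary is missing: otherwise the sysctl
# changes below would be applied and every rule would then fail.
if [ ! -x "$IPT" ]; then
  printf '%s: %s is not executable\n' "${0##*/}" "$IPT" >&2
  exit 1
fi

# Switch off source routing
echo 0 > "/proc/sys/net/ipv4/conf/$IFACE/accept_source_route"

# Do source validation by reversed path, as specified in RFC1812
echo 1 > "/proc/sys/net/ipv4/conf/$IFACE/rp_filter"


# >>>>>>> Flush old rules and old custom chains   <<<<<<<
#
"$IPT" --flush
"$IPT" --delete-chain


# >>>>>>> Set default policies for default chains <<<<<<<
#
# From this point on anything not explicitly accepted below is dropped;
# a rule that fails to load therefore closes a service rather than
# opening one (fail closed).
#
"$IPT" -P INPUT   DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT  DROP


# >>>>>>> Few restrictions on loopback interfaces <<<<<<<
#
"$IPT" -A INPUT  -i lo -j ACCEPT
#
# Make sure a local user cannot talk SMTP directly; only postfix and root
# may open port 25 on loopback. Denied attempts are logged with the UID.
#
# NOTE: '-m owner --uid-owner NAME' is resolved when the rule is loaded;
# iptables rejects the rule if NAME is not a local account, and with the
# DROP policy that silently blocks the service instead of opening it.
#
"$IPT" -A OUTPUT -o lo -p tcp --dport   25 -m state --state NEW -m owner --uid-owner postfix -j ACCEPT
"$IPT" -A OUTPUT -o lo -p tcp --dport   25 -m state --state NEW -m owner --uid-owner root    -j ACCEPT
"$IPT" -A OUTPUT -o lo -p tcp --dport   25 -j LOG --log-level info --log-uid --log-prefix "Iptables TCP denied "
"$IPT" -A OUTPUT -o lo -p tcp --dport   25 -j DROP
#
# Postfix -> content filter (10025): only the postfix UID may connect
#
"$IPT" -A OUTPUT -o lo -p tcp --dport 10025 -m state --state NEW -m owner --uid-owner postfix  -j ACCEPT
"$IPT" -A OUTPUT -o lo -p tcp --dport 10025 -j LOG --log-level info --log-uid --log-prefix "Iptables TCP denied "
"$IPT" -A OUTPUT -o lo -p tcp --dport 10025 -j DROP
#
# Content filter -> Postfix re-injection (10026): only the spampd UID
#
"$IPT" -A OUTPUT -o lo -p tcp --dport 10026 -m state --state NEW -m owner --uid-owner spampd    -j ACCEPT
"$IPT" -A OUTPUT -o lo -p tcp --dport 10026 -j LOG --log-level info --log-uid --log-prefix "Iptables TCP denied "
"$IPT" -A OUTPUT -o lo -p tcp --dport 10026 -j DROP
#
# Allow connections on other loopback ports
#
"$IPT" -A OUTPUT -o lo -j ACCEPT


# >>>>>>> All TCP sessions must begin with SYN    <<<<<<<
#
# A NEW connection whose first packet is not a bare SYN is a scan or a
# stray segment, never a legitimate handshake.
#
"$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP


# >>>>>>> Accept inbound TCP packets for services <<<<<<<
#
"$IPT" -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh
"$IPT" -A INPUT -p tcp --dport   22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# smtp
"$IPT" -A INPUT -p tcp --dport   25 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# http
"$IPT" -A INPUT -p tcp --dport   80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# https
"$IPT" -A INPUT -p tcp --dport  443 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# smtps
"$IPT" -A INPUT -p tcp --dport  465 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# pop3s
"$IPT" -A INPUT -p tcp --dport  995 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT


# >>>>>>> Accept inbound UDP packets for services <<<<<<<
#
# Only replies to our own queries (DNS, NTP); no UDP service is exposed.
#
"$IPT" -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT


# >>>>>>> Accept some ICMP messages               <<<<<<<
#
# ICMP error messages related to connections
#
"$IPT" -A INPUT  -p icmp --icmp-type destination-unreachable -m state --state RELATED     -j ACCEPT
"$IPT" -A INPUT  -p icmp --icmp-type fragmentation-needed    -m state --state RELATED     -j ACCEPT
#
# Allow ping from outside
#
"$IPT" -A INPUT  -p icmp --icmp-type echo-request            -m state --state NEW         -j ACCEPT


# >>>>>>> Accept some outbound packets            <<<<<<<
#
# Inserted at position 1 so that established flows bypass the per-UID
# loopback checks above; those only need to see NEW connections.
#
"$IPT" -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# DNS - List of name servers in DNS_SERVER
#
# $DNS_SERVER is deliberately unquoted: it is a space-separated list and
# word-splitting is what turns it into one rule per resolver.
#
for ip in $DNS_SERVER
do
  "$IPT" -A OUTPUT -p udp -d "$ip" --dport 53 -m state --state NEW -j ACCEPT
  "$IPT" -A OUTPUT -p tcp -d "$ip" --dport 53 -m state --state NEW -j ACCEPT
done
#
# smtp
"$IPT" -A OUTPUT -p tcp --dport 25 -m state --state NEW -m owner --uid-owner postfix -j ACCEPT
#
# for apt-get and spampd
"$IPT" -A OUTPUT -p tcp --dport 80 -m state --state NEW -m owner --uid-owner root   -j ACCEPT
"$IPT" -A OUTPUT -p tcp --dport 80 -m state --state NEW -m owner --uid-owner spampd -j ACCEPT
#
# ntp
"$IPT" -A OUTPUT -p tcp --dport 123 -m state --state NEW -m owner --uid-owner ntpd -j ACCEPT
"$IPT" -A OUTPUT -p udp --dport 123 -m state --state NEW -m owner --uid-owner ntpd -j ACCEPT
#
# razor
"$IPT" -A OUTPUT -p tcp --dport 2703 -m state --state NEW -m owner --uid-owner spampd -j ACCEPT
"$IPT" -A OUTPUT -p tcp --dport 2703 -m state --state NEW -m owner --uid-owner root   -j ACCEPT
#
# pyzor
"$IPT" -A OUTPUT -p udp --dport 24441 -m state --state NEW -m owner --uid-owner spampd -j ACCEPT
"$IPT" -A OUTPUT -p udp --dport 24441 -m state --state NEW -m owner --uid-owner root   -j ACCEPT


# >>>>>>> Drop invalid packets                    <<<<<<<
#
# Dropped here, before the LOG rules, so conntrack noise does not flood
# the log.
#
"$IPT" -A OUTPUT -p tcp -m state --state INVALID -j DROP
#
# Spurious packets: bare ACKs from our own service ports that belong to
# no tracked connection
#
"$IPT" -A OUTPUT -p tcp --source-port 25 --tcp-flags SYN,ACK ACK -j DROP
"$IPT" -A OUTPUT -p tcp --source-port 80 --tcp-flags SYN,ACK ACK -j DROP


# >>>>>>> Log other outbound packets              <<<<<<<
#
# Anything reaching here falls through to the OUTPUT DROP policy; the
# log line is the only trace of a blocked outbound attempt.
#
"$IPT" -A OUTPUT -p udp -j LOG --log-level info --log-prefix "Iptables UDP denied "
#
"$IPT" -A OUTPUT -p tcp -j LOG --log-level info --log-prefix "Iptables TCP denied "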