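#!/bin/bash
#
# Workstation host firewall (IPv4 only: this script drives iptables and does
# not touch ip6tables, so IPv6 policy is left exactly as it was).
#
# Policy: DROP on INPUT, OUTPUT and FORWARD. The only traffic that passes is
# loopback, packets belonging to an already-seen connection, inbound ICMP and
# an explicit allow-list of outbound destination ports (see outbound_rules).
#
# Must run as root: iptables needs CAP_NET_ADMIN.
set -euo pipefail

if [[ "$(id -u)" -ne 0 ]]; then
  printf 'error: %s must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Abort on the first iptables call that fails instead of silently carrying on
# with a half-applied ruleset. Because the DROP policies are set right after
# the flush, an abort later in the script leaves the host closed, not open.

# forget old rules
iptables -F
iptables -X
iptables -Z

# set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# drop invalid packets (checked before the ESTABLISHED rule so malformed
# packets never ride an existing connection)
iptables -A INPUT   -m state --state INVALID -j DROP
iptables -A OUTPUT  -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# allow established, related packets we've already seen
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Outbound allow-list, one entry per line: "<proto> <dport> <description>".
# The description becomes the rule comment shown by `iptables -L`, so keep it
# accurate; it is the only documentation of why a port is open.
#
# Corrections relative to the previous ruleset:
#   - 25  was labelled "STARTLS": it is plain SMTP with optional STARTTLS.
#   - 587 was labelled "SMTPS": it is the submission port (STARTTLS);
#     465 (SMTPS) was also listed twice, the duplicate is dropped.
#   - 137/138 are UDP services; the TCP rules for them matched nothing useful.
#   - "Microsoft-DS" is TCP 445, not 145. If outbound SMB is not actually
#     needed on this workstation, remove that line rather than keep it.
outbound_rules=(
  'tcp 22 SSH'
  'tcp 53 DNS-TCP'
  'udp 53 DNS-UDP'
  'udp 67:68 DHCP'
  'tcp 80 HTTP'
  'tcp 443 HTTPS'
  'tcp 25 SMTP (STARTTLS)'
  'tcp 465 SMTPS'
  'tcp 587 Submission (STARTTLS)'
  'tcp 993 IMAPS'
  'tcp 995 POP3S'
  'udp 137 NETBIOS Name Service'
  'udp 138 NETBIOS Datagram Service'
  'tcp 139 NETBIOS session service'
  'tcp 445 Microsoft-DS'
  'tcp 5222 JABBER'
  'tcp 8001 IRC'
  'tcp 8010 JABBER FT'
  'tcp 8443 Unifi controller'
)

# output chain
for rule in "${outbound_rules[@]}"; do
  # `read` puts everything after the second field into desc, so descriptions
  # may contain spaces.
  read -r proto port desc <<<"$rule"
  iptables -A OUTPUT -p "$proto" -m "$proto" --dport "$port" \
    -m comment --comment "$desc" -j ACCEPT
done

# allow icmp packets (e.g. ping...). Only inbound NEW ICMP is opened here;
# replies to it are covered by the ESTABLISHED,RELATED rule on OUTPUT.
iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT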