MarcelFox/iptables.sh

## iptables.sh
# flush iptable rules
iptables -F
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allowing DNS lookups (tcp, udp port 53)
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow web traffic
iptables -A INPUT  -p tcp -m multiport --sports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow smtp traffic
iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587,2525  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -m multiport --sports 25,465,587,2525  -m state --state ESTABLISHED -j ACCEPT

# Allow IMAP traffic
iptables -A INPUT -p tcp -m multiport --dports 143,993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 143,993 -m state --state ESTABLISHED -j ACCEPT

# Allow POP3 traffic
iptables -A INPUT -p tcp -m multiport --dports 110,995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 110,995 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing SSH and RSYNC
iptables -A OUTPUT -p tcp -m multiport --dports 22,873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -m multiport --dports 22,873 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow outgoing icmp connections (pings,...)
iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
iptables -A INPUT  -p icmp -m state --state ESTABLISHED,RELATED     -j ACCEPT

# Allow outgoing connections to port 123 (ntp syncs)
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED     -j ACCEPT

# allow everything on localhost (loopback)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -i lo -j ACCEPT

# prevent DDOS on 80
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# allow everything from my IP
#iptables -A INPUT  -s xxx.xxx.xxx.xxx -j ACCEPT

# Set default policy to 'DROP'
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A INPUT -m conntrack -j ACCEPT --ctstate RELATED,ESTABLISHED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
	# flush iptable rules
	iptables -F
	iptables -t nat -F
	iptables -t nat -X
	iptables -t mangle -F
	iptables -t mangle -X

	# Allowing DNS lookups (tcp, udp port 53)
	iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

	# Allow web traffic
	iptables -A INPUT -p tcp -m multiport --sports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

	# Allow smtp traffic
	iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587,2525 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -m multiport --sports 25,465,587,2525 -m state --state ESTABLISHED -j ACCEPT

	# Allow IMAP traffic
	iptables -A INPUT -p tcp -m multiport --dports 143,993 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m multiport --sports 143,993 -m state --state ESTABLISHED -j ACCEPT

	# Allow POP3 traffic
	iptables -A INPUT -p tcp -m multiport --dports 110,995 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m multiport --sports 110,995 -m state --state ESTABLISHED -j ACCEPT

	# Allow outgoing SSH and RSYNC
	iptables -A OUTPUT -p tcp -m multiport --dports 22,873 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -m multiport --dports 22,873 -m state --state NEW,ESTABLISHED -j ACCEPT

	# Allow outgoing icmp connections (pings,...)
	iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
	iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Allow outgoing connections to port 123 (ntp syncs)
	iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

	# allow everything on localhost (loopback)
	iptables -A OUTPUT -o lo -j ACCEPT
	iptables -A INPUT -i lo -j ACCEPT

	# prevent DDOS on 80
	iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

	# allow everything from my IP
	#iptables -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT

	# Set default policy to 'DROP'
	iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A OUTPUT -j DROP
	iptables -A INPUT -m conntrack -j ACCEPT --ctstate RELATED,ESTABLISHED
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A INPUT -j DROP
	iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A FORWARD -j DROP