<me>@mail:~$ cat /etc/init.d/iptables-firewall
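#!/bin/sh
#
# Firewall script based on iptables and
# http://www.postfixbuch.de - fw script version 3.2 / 1.4.09
#
# Extended by <me>
#
# Usage: /etc/init.d/iptables-firewall (start|stop|restart|reload|force-reload)
#
# Design: default policy DROP on INPUT/OUTPUT/FORWARD, then an explicit
# allow-list of services (see "Selectively allow services" below).
#
# Caveats a reviewer should know about:
#   * IPv4 only. This script never touches ip6tables, so if the host has a
#     routable IPv6 address that stack stays at the kernel default (ACCEPT)
#     unless filtered elsewhere.
#   * "stop" is fail-OPEN: it flushes everything and sets ACCEPT policies.
#     "restart" therefore has a brief unfiltered window between stop and start.
#   * "start" is not atomic: rules are appended one by one after the policies
#     are set to DROP, so nothing is exposed during load, but any rule that
#     fails to load simply stays missing (the result is stricter, not looser).
#     iptables-restore would apply the whole set atomically if that matters.
#
# Server IP -- replace the placeholder with this host's public IPv4 address.
# NOTE: the angle brackets are intentional placeholder syntax; left unquoted
# they would be parsed as shell redirections, so keep the quotes.
ip_nr="<deine_ip>"
# Path to iptables
IPT=/sbin/iptables

# Fail loudly if the binary is missing rather than silently doing nothing.
if [ ! -x "$IPT" ]; then
  echo "iptables-firewall: $IPT not found or not executable" >&2
  exit 1
fi

case "$1" in
  start)
    echo "Starting firewall..."
    # Refuse to build a ruleset around an unconfigured address: every
    # service rule below is keyed on $ip_nr, so a wrong value locks the
    # host out (or, worse, matches nothing the admin expects).
    case "$ip_nr" in
      ''|\<*)
        echo "iptables-firewall: ip_nr is not configured, edit $0" >&2
        exit 1
        ;;
    esac
    # Load the connection-tracking module. Older kernels named it
    # ip_conntrack, newer ones nf_conntrack; try the old name first to keep
    # the original behaviour, fall back to the new one.
    modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack
    # Flush chains (remove rules)
    "$IPT" -F
    # Delete user-defined chains
    "$IPT" -X
    # Default policy (-P) is DROP for everything; all rules below are
    # exceptions to that.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP
    # Allow existing connections (replies to anything permitted below).
    # Only TCP and UDP are tracked here; ICMP is allowed unconditionally
    # further down, so RELATED ICMP errors still get through.
    "$IPT" -A INPUT  -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT  -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback traffic
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Allow ICMP traffic. Deliberately unrestricted in both directions
    # (including echo-request); tighten with --icmp-type and -m limit if
    # the host should not answer pings or needs flood protection.
    "$IPT" -A OUTPUT -p icmp -j ACCEPT
    "$IPT" -A INPUT  -p icmp -j ACCEPT
    #
    # Selectively allow services
    #
    # Allow DNS queries (TCP + UDP); answers come back via ESTABLISHED above.
    # These must precede the hostname-based rule below, because iptables
    # resolves those names while this script is running.
    "$IPT" -A OUTPUT -p tcp -s "$ip_nr" --sport 1024: --dport 53 \
      -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -p udp -s "$ip_nr" --sport 1024: --dport 53 \
      -m state --state NEW -j ACCEPT
    # Incoming mail (SMTP). --sport 1024: rejects peers connecting from a
    # privileged source port; legitimate MTAs use ephemeral ports.
    "$IPT" -A INPUT -p tcp -d "$ip_nr" --sport 1024: --dport 25 \
      -m state --state NEW -j ACCEPT
    # Outgoing mail (SMTP)
    "$IPT" -A OUTPUT -p tcp -s "$ip_nr" --sport 1024: --dport 25 \
      -m state --state NEW -j ACCEPT
    # Allow IMAP, Submission, Sieve
    "$IPT" -A INPUT -p tcp -d "$ip_nr" --sport 1024: -m multiport --dports 143,587,4190 \
      -m state --state NEW -j ACCEPT
    # Allow incoming HTTP, HTTPS
    "$IPT" -A INPUT -p tcp -d "$ip_nr" --sport 1024: -m multiport --dports 80,443 \
      -m state --state NEW -j ACCEPT
    # Allow outgoing HTTP connections to Ubuntu update servers.
    # NOTE: the hostnames are resolved ONCE, at load time, and expanded into
    # one rule per address. If resolution fails (e.g. at boot before the
    # resolver is reachable) this rule is skipped and apt is blocked, and
    # mirror addresses that change later are not picked up until the next
    # "start". Only port 80 is opened; an https:// mirror would need 443.
    "$IPT" -A OUTPUT -p tcp -s "$ip_nr" -d de.archive.ubuntu.com,security.ubuntu.com \
      --sport 1024: --dport 80 \
      -m state --state NEW -j ACCEPT
    # Allow DHCP (UDP). A client with no address yet sends from 0.0.0.0,
    # which "-s $ip_nr" does not match, so this only covers renewals;
    # harmless on a host with a static address.
    "$IPT" -A OUTPUT -p udp -s "$ip_nr" --sport 67:68 \
      --dport 67:68 -m state --state NEW -j ACCEPT
    # Allow NTP queries (UDP). Matches a daemon that sends from port 123;
    # if the NTP client here uses an ephemeral source port, widen --sport.
    "$IPT" -A OUTPUT -p udp -s "$ip_nr" --sport ntp \
      --dport ntp -m state --state NEW -j ACCEPT
    # SSH using custom port 45723 (the non-standard port only reduces log
    # noise from scanners; it is not an access control).
    "$IPT" -A INPUT -p tcp -d "$ip_nr" --sport 1024: --dport 45723 \
      -m state --state NEW -j ACCEPT
    #
    # Log what is about to hit the DROP policy, rate-limited so a scan or
    # flood cannot fill the log. Anything not matched above lands here.
    #
    "$IPT" -A INPUT  -m limit --limit 5/min --limit-burst 10 \
      -j LOG --log-prefix "FW-DROP-IN: " --log-level 4
    "$IPT" -A OUTPUT -m limit --limit 5/min --limit-burst 10 \
      -j LOG --log-prefix "FW-DROP-OUT: " --log-level 4
    ;;
  stop)
    echo "Stopping firewall..."
    # WARNING: this opens the host completely (fail-open), which is the
    # conventional init-script behaviour but worth knowing before running it
    # on an exposed machine.
    # Flush chains (remove rules)
    "$IPT" -F
    # Delete user-defined chains
    "$IPT" -X
    # Default policy (-P) is ACCEPT
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    ;;
  restart|reload|force-reload)
    # Unfiltered window between the two calls; see header.
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: /etc/init.d/iptables-firewall (start|stop|restart|reload|force-reload)" >&2
    exit 1
    ;;
esac
exit 0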