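#!/bin/bash
# Host firewall bootstrap: set fail-closed default policies, flush the
# existing ruleset, build the PRE_NORMAL / NORMAL* / POST_NORMAL_OUT chain
# skeleton, then define accept_new() for per-service allow rules that are
# appended after this block.
#
# Needs root: iptables/ip6tables/modprobe and the /proc/sys write below.

# NOTE(review): `source` with a bare name searches $PATH before the current
# directory, so which firewall_vars.sh gets loaded depends on the caller's
# environment; run this from the script's own directory.
source firewall_vars.sh

# Fail-closed defaults: anything not matched by an explicit rule is dropped.
#default_policy=ACCEPT
default_policy=DROP
#ipv6_policy=ACCEPT
ipv6_policy=DROP
enable_forwarding=1
any_ip=0.0.0.0/0
any_port=0:65535
lo_network=127.0.0.0/8
# Comma-separated list; the quotes are consumed by the shell, so the value is
# a single string. It is the source of truth for DEST_INET below.
non_routable_ips='10.0.0.0/8','172.16.0.0/12','192.168.0.0/16','169.254.0.0/16'

# FTP connection-tracking helper (legacy module name; nf_conntrack_ftp is
# its successor and is left commented out here).
modprobe ip_conntrack_ftp
#modprobe nf_conntrack_ftp
#modprobe ipt_iprange
#modprobe xt_iprange &> /dev/null
#modprobe ip6t_rt &> /dev/null
#modprobe ip6table_filter &> /dev/null

# Set default policy BEFORE flushing, so there is never a window in which the
# built-in chains are empty while the policy is still ACCEPT.
iptables -P INPUT "$default_policy"
iptables -P OUTPUT "$default_policy"
iptables -P FORWARD "$default_policy"

# Flush everything: filter rules, nat rules, then user chains (-X requires
# the chains to be empty). nat-table user chains and the mangle table are
# not touched here.
iptables -F
iptables -t nat -F
iptables -X

# IPv6: policy DROP with no rules appended, so all IPv6 traffic is dropped,
# including loopback and ICMPv6 neighbour discovery.
ip6tables -P INPUT "$ipv6_policy"
ip6tables -P OUTPUT "$ipv6_policy"
ip6tables -P FORWARD "$ipv6_policy"
ip6tables -F
#ip6tables -t nat -F
ip6tables -X

printf '%s\n' "$enable_forwarding" > /proc/sys/net/ipv4/ip_forward

# Chain for stuff headed to internet: private / link-local destinations
# RETURN to the caller; any other destination continues down DEST_INET
# (nothing further is appended in this block).
iptables -N DEST_INET
IFS=',' read -r -a private_nets <<<"$non_routable_ips"
for net in "${private_nets[@]}"; do
  iptables -A DEST_INET -d "$net" -j RETURN
done

iptables -N POST_NORMAL_OUT
iptables -A POST_NORMAL_OUT -j DEST_INET

# Begin normal checks
iptables -N NORMAL
# Replies to already-accepted connections, plus related ones (e.g. FTP data).
iptables -A NORMAL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow pings
iptables -A NORMAL -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT

iptables -N NORMAL_IN
iptables -N NORMAL_OUT

# Allow loopback
# NOTE(review): left disabled by the author. With policy DROP, new
# connections over lo are dropped unless a later accept_new rule covers them.
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

# Wire the built-in chains. Append order is evaluation order:
# PRE_NORMAL -> direction-specific chain(s) -> NORMAL -> (outbound only)
# POST_NORMAL_OUT. PRE_NORMAL is created empty for rules appended later.
iptables -N PRE_NORMAL
iptables -A INPUT -j PRE_NORMAL
iptables -A INPUT -j NORMAL_IN
iptables -A INPUT -j NORMAL

iptables -A OUTPUT -j PRE_NORMAL
iptables -A OUTPUT -j NORMAL_OUT
iptables -A OUTPUT -j NORMAL
iptables -A OUTPUT -j POST_NORMAL_OUT

iptables -A FORWARD -j PRE_NORMAL
iptables -A FORWARD -j NORMAL_IN
iptables -A FORWARD -j NORMAL_OUT
iptables -A FORWARD -j NORMAL
iptables -A FORWARD -j POST_NORMAL_OUT

#######################################
# Append an ACCEPT rule for NEW connections to a chain.
# Arguments:
#   $1 - chain to append to (e.g. NORMAL_IN)
#   $2 - source address/network (-s)
#   $3 - destination address/network (-d)
#   $4 - protocol (-p), e.g. tcp or udp
#   $5 - destination port list for multiport --dports
# Outputs:   usage error on stderr when the argument count is wrong
# Returns:   2 on wrong argument count, otherwise iptables' exit status
#######################################
accept_new() {
  if (( $# != 5 )); then
    printf 'accept_new: expected 5 arguments (chain src dst proto ports), got %d\n' "$#" >&2
    return 2
  fi
  local chain=$1 src=$2 dst=$3 proto=$4 ports=$5
  # Option order kept as in the original rule (-p before --dports, which
  # multiport needs to resolve the protocol).
  iptables -A "$chain" -m conntrack --ctstate NEW \
    -m multiport -p "$proto" --dports "$ports" \
    -s "$src" -d "$dst" -j ACCEPT
}

# template
# accept_new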