Firewall script for Linux IPTABLES

Written by Administrator
Saturday, 26 April 2008

The script below is a firewall script for Linux systems. It is a bash script; it is very effective and has many built-in options, including the following amongst others:
```bash
#!/bin/bash
#Firewall script created by Ali Jawad
#alijawad1 [at] gmail [dot] com 2008
#Read Instructions and contact me if more help
#is needed
#################################################
#1-You can stop the script and remove ALL firewall rules by
#calling the script with the stop parameter. Example: ./firewall.sh stop
#To add this script to startup on a Red Hat system use chkconfig firewall.sh on, and to remove it chkconfig firewall.sh off
#!!!!I checked your system, it is FC6 and it does not have chkconfig; to add the script to startup add an entry such as the following to /etc/rc.local
# /bin/bash /path/to/firewall.sh
#To make it executable by root do chmod u+x firewall.sh (do this as root).

#Load Required Modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter

echo "Setting Variables For The Script"
#Variables Below Change As Needed
#This is the iptables binary, usually it is either /sbin/iptables or /usr/sbin/iptables. You can find it using whereis iptables
IPTABLES=/sbin/iptables
#The network interface on which the server is receiving and sending traffic
NIC=eth0
#The list of ports that are publicly accessible to the Internet, to add other ports simply separate by spaces. Ex VAR=(X Y Z Q W)
#The 22 is here for testing
PUBLIC_PORTS=(21 22)
WS_LIST_PORTS=(80 443)
MYSQL_LIST_PORTS=(3306)
##Note: It is better to limit the services developers can access. Open access is never a good idea. The problem is
#not about spoofing, TCP based services are immune to IP spoofing.
#The problem is that the developer's computer might be compromised
DEVEL_LIST_PORTS=(22 80 3306 21)
TESTING_LIST_PORTS=(22 80 3306 21)
#The Lists of IPs accessible per Port list, Iptables does not accept hostnames so
#please only put IPs here, you can also put whole IP classes
WS_LIST=(10.10.10.10 11.11.11.11 4.4.4.4 192.168.10.0/24)
MYSQL_LIST=(10.10.10.10 11.11.11.11 4.4.4.4 192.168.10.0/24)
DEVEL_LIST=(10.10.10.10 11.11.11.11 4.4.4.4 192.168.10.0/24)
TESTING_LIST=(10.10.10.10 11.11.11.11 4.4.4.4 192.168.10.0/24)
#Enable or disable any of the lists defined above
WS_LIST_ALLOW=no
MYSQL_LIST_ALLOW=yes
DEVEL_LIST_ALLOW=yes
TESTING_LIST_ALLOW=yes
#Enable Ping From Internet
ENABLE_PING=yes
#Block Everything Else
#!!!!!!! do not change this to yes before testing that you can access your panel, and allow ssh access to all until tested
BLOCK_OTHERS=no

if [[ $1 == stop ]] ; then
    echo "Erasing All Firewall Rules"
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -F -t mangle
    $IPTABLES -X -t nat
    $IPTABLES -X -t mangle
    $IPTABLES -X
else
    echo "Starting To Apply Firewall Rules By Erasing Old Rules"
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -F -t mangle
    $IPTABLES -X -t nat
    $IPTABLES -X -t mangle
    $IPTABLES -X

    ########Opening Public Access
    echo "Opening Public Access Ports"
    for PORT in "${PUBLIC_PORTS[@]}"; do
        echo "Opening Port $PORT For Public Access On Interface $NIC"
        $IPTABLES -A INPUT -p tcp --dport $PORT -j ACCEPT
    done

    ########Opening WS List Ports
    #Note the spaces around ==: "[[ $WS_LIST_ALLOW==yes ]]" would always be true
    if [[ $WS_LIST_ALLOW == yes ]] ; then
        echo "Web Services List Is Enabled"
        for PORT in "${WS_LIST_PORTS[@]}"; do
            for IP in "${WS_LIST[@]}"; do
                echo "Opening Port $PORT For IP $IP On Interface $NIC"
                $IPTABLES -A INPUT --source $IP -p tcp --dport $PORT -j ACCEPT
            done
        done
    fi

    ########Opening Testing List Ports
    if [[ $TESTING_LIST_ALLOW == yes ]] ; then
        echo "TESTING Services List Is Enabled"
        for PORT in "${TESTING_LIST_PORTS[@]}"; do
            for IP in "${TESTING_LIST[@]}"; do
                echo "Opening Port $PORT For IP $IP On Interface $NIC"
                $IPTABLES -A INPUT --source $IP -p tcp --dport $PORT -j ACCEPT
            done
        done
    fi

    ########Opening Devel List Ports
    if [[ $DEVEL_LIST_ALLOW == yes ]] ; then
        echo "Developer Services List Is Enabled"
        for PORT in "${DEVEL_LIST_PORTS[@]}"; do
            for IP in "${DEVEL_LIST[@]}"; do
                echo "Opening Port $PORT For IP $IP On Interface $NIC"
                $IPTABLES -A INPUT --source $IP -p tcp --dport $PORT -j ACCEPT
            done
        done
    fi

    ########Opening MYSQL List Ports
    if [[ $MYSQL_LIST_ALLOW == yes ]] ; then
        echo "MYSQL Services List Is Enabled"
        for PORT in "${MYSQL_LIST_PORTS[@]}"; do
            for IP in "${MYSQL_LIST[@]}"; do
                echo "Opening Port $PORT For IP $IP On Interface $NIC"
                $IPTABLES -A INPUT --source $IP -p tcp --dport $PORT -j ACCEPT
            done
        done
    fi

    ########Setup Stateful Firewall
    echo "Applying Stateful Firewall Rules"
    $IPTABLES -A INPUT -i $NIC -m state --state ESTABLISHED,RELATED -j ACCEPT

    ########Set Ping Policy
    echo "Apply Ping Policy Only Accept type 8,11 This protects from Ping Attacks SMURF, Ping of Death ..etc"
    if [[ $ENABLE_PING == yes ]] ; then
        $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
        $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
    fi

    ########Set Default Policy
    echo "Set Default Policy"
    if [[ $BLOCK_OTHERS == yes ]] ; then
        $IPTABLES -A INPUT -i $NIC -j DROP
    fi
fi
echo "End Of Script"
```
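As an added example that is not part of the original script, the bash snippet below reproduces the per-list rule generation (one ACCEPT per port and source pair) in dry-run form, printing the iptables commands instead of executing them, and rejects list entries that are not IPv4 addresses or CIDR blocks. The function names `is_ipv4_cidr`, `gen_list_rules` and `count_rules` and the sample lists are constructed for this example.

```bash
#!/bin/bash
# Added example, not part of the original firewall script: emit the
# per-list ACCEPT rules as text (a dry run) so the generated rule set
# can be reviewed before it is applied with the real iptables binary.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Accept only IPv4 addresses in dotted-quad form, optionally with a /prefix,
# which is what the script's WS_LIST / MYSQL_LIST / DEVEL_LIST entries expect.
is_ipv4_cidr() {
    local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
    local pre='^[0-9]{1,2}$'
    local addr=${1%/*} prefix=${1#*/} o
    [[ $1 == */* ]] || prefix=32
    [[ $addr =~ $re ]] || return 1
    for o in "${BASH_REMATCH[@]:1}"; do
        (( 10#$o <= 255 )) || return 1   # 10# avoids octal parsing of "08"
    done
    [[ $prefix =~ $pre ]] || return 1
    (( 10#$prefix <= 32 ))
}

# gen_list_rules <yes|no> "<ports>" "<sources>"
# Prints one rule per (port, source) pair, mirroring the script's nested loops;
# prints nothing when the list is disabled and fails on a non-address entry.
gen_list_rules() {
    local enabled=$1 port ip
    local -a ports sources
    read -ra ports <<< "$2"
    read -ra sources <<< "$3"
    # Spaces around == matter: "[[ $enabled==yes ]]" tests a non-empty
    # string and is therefore always true.
    [[ $enabled == yes ]] || return 0
    for ip in "${sources[@]}"; do
        is_ipv4_cidr "$ip" || { echo "not an IP address or CIDR block: $ip" >&2; return 1; }
    done
    for port in "${ports[@]}"; do
        for ip in "${sources[@]}"; do
            echo "$IPTABLES -A INPUT --source $ip -p tcp --dport $port -j ACCEPT"
        done
    done
}

# Number of rules a list would produce (ports x sources when enabled).
count_rules() { gen_list_rules "$@" | wc -l | tr -d ' '; }

# Constructed sample: the script's MYSQL list shape with two sources.
gen_list_rules yes "3306" "10.10.10.10 192.168.10.0/24"
```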

Last Updated (Tuesday, 29 April 2008)