Shell scripts to setup some basic iptables rules. Meant for dedicated servers and VPS where typically the place you bought it from opens up everything to that server.
- drop in and run to have a working minimal config (note that the script may need tweaks if your server is running OpenVZ).
- show that iptables isn't as scary or complicated as people may think
- to support that, heavily comment the script to help understand why certain things are being done a certain way
Aside from the usual files in base directory. The shell scripts are in subfolders to make it easy to add other custom ones at a later time. Curent folders and description:
Name | Description |
---|---|
01_common | Files you'd want in addition to others. Namely this is the reset script. |
ipv4_basic_ingress | Only permit some ingress traffic and allow all egress traffic. This is the original iptables-init. (IPv4 version) |
ipv6_basic_ingress | Only permit some ingress traffic and allow all egress traffic. This is the original iptables-init. (IPv6 version) |
These are for the ipv4_basic_ingress
rules which makes a good drop in if you want to quickly get the firewall going.
# Become root for these steps if you don't login to server as root
sudo su -
mkdir /root/iptables
cd /root/iptables
# These links can be obtained by viewing a file and then choose raw
# As of May 2014 these links are valid
wget https://raw.githubusercontent.com/vrillusions/iptables-init/master/01_common/iptables-reset.sh
wget https://raw.githubusercontent.com/vrillusions/iptables-init/master/ipv4_basic_ingress/iptables-init.sh
chmod 0700 iptables-reset.sh
chmod 0700 iptables-init.sh
- Edit
iptables-init.sh
as needed (by default it allows ssh (TCP/22
) and both http (TCP/80
) and https (TCP/443
). Also defaults may not work with some vps providers. See the file for more info. - Before running this make sure you have a way to recover, either the ability to power cycle the server or an admin console you can issue commands.
- Run
/root/iptables/iptables-init.sh
- If nothing works and you get kicked from server, restart the system or via console run
/root/iptables/iptables-reset.sh
to get back in. Adjust settings and try again. - If it does work then you can mark it as verified
cp iptables-init.sh iptables-init-verified.sh
echo "/root/iptables/iptables-init-verified.sh >/dev/null" >>/etc/rc.local
You'll want to view /etc/rc.local
and double check you don't see something like exit 0
. You can either remove it or move that line back to the bottome of the script.
From that point on your work flow should be first edit the iptables-init.sh
file. Then if after running that and are sure it works then copy it to iptables-init-verified.sh
. In this way you should always be able to restart the system and have previous settings.
The above process is for just IPv4. For IPv6 use ipv6_basic_ingress
. The process is the same other than the file is called ip6tables-init.sh
. You can use iptables-reset.sh
to reset both IPv4 and IPv6.
As root, run iptables -nvL
to get a list of all rules and their hit count.
By default any inbound traffic not handled by iptables is logged before being dropped. You can view this log by running dmesg
as root. If you run dmesg -c
it will print the kernel log and then clear it which makes it helpful to see what new log entries are being created. You can comment out that line if you don't care about logging everything (search for "-- log unhandled packets").
By default it will:
- allow incoming requests to TCP ports 80 and 443
- allow TCP/22 for ssh with a limiter (8 attempts/min)
- by default will allow all outgoing traffic and block all incoming
- some things will be logging and can be read with
dmesg
The file should be pretty self explanatory and be easy to add any more rules you need.
If the environment variable VERBOSE
exists and is 'true' it will print additional messages while it's running. Additionally if there is a DEBUG
that is 'true' it will print every line as it runs. Basically use VERBOSE
if everything works but just want more info and DEBUG
when things aren't working.
Gathered from far too many man pages and web sites to enumerate. This was also originally part of https://github.com/vrillusions/bash-scripts but split it off into it's own repo
- Make more user friendly. Currently need to modify things all throughout the file. Should have some variables at the top.
- Make ssh port one of those settings since a lot of people don't run it on a standard port
- Check for an environment variable like
IPTABLES_INIT_CONFIG
and source that file - Create some sort of generator process so I can set all the rules in one spot and spit out both
iptables
andip6tables
lines.
Primary license is the unlicense. If where you are located doesn't honor public domain dedications then you may instead license this project under the MIT license. Only required to use one of those licenses. See LICENSE.txt
for actual licenses.
Join the chat at https://gitter.im/vrillusions/iptables-init