{"id":125,"date":"2022-12-05T20:47:23","date_gmt":"2022-12-05T18:47:23","guid":{"rendered":"https:\/\/www.mutareb.com\/?p=125"},"modified":"2023-06-16T18:10:04","modified_gmt":"2023-06-16T16:10:04","slug":"a-script-to-secure-the-server-using-iptables-firewall","status":"publish","type":"post","link":"https:\/\/www.mutareb.com\/index.php\/2022\/12\/05\/a-script-to-secure-the-server-using-iptables-firewall\/","title":{"rendered":"A script to secure the server using IPtables firewall"},"content":{"rendered":"\n<p>Use this shell script (<code>#!\/bin\/sh<\/code>) to automate the configuration of the iptables firewall and persist rules over restarts.<\/p>\n\n\n\n<p>Points to check before deploying it: the two <code>-p tcp --syn -m limit --limit 5\/s<\/code> ACCEPT rules carry no port match, so they admit new TCP connections on any port up to that rate (inbound on eth0, outbound on every interface) and the port lists do not act as a strict allow-list. For IPv6 the script only sets the default policies to DROP and adds no ip6tables accept rules, not even for loopback, and <code>stop<\/code> resets only the IPv4 INPUT and OUTPUT policies to ACCEPT. <code>OUT_ALLOWED_IMCP<\/code> is a misspelling of the <code>OUT_ALLOWED_ICMP<\/code> name the loop reads, and <code>--dport<\/code> is not a valid match for <code>-p icmp<\/code>, so the ICMP loops would fail as soon as their lists are filled in. Nothing in the listing saves the rules; they persist over restarts only if the script is run with <code>start<\/code> at boot.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/sh\n# script written by aalmutareb\n\n#make sure to include the repeat-offenders list from fail2ban \/ make it persist a restart\nBLACKLIST=\/etc\/fail2ban\/blocklists\/ip.blocklist.repeatoffender\n\n\n# list the needed ports\nIN_ALLOWED_TCP=\"20 21 22 25 53 80 143 443 587 993 995\"\nOUT_ALLOWED_TCP=\"20 21 22 25 53 80 123 143 443 587 993 995\"\nIN_ALLOWED_UDP=\"53\"\nOUT_ALLOWED_UDP=\"53\"\nLOCAL_ALLOWED_TCP=\" \"\nIN_ALLOWED_ICMP=\" \"\nOUT_ALLOWED_IMCP=\" \"\n\n\ncase \"$1\" in\n   start)\n\n      # Stopping IP trap\n      \/etc\/init.d\/fail2ban stop\n      echo \"Stopping fail2ban IP trap ...\"\n\n      # Clear \/sbin\/iptables\n      \/sbin\/iptables -F\n\n      #Defaults\n      \/sbin\/iptables -P INPUT DROP\n      \/sbin\/iptables -P OUTPUT DROP\n      \/sbin\/iptables -P FORWARD DROP\n      \/sbin\/ip6tables -P INPUT DROP\n      \/sbin\/ip6tables -P OUTPUT DROP\n      \/sbin\/ip6tables -P FORWARD DROP\n\n\n      # loopback communication\n      \/sbin\/iptables -A INPUT -i lo -j ACCEPT\n      \/sbin\/iptables -A OUTPUT -o lo -j ACCEPT\n\n      # persist on connections\n      \/sbin\/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n      \/sbin\/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n\n      # Ban blacklisted IPs\n      for x in `grep -v ^# 
$BLACKLIST | awk '{print $1}'`; do\n        echo \"Blocking $x...\"\n        \/sbin\/iptables -A INPUT -t filter -s $x -j DROP\n      done\n\t  \n\t  # TCP rules in local\n      for port in $LOCAL_ALLOWED_TCP; do\n        echo \"Accepting TCP port $port\"\n        \/sbin\/iptables -A INPUT -t filter -p tcp -s localhost --dport $port -j ACCEPT\n      done\n\t  \n\n      # TCP rules in\n      for port in $IN_ALLOWED_TCP; do\n        echo \"Accepting TCP port $port\"\n        \/sbin\/iptables -A INPUT -t filter -p tcp --dport $port -j ACCEPT\n      done\n\n      # TCP rules out\n      for port in $OUT_ALLOWED_TCP; do\n        echo \"Allowing sending over TCP port $port\"\n        \/sbin\/iptables -A OUTPUT -t filter -p tcp --dport $port -j ACCEPT\n      done\n\n      # UDP rules in\n      for port in $IN_ALLOWED_UDP; do\n        echo \"Accepting UDP  port $port\"\n        \/sbin\/iptables -A INPUT -t filter -p udp --dport $port -j ACCEPT\n      done\n\t#\/sbin\/iptables -A INPUT -t filter -p udp -m udp --dport 1024:65535 --sport 6277 -j ACCEPT\n\n      # UDP  rules out\n      for port in $OUT_ALLOWED_UDP; do\n        echo \"Allowing sending over UDP port $port\"\n        \/sbin\/iptables -A OUTPUT -t filter -p udp --dport $port -j ACCEPT\n      done\n\t#\/sbin\/iptables -A OUTPUT -t filter -p udp -m udp --sport 6277 --dport 1023 -j ACCEPT\n\n      # ICMP rules in\n      for port in $IN_ALLOWED_ICMP; do\n        echo \"Accepting ICMP  port $port\"\n        \/sbin\/iptables -A INPUT -t filter -p icmp --dport $port -j ACCEPT\n      done\n\t\/sbin\/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n\t\/sbin\/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1\/s -i eth0 -j ACCEPT\n\t\/sbin\/iptables -A INPUT -p tcp --syn -m limit --limit 5\/s -i eth0 -j ACCEPT\n\n      # ICMP rules out\n      for port in $OUT_ALLOWED_ICMP; do\n        echo \"Allowing sending over ICMP port $port\"\n        \/sbin\/iptables -A OUTPUT -t filter -p icmp --dport 
$port -j ACCEPT\n      done\n\t\/sbin\/iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT\n\t\/sbin\/iptables -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1\/s -j ACCEPT\n\t\/sbin\/iptables -A OUTPUT -p tcp --syn -m limit --limit 5\/s -j ACCEPT\n\n\n      # Dropping startup requests\n      \/sbin\/iptables -A INPUT -t filter -p tcp --syn -j DROP\n\n      # Restarting IP trap\n      \/etc\/init.d\/fail2ban start\n      echo \"Fire up IP trap again ...\"\n      ;;\n   stop)\n      \/etc\/init.d\/fail2ban stop\n      \/sbin\/iptables -F\n      \/sbin\/iptables -P INPUT ACCEPT\n      \/sbin\/iptables -P OUTPUT ACCEPT\n      echo \"Warning! Firewall is stopped, server is unprotected now!\"\n      ;;\n   restart)\n      $0 stop\n      sleep 1\n      $0 start\n      ;;\n   status)\n\ticmp_rule=$(\/sbin\/iptables-save | grep \"icmp-port-unreachable\")\n\tf2b_rule=$(\/sbin\/iptables-save | grep f2b )\n\tif &#91; ! -z \"$icmp_rule\" ]; then\n        \techo \"custom iptables rules are set\"\n\telse\n        \techo \"custom iptables rules missing!!\"\n\t       # echo \"\/etc\/init.d\/firewall start\"\n\tfi\n        if &#91; ! 
-z \"$f2b_rule\" ]; then\n                echo \"f2b rules are set\"\n        else\n                echo \"f2b rules missing!!\"\n               # echo \"\/etc\/init.d\/firewall start\"\n        fi\n\n\t\n\t;;\n      *)\n      echo \"Usage $0 {start|stop|restart|status}\"\n      ;;\nesac\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Use this shell script to automate the configuration of the iptables firewall and persist rules over restarts.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,17],"tags":[29,27,12],"series":[7],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-it-security","category-linux-server","tag-firewall","tag-linux","tag-security","series-linux-server","entry"],"_links":{"self":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/comments?post=125"}],"version-history":[{"count":1,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/125\/revisions"}],"predecessor-version":[{"id":126,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/125\/revisions\/126"}],"wp:attachment":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/media?parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/categories?post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp
\/v2\/tags?post=125"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/series?post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}