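#!/bin/bash
#
# Host firewall for this machine: IPv4 via iptables, IPv6 via ip6tables.
#
# Must be run as root.  The script is meant to be re-runnable: every chain is
# flushed and rebuilt on each execution.
#
# Policy: INPUT, OUTPUT and FORWARD default to DROP; traffic is then allowed
# per peer host or per service.  iptables evaluates rules first-match, so the
# catch-all LOGDROP rule is appended only after every ACCEPT rule (in the
# previous version it sat in the middle of the INPUT chain and shadowed the
# ACCEPT rules for 129.125.0.0/16 peers added after it).

set -u

# Report, but do not abort on, a failing command: aborting halfway would leave
# the DROP policies in place with only part of the ACCEPT rules loaded.
trap 'printf "warning: command failed on line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

if (( EUID != 0 )); then
  printf 'this script must be run as root\n' >&2
  exit 1
fi

#######################################
# Write a value to a /proc/sys tunable.
# Arguments: $1 - path of the tunable, $2 - value to write
# Outputs:   warning on stderr when the path is not writable (e.g. kernel
#            without that tunable)
#######################################
write_proc() {
  local path=$1 value=$2
  if [[ -w "$path" ]]; then
    printf '%s\n' "$value" > "$path"
  else
    printf 'warning: cannot write %s\n' "$path" >&2
  fi
}

# ---- kernel tweaks ----------------------------------------------------------

# prevent SYN floods:
write_proc /proc/sys/net/ipv4/tcp_syncookies 1
write_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
write_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0
write_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
write_proc /proc/sys/net/ipv4/conf/all/log_martians 1
write_proc /proc/sys/net/ipv4/ip_forward 0

# ---- IPv4 -------------------------------------------------------------------

# initialize: flush all rules, delete user-defined chains, zero counters
iptables -F
iptables -X
iptables -Z

# default policies: fail closed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# log-then-drop chain, used by the catch-all rule at the end of this section
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP

# allow loopback:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow asds.id.rug.nl
iptables -A INPUT -i br0 -s 129.125.2.50 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.2.50 -j ACCEPT

# allow vlan933 (no restriction on either direction):
iptables -A INPUT -i bond0.933 -j ACCEPT
iptables -A OUTPUT -o bond0.933 -j ACCEPT

# allow vlan934 (no restriction on either direction):
iptables -A INPUT -i bond0.934 -j ACCEPT
iptables -A OUTPUT -o bond0.934 -j ACCEPT

# allow tcp to/from the database hosts, on any interface.
# Rules are appended in list order, INPUT then OUTPUT per host.
db_hosts=(
  129.125.36.182 129.125.36.183 129.125.36.184 129.125.36.185
  129.125.36.186 129.125.36.187 129.125.36.188
  129.125.36.141 129.125.36.142 129.125.36.143 129.125.36.144
  129.125.36.148 129.125.36.149 129.125.36.150
  129.125.50.147
  129.125.36.71
)
for host in "${db_hosts[@]}"; do
  iptables -A INPUT -p tcp -s "$host" -j ACCEPT
  iptables -A OUTPUT -p tcp -d "$host" -j ACCEPT
done

# allow munin statistics server:
iptables -A INPUT -p tcp -s 129.125.50.91 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.50.91 -j ACCEPT

# allow agenda:
iptables -A INPUT -p tcp -s 129.125.2.116 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.2.116 -j ACCEPT

# allow imap.google.com:
# written as a full dotted quad for consistency with the other /24 rules;
# libxtables pads the shorthand "74.125.136/24" to the same network.
iptables -A INPUT -p tcp -s 74.125.136.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp -d 74.125.136.0/24 -j ACCEPT

# allow imap.rug.nl:
iptables -A INPUT -p tcp -s 129.125.2.81/32 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.2.81/32 -j ACCEPT

# allow more google:
iptables -A INPUT -p tcp -s 173.194.65.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp -d 173.194.65.0/24 -j ACCEPT

# drop NEW tcp connections on br0 that do not start with a SYN:
iptables -A INPUT -i br0 -p tcp ! --syn -m state --state NEW -j DROP

# drop packets arriving on br0 that claim a loopback destination (spoofed):
iptables -A INPUT -i br0 -d 127.0.0.0/8 -j DROP

# allow dns outbound and its replies:
# NOTE(review): the INPUT side matches on source port only, so any inbound
# udp packet claiming source port 53 is accepted; the www rules below
# additionally require --state ESTABLISHED - consider the same here.
iptables -A INPUT -i br0 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o br0 -p udp --dport 53 -j ACCEPT

# allow www outbound to 80 (replies must belong to an established connection):
iptables -A INPUT -i br0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow www outbound to 443:
iptables -A INPUT -i br0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow smtp outbound:
iptables -A INPUT -i br0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow ssh (any tcp port, in fact) from BWP:
iptables -A INPUT -i br0 -p tcp -s 129.125.249.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.249.0/24 -m state --state ESTABLISHED -j ACCEPT

# zabbix monitoring:
iptables -A INPUT -i br0 -s 129.125.50.238 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.50.238 -j ACCEPT

# allow 9080 inbound from any source:
iptables -A INPUT -i br0 -p tcp --dport 9080 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --sport 9080 -j ACCEPT

# allow 2222 inbound from BWP (already covered by the BWP rule above):
iptables -A INPUT -i br0 -p tcp -s 129.125.249.0/24 --dport 2222 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.249.0/24 --sport 2222 -j ACCEPT

# inbound gadgets: replies to any outbound tcp connection, and any outbound tcp:
iptables -A INPUT -i br0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

# allow from operator:
iptables -A INPUT -i br0 -s 129.125.50.41/32 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.50.41/32 -j ACCEPT

# allow from/to ldap:
iptables -A INPUT -i br0 -s 129.125.68.50/32 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.68.50/32 -j ACCEPT

# ldaps outbound:
iptables -A INPUT -i br0 -p tcp --sport 636 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow nfs:
iptables -A INPUT -i br0 -s 129.125.50.171/32 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.50.171/32 -j ACCEPT

# allow ntp (tcp and udp):
# NOTE(review): source-port-only match on INPUT, see the dns rule above.
iptables -A INPUT -i br0 -p tcp --sport 123 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -i br0 -p udp --sport 123 -j ACCEPT
iptables -A OUTPUT -o br0 -p udp --dport 123 -j ACCEPT

# allow charanga (129.125.60.94) on port 22:
iptables -A INPUT -i br0 -p tcp -s 129.125.60.94/32 --dport 22 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.60.94/32 --sport 22 -j ACCEPT

# charanga on port 2222:
iptables -A INPUT -i br0 -p tcp -s 129.125.60.94/32 --dport 2222 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.60.94/32 --sport 2222 -j ACCEPT

# allow imaps (any interface):
# NOTE(review): source-port-only match on INPUT, see the dns rule above.
iptables -A INPUT -p tcp --sport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT

# allow ganglia statistics server:
iptables -A INPUT -p tcp -s 129.125.60.89 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.60.89 -j ACCEPT

iptables -A INPUT -p tcp -s 129.125.36.191 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.191 -j ACCEPT

# open up port 9100 for prometheus:
iptables -A INPUT -i br0 -p tcp -s 129.125.2.233/32 --dport 9100 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.2.233/32 --sport 9100 -j ACCEPT

# allow icmp:
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# log/drop the rest from the campus range to this host.
# Kept last on purpose: everything not accepted above from 129.125.0.0/16
# is logged before the INPUT policy would have dropped it anyway.
iptables -A INPUT -i br0 -s 129.125.0.0/16 -d 129.125.36.121/32 -j LOGDROP

# ---- IPv6 -------------------------------------------------------------------

# Flush every chain and delete user-defined chains, so that LOGREJECT can be
# recreated below.  Flushing only the built-in chains would leave the old
# LOGREJECT chain in place on a re-run: "-N LOGREJECT" would then fail and the
# LOG/REJECT rules would be appended to it a second time.
ip6tables -F
ip6tables -X

# setup log-chain (not referenced by any rule below; the plain REJECT rules
# are used instead):
ip6tables -N LOGREJECT
ip6tables -A LOGREJECT -j LOG
ip6tables -A LOGREJECT -j REJECT

# set the default policy to drop
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# rules: only inbound loopback is accepted; there is no "-o lo" ACCEPT, so
# outbound IPv6 loopback traffic is rejected as well.
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -j REJECT
ip6tables -A OUTPUT -j REJECT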