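#!/usr/bin/env bash
# Host firewall for an IPv4 machine that also hosts qemu/kvm guests on
# virbr0 (192.168.122.0/24).
#
# Policy, as implemented below:
#   INPUT    default DROP; allow established/related, TCP/80 from anywhere,
#            DNS (53) and DHCP (67) from the guest bridge only, loopback;
#            everything else is logged (rate-limited) and dropped.
#   FORWARD  default DROP; only guest <-> outside traffic via virbr0.
#   OUTPUT   default DROP, but a fixed list of TCP destination ports is
#            dropped and everything else is explicitly accepted at the end.
#   nat      MASQUERADE guest traffic that leaves the guest network.
#
# Must run as root.  Only the IPv4 tables (iptables) are touched; ip6tables
# is left unchanged, so IPv6 traffic is not filtered by this script.
set -euo pipefail

PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

readonly GUEST_NET=192.168.122.0/24
readonly GUEST_IF=virbr0

# Outbound TCP destination ports dropped before the final OUTPUT ACCEPT.
# The original list carried 5432 twice; it is listed once here.
readonly -a OUTPUT_DROP_PORTS=(5432 8443 8080 1900 135 435 631 111 25 4444 8099 6000 2049)

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Wipe existing rules and user chains, then set the default policies.
# -F / -X alone only touch the filter table; the MASQUERADE rule lives in
# nat, so that table is flushed too, otherwise each run of the script
# appends another copy of it.  Deleting user chains (-X) is what lets the
# later `iptables -N LOGDROP` succeed on a re-run.
#######################################
reset_tables() {
  iptables -F
  iptables -t nat -F
  iptables -X
  iptables -t nat -X
  # Policies are set before any ACCEPT rule exists, so the window while
  # rules are being added errs on the side of blocking.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
}

#######################################
# Chain that logs a packet and then drops it.
# The LOG target is rate-limited so a flood of unwanted packets cannot
# fill the kernel log; the limit/prefix form was present in the original
# only as a commented-out line.  The log level is left at its default.
#######################################
setup_logdrop() {
  iptables -N LOGDROP
  iptables -A LOGDROP -m limit --limit 1/sec -j LOG --log-prefix "iptables denied: "
  iptables -A LOGDROP -j DROP
}

#######################################
# Inbound rules.  Order matters: the first matching rule wins.
#######################################
setup_input() {
  local port proto
  # Replies to connections this host initiated.
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
  # DNS and DHCP, accepted only when they arrive over the guest bridge.
  for port in 53 67; do
    for proto in udp tcp; do
      iptables -A INPUT -i "$GUEST_IF" -p "$proto" -m "$proto" --dport "$port" -j ACCEPT
    done
  done
  # Dropped silently instead of through LOGDROP (presumably to keep it out of
  # the log).  Note it precedes the loopback ACCEPT, so loopback connections
  # to 111 are dropped as well; move the lo rule above it if that is not
  # intended.
  iptables -A INPUT -p tcp --dport 111 -j DROP
  iptables -A INPUT -i lo -j ACCEPT
  # Everything else: log (rate-limited) and drop.
  iptables -A INPUT -j LOGDROP
}

#######################################
# Forwarding for the qemu/kvm guest network, plus its NAT rule.
# Uses -m conntrack throughout for consistency with the INPUT chain
# (the original mixed in the older -m state alias here).
#######################################
setup_forward() {
  iptables -A FORWARD -d "$GUEST_NET" -o "$GUEST_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -s "$GUEST_NET" -i "$GUEST_IF" -j ACCEPT
  iptables -A FORWARD -i "$GUEST_IF" -o "$GUEST_IF" -j ACCEPT
  iptables -A FORWARD -o "$GUEST_IF" -j REJECT --reject-with icmp-port-unreachable
  iptables -A FORWARD -i "$GUEST_IF" -j REJECT --reject-with icmp-port-unreachable
  # POSTROUTING exists only in the nat (and mangle) tables, so -t nat is
  # required; without it the original command fails.  `! -d` is the
  # supported negation form (the original used the deprecated `-d !`).
  iptables -t nat -A POSTROUTING -s "$GUEST_NET" ! -d "$GUEST_NET" -j MASQUERADE
}

#######################################
# Outbound rules: drop a fixed list of TCP destination ports, accept the rest.
# These DROPs match on every interface including lo, so local clients of
# those ports are blocked too -- confirm that is intended.
#######################################
setup_output() {
  local port
  for port in "${OUTPUT_DROP_PORTS[@]}"; do
    iptables -A OUTPUT -p tcp -m tcp --dport "$port" -j DROP
  done
  # Redundant with the final ACCEPT; kept as the explicit allow the original had.
  iptables -A OUTPUT -p tcp -m tcp --dport 5901 -j ACCEPT
  iptables -A OUTPUT -j ACCEPT
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  command -v iptables >/dev/null || die "iptables not found in PATH"
  reset_tables
  setup_logdrop
  setup_input
  setup_forward
  setup_output
}

main "$@"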
A sample iptables configuration script
Posted by marian
on November 01, 2009