Saturday, May 28, 2016

Script to generate iptables' rules

This script generates a file in the format that iptables-restore understands.

After copying and saving this script as iptables-gera-up.sh in some path, you need to give it the execution bit.
It prints to stdout, so you just run it and redirect the output to the file you want to use. For example:


root@raposa:~# chmod +x path/iptables-gera-up.sh
root@raposa:~# path/iptables-gera-up.sh > /etc/iptables.up.rules
root@raposa:~# /etc/init.d/iptables.sh restart

Here it is, the complete script:
## By Dr Beco 2016-05-26  
 echo '#Generated by Dr Beco at '`date`  
 echo '*filter'  
 ## 1. Delete all existing rules  
 ##iptables -F  
   
 ## 2. Set default chain policies  
 echo ':INPUT DROP [0:0]'  
 echo ':FORWARD DROP [0:0]'  
 echo ':OUTPUT DROP [0:0]'  
   
 ##------------------------ Input traffic  
   
 ## HTTPS can communicate back  
 echo '-A INPUT -i wlan0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT'  
 echo '-A INPUT -i eth0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT'  
 ## HTTP can communicate back  
 echo '-A INPUT -i wlan0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT'  
 echo '-A INPUT -i eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT'  
 ## HTTP allow incomming: accepts new connections from outside (HTTP server)  
 #echo '-A INPUT -i wlan0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT'  
   
 ## PING from inside: get back pong  
 echo '-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT'  
 ## PING from outside: allow a ping in (server)  
 #echo '-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT'  
   
 ## localhost accepts traffic comming from local  
 echo '-A INPUT -i lo -j ACCEPT'  
   
 ## DNS allow outbound: we can get back the IP of a domain  
 echo '-A INPUT -i wlan0 -p udp -m udp --sport 53 -j ACCEPT'  
 echo '-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT'  
   
 ## SSH allow incomming: accepts new connections from outside (SSH server)  
 #echo '-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 ## SSH communicates back to the world  
 echo '-A INPUT -i wlan0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT'  
 echo '-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT'  
   
 ## FTP accepts new connections from outside (FTP server)  
 #echo '-A INPUT -i wlan0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT'  
   
 ## NTP server, we get back the time (we are client)  
 echo '-A INPUT -p udp -m udp --sport 123 -j ACCEPT'  
   
 ## Allow bittorent incomming client request (server)  
 #echo '-A INPUT -i wlan0 -p tcp -m tcp --dport 6881:8881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A INPUT -i eth0 -p tcp -m tcp --dport 6881:8881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A INPUT -i wlan0 -p udp -m udp --dport 7881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A INPUT -i eth0 -p udp -m udp --dport 7881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
   
 ## Allow bittorent incomming client request (client)  
 #echo '-A INPUT -i wlan0 -p tcp -m tcp --sport 6881:8881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A INPUT -i eth0 -p tcp -m tcp --sport 6881:8881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A INPUT -i wlan0 -p udp -m udp --sport 7881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A INPUT -i eth0 -p udp -m udp --sport 7881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
   
   
   
 ##------------------------ Output traffic  
   
 ## HTTPS can ask for new connections to the world  
 echo '-A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 echo '-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 ## HTTP can ask for new connections to the world  
 echo '-A OUTPUT -o wlan0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 echo '-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 ## HTTP allow incomming: we answer back connections (HTTP server)  
 #echo '-A OUTPUT -o wlan0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT'  
 #echo '-A OUTPUT -eth0 wlan0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT'  
   
 ## PING from inside: send ping  
 echo '-A OUTPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT'  
 ## PING from outside: give back a pong (server)  
 #echo '-A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT'  
 ## localhost can send traffic to local  
 echo '-A OUTPUT -o lo -j ACCEPT'  
 ## DNS allow outbound: we can ask the IP of a domain  
 echo '-A OUTPUT -o wlan0 -p udp -m udp --dport 53 -j ACCEPT'  
 echo '-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT'  
   
 ## SSH allow incomming: answer back connections from outside (SSH server)  
 #echo '-A OUTPUT -o wlan0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT'  
 #echo '-A OUTPUT -eth0 wlan0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT'  
 ## SSH we can ask for new connections to the world  
 echo '-A OUTPUT -o wlan0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 echo '-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT'  
   
 ## FTP server will answer back (FTP server)  
 #echo '-A OUTPUT -o wlan0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT'  
 #echo '-A OUTPUT -eth0 wlan0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT'  
   
 ## NTP server, we can ask the time (we are client)  
 echo '-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT'  
   
 ## Allow bittorent outgoing client request (server)  
 #echo '-A OUTPUT -o wlan0 -p tcp -m tcp --sport 6881:8881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A OUTPUT -o eth0 -p tcp -m tcp --sport 6881:8881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A OUTPUT -o wlan0 -p udp -m udp --sport 7881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A OUTPUT -o eth0 -p udp -m udp --sport 7881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
   
 ## Allow bittorent outgoing client request (client)  
 #echo '-A OUTPUT -o wlan0 -p tcp -m tcp --dport 6881:8881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A OUTPUT -o eth0 -p tcp -m tcp --dport 6881:8881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A OUTPUT -o wlan0 -p udp -m udp --dport 7881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
 #echo '-A OUTPUT -o eth0 -p udp -m udp --dport 7881 -m state --state NEW,ESTABLISHED -j ACCEPT'  
   
 echo 'COMMIT'  
 echo '#Done '`date`  
   
   

Happy hacking.

iptables - minimum setup

This is really all a home user needs:

  • HTTP / HTTPS (to use your browser)
  • PING (to outside only)
  • localhost needs to be able to communicate
  • DNS (domain name service - to translate between domain names and IP addresses)
  • NTP (to update the clock)
  • Optional: SSH (port 22), outbound only.


$./iptables-gera-up.sh                                                                  
 
                                                                                       
#Generated by Dr Beco at Sat May 28 00:12:52 BRT 2016       
                            
*filter                                                     
                            
:INPUT DROP [0:0]                                                     
                  
:FORWARD DROP [0:0]                                                     
                
:OUTPUT DROP [0:0]                                                                 
     
-A INPUT -i wlan0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
      
-A INPUT -i eth0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT  
     
-A INPUT -i wlan0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT  
     
-A INPUT -i eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT   
     
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT                          
     
-A INPUT -i lo -j ACCEPT
                                                                
-A INPUT -i wlan0 -p udp -m udp --sport 53 -j ACCEPT
                                    
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
                                     
-A INPUT -i wlan0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
       
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
        
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
                                            
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT 

-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT  
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
   
-A OUTPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
                            
-A OUTPUT -o lo -j ACCEPT
                                                               
-A OUTPUT -o wlan0 -p udp -m udp --dport 53 -j ACCEPT
                                   
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
                                    
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT  

-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT   
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
                                           
COMMIT
                                                                                  
#Done Sat May 28 00:12:52 BRT 2016