#!/bin/bash

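# --- Reset -------------------------------------------------------------------
# Flush the filter and mangle tables before the rule set is rebuilt.  --flush
# removes rules only; chain policies survive it, so any policy set by an
# earlier run stays in force until it is set again below.  The nat table is
# left untouched (commented) -- presumably unavailable or unused on this
# OpenVZ/venet0 guest; confirm before enabling those lines.
/sbin/iptables --flush
#/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush

# Allow unlimited traffic on the loopback interface.  This is appended first
# so that local services are never caught by the interface-agnostic DROP
# rules further down.
/sbin/iptables -A INPUT  -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Default policies for INPUT and OUTPUT are deliberately left alone (the DROP
# variants stay commented), i.e. ACCEPT unless something else changed them;
# the lockdown is done by the explicit rules that follow.
#/sbin/iptables --policy INPUT DROP
#/sbin/iptables --policy OUTPUT DROP

# Let replies to connections this host opened (and related traffic such as
# ICMP errors) through before the port-22 lockdown below.  Without this, the
# "drop everything but dport 22" rules also discard SYN/ACKs and DNS answers
# addressed to this host's ephemeral ports, so outbound connections from the
# host never complete -- even though the OUTPUT ACCEPT rules at the end of
# the script clearly expect them to.  The older `state` match is used rather
# than `conntrack` for wider availability; if connection tracking is not
# available inside this container the line fails to load and the behaviour
# is the same as before.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop every inbound TCP/UDP packet whose destination port is not 22, on any
# interface (the loopback ACCEPT above already exempts lo).  Note that this
# is appended before the per-service ACCEPT rules at the end of the script,
# so those rules are shadowed for new inbound connections.
# `! --dport 22` is the current negation syntax; the intrapositioned form
# `--destination-port ! 22` is deprecated and makes iptables warn on every
# run.  The `-i +` wildcard of the original was a no-op and has been dropped.
/sbin/iptables -A INPUT -p tcp ! --dport 22 -j DROP
/sbin/iptables -A INPUT -p udp ! --dport 22 -j DROP

# The OUTPUT counterparts of the two rules above used `-i`, which iptables
# refuses in the OUTPUT chain ("Can't use -i with OUTPUT"), so they were
# never installed and only produced an error on each run.  They are kept
# commented out rather than changed to `-o`: an OUTPUT rule dropping every
# dport != 22 would also drop this host's replies to inbound SSH sessions
# (whose destination port is the client's ephemeral port) and lock the
# administrator out.  Outbound traffic is therefore governed by the OUTPUT
# policy, which this script does not tighten.
#/sbin/iptables -A OUTPUT -p tcp ! --dport 22 -j DROP
#/sbin/iptables -A OUTPUT -p udp ! --dport 22 -j DROP

# Never route traffic through this host.
/sbin/iptables --policy FORWARD DROP

#/sbin/iptables -t nat --policy PREROUTING ACCEPT
#/sbin/iptables -t nat --policy OUTPUT ACCEPT
#/sbin/iptables -t nat --policy POSTROUTING ACCEPT
/sbin/iptables -t mangle --policy PREROUTING ACCEPT
/sbin/iptables -t mangle --policy OUTPUT ACCEPT

# Remove any pre-existing user-defined chains (they are empty after the
# flush above, which is what --delete-chain requires).
/sbin/iptables --delete-chain
#/sbin/iptables -t nat --delete-chain
/sbin/iptables -t mangle --delete-chain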

# --- Bogus TCP flag combinations ---------------------------------------------
# Drop TCP segments carrying flag combinations that never occur in legitimate
# traffic (the signatures of null/Xmas-style port scans).  Each table line is
# "<mask> <required>": the packet is dropped when, among the bits named in
# <mask>, exactly the bits in <required> are set.  In order:
#   ALL/NONE        every bit cleared
#   SYN,FIN         SYN and FIN both set
#   SYN,RST         SYN and RST both set
#   FIN,RST         FIN and RST both set
#   ACK,FIN -> FIN  FIN without the expected ACK
#   ACK,PSH -> PSH  PSH without the expected ACK
#   ACK,URG -> URG  URG without the expected ACK
# No -i is given, so these apply on every interface, including lo.
while read -r flag_mask flag_set; do
    /sbin/iptables -A INPUT -p tcp --tcp-flags "$flag_mask" "$flag_set" -j DROP
done <<'EOF'
ALL NONE
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,RST FIN,RST
ACK,FIN FIN
ACK,PSH PSH
ACK,URG URG
EOF


# --- Anti-spoofing on the public interface (venet0) --------------------------
# Refuse packets whose source address can never legitimately arrive from the
# Internet: RFC 1918 private ranges, loopback and the limited-broadcast
# address.  192.168.0.0/16 is left out, as in the original -- presumably
# venet0 can carry such addresses on this provider; confirm before adding it.
for spoofed_src in 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8 255.255.255.255; do
    /sbin/iptables -A INPUT -i venet0 -s "$spoofed_src" -j DROP
done
#/sbin/iptables -A INPUT -i venet0 -s 192.168.0.0/16 -j DROP

# Refuse malformed (destination 0.0.0.0) and limited broadcasts.
for bad_dst in 0.0.0.0 255.255.255.255; do
    /sbin/iptables -A INPUT -i venet0 -d "$bad_dst" -j DROP
done

# Multicast (224.0.0.0/4): never a valid source.  As a destination only UDP
# and IGMP (protocol 2) are accepted; everything else to a multicast group is
# dropped.  Order matters: the two ACCEPTs must precede the catch-all DROP.
# NOTE(review): the interface-wide "drop UDP unless dport 22" rule earlier in
# the script is evaluated first, so the UDP ACCEPT here only ever sees
# multicast UDP addressed to port 22.
/sbin/iptables -A INPUT -i venet0 -s 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -i venet0 -p udp -d 224.0.0.0/4 -j ACCEPT
/sbin/iptables -A INPUT -i venet0 -p 2 -d 224.0.0.0/4 -j ACCEPT
/sbin/iptables -A INPUT -i venet0 -p all -d 224.0.0.0/4 -j DROP

# Further bogon sources: reserved (240/4), "this" network (0/8), link-local
# (169.254/16) and TEST-NET-1 documentation space (192.0.2/24).  These stay
# after the multicast rules, as in the original, so a packet from one of
# these ranges to a multicast group is still judged by the multicast rules.
for spoofed_src in 240.0.0.0/4 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24; do
    /sbin/iptables -A INPUT -i venet0 -s "$spoofed_src" -j DROP
done

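# Return 0 when port $1 appears in IN_PORTS, an optional comma-separated list
# of ports supplied by the environment (nothing in this script sets it).  The
# match is a whole-word grep, so "113" is found in "22,113,80" but not in
# "1130"; an unset or empty IN_PORTS matches nothing.
port_listed() {
    printf '%s\n' "${IN_PORTS:-}" | tr ',' '\n' | grep -qw -- "$1"
}

# Unless ident/auth (113) is explicitly exposed, REJECT it rather than DROP
# it, so remote mail/IRC servers that probe ident get an immediate error
# instead of hanging until their timeout.  The original compared grep's
# output against "" and expanded $IN_PORTS unquoted; `-q` and
# "${IN_PORTS:-}" give the same decision without word-splitting or globbing
# surprises.  The redundant `-s 0/0 -d 0/0` (match anything) is gone.
# `--reject-with` is left at its default (icmp-port-unreachable); tcp-reset
# would be the more conventional answer for the TCP probe, but changing it
# alters what remote hosts observe, so that is left to a deliberate decision.
if ! port_listed 113; then
    /sbin/iptables -A INPUT -p tcp --dport 113 -j REJECT
    /sbin/iptables -A INPUT -p udp --dport 113 -j REJECT
fi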

# --- Per-service ACCEPT rules for the two public addresses on venet0 ---------
# NOTE(review): these rules are appended after the interface-wide "drop every
# TCP/UDP packet unless dport 22" rules near the top of the script, so with
# the chain in its current order no port listed here other than 22 can accept
# a new inbound connection; the rest are shadowed.  If these services are
# meant to be reachable, the ACCEPTs must be inserted before that DROP.
# Also note that 3306 (MySQL) is opened to 0/0 -- a large exposure should it
# ever become reachable; confirm that is intended.
# The --sport 1024:65535 match is not a security control (a client chooses
# its own source port) and is kept only for fidelity with the original.

public_addrs=(64.20.41.156 64.20.41.157)
tcp_in_ports=(20 21 22 25 53 80 110 143 3306)
tcp_out_ports=(21 22 25 37 43 53 80)

# TCP IN: one rule per (address, port), same order as the original listing.
for addr in "${public_addrs[@]}"; do
    for port in "${tcp_in_ports[@]}"; do
        /sbin/iptables -A INPUT -i venet0 -s 0/0 -d "$addr" -p tcp --sport 1024:65535 --dport "$port" -j ACCEPT
    done
done

# TCP OUT: ftp, ssh, smtp, time, whois, dns, http.  This script never sets
# the OUTPUT policy to DROP, so these only take effect if that policy is
# tightened elsewhere.
for port in "${tcp_out_ports[@]}"; do
    /sbin/iptables -A OUTPUT -o venet0 -p tcp --sport 1024:65535 --dport "$port" -j ACCEPT
done

# UDP IN: DNS queries to either public address.
for addr in "${public_addrs[@]}"; do
    /sbin/iptables -A INPUT -i venet0 -s 0/0 -d "$addr" -p udp --sport 1024:65535 --dport 53 -j ACCEPT
done

# UDP OUT: DNS queries originating from this host.
/sbin/iptables -A OUTPUT -o venet0 -p udp --sport 1024:65535 --dport 53 -j ACCEPT

# DNS server-to-server traffic (source port 53 to port 53), both directions.
for proto in udp tcp; do
    /sbin/iptables -A INPUT  -i venet0 -p "$proto" --sport 53 --dport 53 -j ACCEPT
    /sbin/iptables -A OUTPUT -o venet0 -p "$proto" --sport 53 --dport 53 -j ACCEPT
done


# NOTE(review): the script always reports success, even when an iptables call
# above failed (there is no `set -e` and no individual status is checked), so
# a caller such as an init script cannot tell a partially loaded rule set from
# a complete one.
exit 0

# Commented-out variant of the port-22 lockdown, kept for reference: it
# matches only connection-opening (SYN) segments, so non-SYN packets such as
# replies to connections this host opened are not dropped by it.  It also
# uses the deprecated intrapositioned negation (`--destination-port ! 22`);
# the current form is `! --dport 22`.
#/sbin/iptables -A INPUT -i venet0 -p tcp --syn --destination-port ! 22 -j DROP