iptables startup script

abourke · 09-30-2015, 04:16 AM

Hi,

Im trying to run iptables rules as startup script.

Code:

#!/bin/bash
# A sample firewall shell script
#IPT="/sbin/iptables"
#SPAMLIST="blockedip"
#SPAMDROPMSG="BLOCKED IP DROP"
SYSCTL="/sbin/sysctl"
#BLOCKEDIPS="/root/scripts/blocked.ips.txt"

# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
#$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
#$SYSCTL kernel.exec-shield=1
$SYSCTL kernel.randomize_va_space=1

#clear iptables
iptables -F
iptables -X

#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#accept everything no matter port on localhost
iptables -A INPUT -i lo -j ACCEPT

#allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow input on port 22
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#allow traffic going to specific outbound ports
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT

#drop anything that doesnt match the rules above
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

#clear ip6tables
ip6tables -F
ip6tables -X

#set default policy to drop
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

#drop anything that doesnt match the rules above
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j DROP
ip6tables -A FORWARD -j DROP

I placed my fw.sh (firewall script) in /etc/init.d

I then added a link to /etc/rc5.d like so:

Code:

ln -s /etc/init.d/fw.sh /etc/rc5.d/S99fw

On reboot it works sometimes. I don't know what I'm doing wrong. Can anyone help?

iptables is set to run automatically via

Code:

chkconfig --level 345 iptables on
chkconfig --level 345 ip6tables on

Gary Baker · 09-30-2015, 06:32 AM

Maybe I am wrong but don't you want to flush the rules before adding rules.

lazydog · 09-30-2015, 07:49 AM

Quote:

Originally Posted by Gary Baker

Maybe I am wrong but don't you want to flush the rules before adding rules.

OP is already doing this with

Code:

iptables -F

OP can you explain a bit more what is not working. I see some changes I would make to your rules but want to ensure what is not working.

michaelk · 09-30-2015, 08:03 AM

Depends on distribution and version but normally one does not need a separate start up script. You would put the sysctl directives in the /etc/sysctl.conf file. Load your rules using your script then save them with the service iptables save command.

You can run something like fail2ban which will add IPs to a blocked list if making to many failed login attempts.

landysaccount · 10-01-2015, 03:44 PM

On Debian I do it by simply adding it to rc.local:

Edit /etc/rc.local

and add the complete path to the script, for example, /root/myfw.sh.

myfw.sh needs to be executable: chmod +x /root/fw.sh

Hope that helps.

Rinndalir · 10-01-2015, 03:56 PM

I usually get all the rules into iptables then I do

Code:

iptables-save > /etc/iptables-start-rules

then this command on boot

iptables-restore < /etc/iptables-start-rules