Hi,
Im trying to run iptables rules as startup script.
Code:
#!/bin/bash
# A sample firewall shell script
#IPT="/sbin/iptables"
#SPAMLIST="blockedip"
#SPAMDROPMSG="BLOCKED IP DROP"
SYSCTL="/sbin/sysctl"
#BLOCKEDIPS="/root/scripts/blocked.ips.txt"
# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
#$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
#$SYSCTL kernel.exec-shield=1
$SYSCTL kernel.randomize_va_space=1
#clear iptables
iptables -F
iptables -X
#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#accept everything no matter port on localhost
iptables -A INPUT -i lo -j ACCEPT
#allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow input on port 22
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#allow traffic going to specific outbound ports
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT
#drop anything that doesnt match the rules above
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
#clear ip6tables
ip6tables -F
ip6tables -X
#set default policy to drop
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
#drop anything that doesnt match the rules above
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j DROP
ip6tables -A FORWARD -j DROP
I placed my fw.sh (firewall script) in /etc/init.d
I then added a link to /etc/rc5.d like so:
Code:
ln -s /etc/init.d/fw.sh /etc/rc5.d/S99fw
On reboot it works sometimes. I don't know what I'm doing wrong. Can anyone help?
iptables is set to run automatically via
Code:
chkconfig --level 345 iptables on
chkconfig --level 345 ip6tables on