# Location of the iptables binary used by every rule below, and a fixed,
# trusted command search path so the helper commands this script runs
# (ip, awk) resolve to system binaries only.
# NOTE(review): the chain flush and default policy are not in the lines shown
# here; this accept-list only restricts anything if INPUT's policy is DROP
# (or a final DROP rule exists) -- confirm where that is set.
IPTABLES='/sbin/iptables'
PATH='/sbin:/bin:/usr/sbin:/usr/bin'
# Allow everything from this host
# NOTE(review): this matches on source address only, with no interface
# restriction, so a packet arriving on an external interface with a forged
# source of $MYIP is accepted too.  An anti-spoof rule ahead of it such as
#   $IPTABLES -A INPUT ! -i lo -s $MYIP -j DROP
# (or rp_filter) would close that; be aware multicast sent by this host may be
# looped back on the sending interface and would then be caught by it.
$IPTABLES --append INPUT --source "$MYIP" --jump ACCEPT
# All ICMP addressed to this host.
$IPTABLES --append INPUT --destination "$MYIP" --protocol icmp --jump ACCEPT
# TCP to unprivileged ports: any segment that is not a bare SYN is accepted
# without consulting conntrack (a pre-stateful idiom).  That lets ACK/FIN
# probes and out-of-state segments through; if conntrack is loaded, the
# ESTABLISHED,RELATED rules for ports 1024:65535 later in this file already
# admit legitimate return traffic, so this rule is a candidate for removal.
$IPTABLES --append INPUT --destination "$MYIP" --protocol tcp --destination-port 1024: ! --syn --jump ACCEPT
# UDP to every unprivileged port is accepted unconditionally -- this is why
# the NFS and X11 ports have to be dropped explicitly elsewhere in this file,
# and why any other UDP service on a high port is reachable from anywhere.
$IPTABLES --append INPUT --destination "$MYIP" --protocol udp --destination-port 1024: --jump ACCEPT
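# Allow everything from localhost.  Match on the loopback interface rather
# than on source 127.0.0.1: the ingress interface cannot be forged by a
# remote sender, and this also admits loopback traffic that does not carry
# 127.0.0.1 as its source (other 127/8 addresses, or this host's own address
# talking to itself over lo), which the old address-only match did not cover.
$IPTABLES -A INPUT -i lo -j ACCEPT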
# Specifically block access to NFS and XWindows.  Necessary because these are
# ports >1024 and traffic to unprivileged ports is otherwise accepted by the
# per-address rules.  Because rules are appended with -A, these DROPs only
# take effect if they land in the chain ahead of those ACCEPTs.
# NOTE(review): 2049 is nfsd only.  rpcbind (111) does not appear in the
# accept rules below, but mountd/statd/lockd bind dynamic unprivileged ports
# unless pinned in the NFS configuration -- confirm they are pinned and
# blocked too, otherwise they stay reachable through the high-port accept.
$IPTABLES --append INPUT --protocol tcp --destination-port 2049 --jump DROP
$IPTABLES --append INPUT --protocol udp --destination-port 2049 --jump DROP
# X11 displays :0 through :63
$IPTABLES --append INPUT --protocol tcp --destination-port 6000:6063 --jump DROP
$IPTABLES --append INPUT --protocol udp --destination-port 6000:6063 --jump DROP
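# Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
# NOTE(review): no dhcp rule (udp 67/68) appears in this group despite the
# comment; it may live in a line not shown here -- confirm.
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
# Replies to this host's own DNS queries.  The previous rule matched only on
# "--sport 53 --dport 1024:", which any remote sender can satisfy by using
# source port 53 -- that let unsolicited UDP reach every unprivileged port.
# Conntrack marks the reply to a datagram we sent as ESTABLISHED, so match on
# that instead (the same -m state module the FTP rules in this file rely on).
$IPTABLES -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
# NOTE(review): NTP is udp/123; tcp/123 is not used by common NTP daemons and
# can probably be removed -- confirm nothing listens there first.
$IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
# NetBIOS/SMB are accepted from any source.  If this host has an interface
# facing an untrusted network, restrict these rules (and 445 below) with
# -s <LAN-CIDR> or -i <lan-if>; SMB should not be reachable from the Internet.
$IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT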
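# Inbound to the local FTP control port and active-mode data port.
# NOTE(review): a new connection *to* port 20 is not part of normal FTP
# (active-mode data connections originate from our port 20); return traffic
# is already admitted by the ESTABLISHED rule for --dport 20 below, so the
# unconditional accept for 20 is probably unnecessary -- confirm.
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
# Allow ftp-data for active connections
#$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT

# Track FTP connections to allow active and passive mode FTP
# RELATED only matches FTP data connections when the nf_conntrack_ftp helper
# is attached to the control connection.  On kernels with
# nf_conntrack_helper=0 (the default since 4.7) that requires an explicit
#   iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# plus the module being loaded.  Nothing in this script does that -- confirm
# it happens elsewhere, otherwise passive-mode data connections will not match.
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies from a remote server's control port when this host is the FTP
# client.  The previous rule also accepted NEW here, which let any remote
# host open a connection to any local port simply by sending from source
# port 21 (the classic source-port firewall bypass).  Replies to connections
# we opened are ESTABLISHED, so NEW is never needed.
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Generic stateful accept for unprivileged ports in either direction.
$IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT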
# Collect every IPv4 address on an interface that is up, minus 127.0.0.1, and
# add the per-address rules for each one.  Only 127.0.0.1 is excluded: any
# other loopback address configured on the host would get per-address rules.
# NOTE(review): $MY_IP here is a different variable from $MYIP used in the
# per-address rules -- the two names are easy to confuse.  If `ip` is missing
# or fails, MY_IP is empty and no per-address rules are added; nothing here
# reports that.
MY_IP=$(ip -o -4 addr show up | awk '{ a = $4; sub(/\/.*/, "", a); if (a != "127.0.0.1") print a }')
# Word-splitting on $MY_IP is intentional: one address per word.
for addr in $MY_IP; do
  my_ip "$addr"
done