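#!/bin/sh
# firewall script created by yannis tsopokis
# easily manage your firewall configuration
# visit http://tsopokis.gr for more info
#
# Usage: /etc/init.d/firewall {start|stop|status}
#
# Environment (optional):
#   IFACE     external interface the rules are bound to (default: eth0)
#   SSH_PORT  TCP port(s) to keep open for ssh, whitespace-separated;
#             auto-detected from the listening sshd when unset, falls
#             back to 22 when detection finds nothing
#
# Only IPv4 is configured here: the script calls iptables only, so any
# ip6tables ruleset is left exactly as it was.

#update-rc.d firewall start 57 2 3 4 5 . stop 57 0 1 6 .

IFACE=${IFACE:-eth0}

#######################################
# Succeed (return 0) when $1 is a decimal port number in 1..65535.
# Arguments: $1 - candidate port
#######################################
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

#######################################
# Print the TCP port(s) sshd is listening on, one per line, de-duplicated.
# Strips everything up to the last ':' of the lsof NAME column, so the
# IPv4 form "*:22" and the IPv6 form "[::]:22" both yield "22" (the old
# "awk -F:" split produced an empty field for the IPv6 form).
# Outputs:   port numbers on stdout; nothing if lsof is missing or no
#            sshd socket is in LISTEN state (lsof needs root to see it).
#######################################
detect_ssh_ports() {
  lsof -nP -iTCP 2>/dev/null \
    | awk '$1 == "sshd" && /LISTEN/ { sub(/.*:/, "", $9); print $9 }' \
    | sort -u
}

case "${1:-}" in
status)
  # Show iptables current config; -n avoids reverse DNS lookups, which
  # hang when this very ruleset (or the resolver) blocks DNS
  iptables -L -n -v
  ;;
start)
  # Resolve and validate the ssh port(s) BEFORE touching any rule, so a
  # detection failure cannot end in an INPUT DROP policy with no ssh rule
  # (i.e. an administrator lockout on a remotely managed host).
  if [ -z "${SSH_PORT:-}" ]; then
    SSH_PORT=$(detect_ssh_ports)
  fi
  if [ -z "$SSH_PORT" ]; then
    printf 'firewall: could not detect the sshd port, assuming 22\n' >&2
    SSH_PORT=22
  fi
  # word-splitting on $SSH_PORT is intended: one port per word
  for port in $SSH_PORT; do
    if ! is_port "$port"; then
      printf 'firewall: invalid ssh port "%s"\n' "$port" >&2
      exit 1
    fi
  done

  #Clear iptables entries
  iptables -F
  # Revert to default chains
  iptables -X
  # Allow incoming traffic from localhost
  iptables -A INPUT -i lo -j ACCEPT
  # Allow all ICMP on the external interface (the rule is not limited to
  # echo-replies: echo requests and ICMP error messages are accepted too)
  iptables -A INPUT -i "$IFACE" -p icmp -j ACCEPT
  # Allow replies to connections this host opened, for every protocol
  # (tcp, udp including DNS answers, icmp). This stateful rule replaces the
  # former "-p udp --sport 53 --dport 1024:65535" rule, which accepted any
  # packet sent from source port 53 to any unprivileged port regardless of
  # whether a query had been made.
  iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #iptables -A INPUT -p tcp -i "$IFACE" -d 192.168.131.102 -m state --state NEW -j ACCEPT
  # ssh connections; abort before the policies are tightened if the rule
  # cannot be installed, otherwise the host becomes unreachable over ssh
  for port in $SSH_PORT; do
    if ! iptables -A INPUT -p tcp -i "$IFACE" --dport "$port" --sport 1024:65535 -m state --state NEW -j ACCEPT; then
      printf 'firewall: failed to add ssh rule for port %s, not enabling DROP policy\n' "$port" >&2
      exit 1
    fi
  done
  # torrents and msn etc
  iptables -A INPUT -p tcp -i "$IFACE" --dport 6881 -m state --state NEW -j ACCEPT
  # web server
  #iptables -A INPUT -p tcp -i "$IFACE" --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
  #bootp
  #iptables -A INPUT -p udp -i "$IFACE" --dport 67 -m state --state NEW -j ACCEPT
  # tftp
  #iptables -A INPUT -p udp -i "$IFACE" --dport 69 -m state --state NEW -j ACCEPT

  # Default policies are set last, once the accept rules above are in place:
  # drop packets marked for forwarding, drop unsolicited incoming packets,
  # allow outgoing traffic.
  iptables -P FORWARD DROP
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  ;;
stop)
  #Clear iptables entries
  iptables -F
  # Revert to default chains
  iptables -X
  # Open everything again: accept forwarded and incoming packets
  iptables -P FORWARD ACCEPT
  iptables -P INPUT ACCEPT
  ;;
*)
  printf '%s\n' "Usage: /etc/init.d/firewall {start|stop|status}" >&2
  exit 1
  ;;
esac
exit 0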