Wrapper scripts for iptables

Sunday, January 17, 2016 » Firewall iptables

Flushing everything:

iptflush.sh:

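#!/bin/bash
# iptflush.sh — reset iptables and ip6tables to an empty, all-ACCEPT state.
#
# Sets the built-in filter policies to ACCEPT, then flushes and deletes every
# chain in the filter and mangle tables (plus nat and raw for IPv4). After this
# script the host accepts all traffic; it is meant to be followed by a script
# that installs a ruleset, such as iptdefault.sh.
#
# Needs root (CAP_NET_ADMIN). Exits 1 if no iptables tool is found or if any
# command fails; every command is still attempted so the tables end up as
# open as possible.
set -u

echo "Stopping firewall and allowing everyone..."

# Resolve the tools with command -v (POSIX) instead of which. A missing or
# non-executable tool is reported on stderr and skipped so the other address
# family is still flushed; previously an absent tool was dropped silently.
IPT4AND6=()
for tool in iptables ip6tables; do
  if path=$(command -v "${tool}") && [ -x "${path}" ]; then
    IPT4AND6+=("${path}")
  else
    printf '%s: "%s" command not found, skipping.\n' "$0" "${tool}" >&2
  fi
done
if [ "${#IPT4AND6[@]}" -eq 0 ]; then
  printf '%s: neither iptables nor ip6tables found.\n' "$0" >&2
  exit 1
fi

status=0
# Run one iptables command; on failure report it on stderr, remember it for
# the final exit status and keep going.
run() {
  "$@" || { printf '%s: failed: %s\n' "$0" "$*" >&2; status=1; }
}

for IPT in "${IPT4AND6[@]}"; do
  echo "Flushing ${IPT} rules ..."
  echo "   Setting all hooks to ACCEPT ..."
  run "${IPT}" -P INPUT ACCEPT
  run "${IPT}" -P FORWARD ACCEPT
  run "${IPT}" -P OUTPUT ACCEPT
  echo "   Flushing filter chain ..."
  run "${IPT}" -F
  run "${IPT}" -X
  echo "   Flushing mangle chain ..."
  run "${IPT}" -t mangle -F
  run "${IPT}" -t mangle -X
  # nat and raw are only flushed for IPv4; older kernels have no IPv6 nat
  # table. The tool's basename decides the family, not the whole path.
  if [[ ${IPT##*/} != ip6tables ]]; then
    echo "   Flushing nat chain ..."
    run "${IPT}" -t nat -F
    run "${IPT}" -t nat -X
    echo "   Flushing raw chain ..."
    run "${IPT}" -t raw -F
    run "${IPT}" -t raw -X
  fi
done

if [ "${status}" -eq 0 ]; then
  echo "All done!"
else
  printf '%s: finished with errors, see messages above.\n' "$0" >&2
fi
exit "${status}"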

The standard rule set:

iptdefault.sh:

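#!/usr/bin/env bash
# iptdefault.sh — install a minimal stateful default ruleset for IPv4 and IPv6.
#
# Policy: INPUT and FORWARD drop, OUTPUT accepts. Inbound traffic is accepted
# for loopback, for tracked connections (RELATED,ESTABLISHED), for echo
# requests and, on IPv6, for neighbour discovery. New TCP and UDP connections
# are dispatched to the user chains TCP and UDP, which are left empty here and
# filled per service by iptaccept.sh; everything else is rejected or dropped.
# iptflush.sh from the same directory is run first.
#
# Needs root (CAP_NET_ADMIN). Exits non-zero on the first failing command;
# because the DROP policies are set before any rule is appended, a failure
# leaves the host fail-closed rather than open.
set -u

# Locate the flush script next to this file rather than in the caller's
# working directory, and stop if it cannot be run: skipping the flush would
# append this ruleset on top of whatever is already loaded.
script_dir=$(cd -- "$(dirname -- "$0")" && pwd) || exit 1
"${script_dir}/iptflush.sh" || { printf '%s: iptflush.sh failed.\n' "$0" >&2; exit 1; }
# Between the flush (all ACCEPT) and the DROP policies below there is a brief
# unfiltered window; iptables-restore applies a ruleset atomically if that
# matters for the host.

IPT4AND6=()
for tool in iptables ip6tables; do
  if path=$(command -v "${tool}") && [ -x "${path}" ]; then
    IPT4AND6+=("${path}")
  else
    printf '%s: "%s" command not found, skipping.\n' "$0" "${tool}" >&2
  fi
done
if [ "${#IPT4AND6[@]}" -eq 0 ]; then
  printf '%s: neither iptables nor ip6tables found.\n' "$0" >&2
  exit 1
fi

# Run one rule command and abort the script on failure.
run() {
  "$@" || { printf '%s: failed: %s\n' "$0" "$*" >&2; exit 1; }
}

for IPT in "${IPT4AND6[@]}"; do
  # The tool's basename decides the address family.
  if [[ ${IPT##*/} == ip6tables ]]; then v6=1; else v6=0; fi

  # Default policies first, so anything failing further down fails closed.
  run "${IPT}" -P INPUT DROP
  run "${IPT}" -P FORWARD DROP
  run "${IPT}" -P OUTPUT ACCEPT
  # User chains that iptaccept.sh appends per-service ACCEPT rules to.
  run "${IPT}" -N TCP
  run "${IPT}" -N UDP
  run "${IPT}" -A INPUT -i lo -j ACCEPT
  run "${IPT}" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run "${IPT}" -A INPUT -m conntrack --ctstate INVALID -j DROP
  if (( v6 )); then
    # ICMPv6 echo request is type 128; 8 is the ICMPv4 number and matches
    # nothing useful here.
    run "${IPT}" -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 \
      -m conntrack --ctstate NEW -j ACCEPT
    # Neighbour discovery (RS/RA/NS/NA, types 133-136) is not covered by
    # conntrack and would otherwise hit the DROP policy, breaking IPv6 address
    # resolution. RFC 4861 requires hop limit 255 on these, which excludes
    # packets that crossed a router.
    for ndp_type in 133 134 135 136; do
      run "${IPT}" -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type "${ndp_type}" \
        -m hl --hl-eq 255 -j ACCEPT
    done
  else
    run "${IPT}" -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  fi
  run "${IPT}" -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  run "${IPT}" -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
  # Reject what the user chains did not accept so closed ports answer at once
  # instead of timing out. The tcp-reset rule applies to both families.
  if (( v6 )); then
    run "${IPT}" -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
    run "${IPT}" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  else
    run "${IPT}" -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    run "${IPT}" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    run "${IPT}" -A INPUT -j REJECT --reject-with icmp-proto-unreachable
  fi
done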

Allowing a service:

iptaccept.sh:

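#!/usr/bin/env bash
# iptaccept.sh — open one port in the TCP or UDP user chain created by
# iptdefault.sh, for both IPv4 and IPv6.
#
# Usage: iptaccept.sh protocol portnumber_or_name
#
# Requires Bash 4.x+ for the ${var,,} / ${var^^} case conversions.

# Protocol is normalised to lower case; the port is a number or a service
# name from /etc/services. Both are validated before they reach iptables.
PROTOCOL=${1,,}
PORT=${2-}

# Resolve the tools with command -v (POSIX) instead of which. A missing tool
# is reported on stderr and skipped so the other family is still configured.
IPT4=$(command -v iptables) || IPT4=
IPT6=$(command -v ip6tables) || IPT6=
IPT4AND6=()
for path in "${IPT4}" "${IPT6}"; do
  if [ -n "${path}" ] && [ -x "${path}" ]; then
    IPT4AND6+=("${path}")
  fi
done
if [ "${#IPT4AND6[@]}" -eq 0 ]; then
  printf '%s: neither iptables nor ip6tables found.\n' "$0" >&2
  exit 1
fi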

# Print the command synopsis on stdout; $0 is the script as it was invoked.
usage() {
  printf 'Usage: %s protocol portnumber_or_name\n\n' "$0"
  printf '  protocol: "TCP" or "UDP"\n'
  printf '  portnumber_or_name: ex. "22" or "ssh"\n'
}

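# Exactly two arguments; a usage error exits non-zero so a caller chaining
# with && notices it.
if [ "$#" -ne 2 ]; then
  usage >&2
  exit 2
fi

# Validate the port. A numeric port must be in 1..65535 (the regex is
# unquoted on purpose: quoting it would make [[ =~ ]] a literal comparison).
# Otherwise it must be a service name listed in /etc/services, compared as an
# exact whole-line match rather than a regex or substring test, so the value
# handed to iptables is exactly one of those names.
if [[ ${PORT} =~ ^[0-9]+$ ]]; then
  if (( PORT < 1 || PORT > 65535 )); then
    printf 'Port out of range: %s\n' "${PORT}" >&2
    exit 1
  fi
elif ! awk '!(/(^$|^#)/) {print $1}' /etc/services | grep -qxF -- "${PORT}"; then
  printf 'Unknown service: %s\n' "${PORT}" >&2
  exit 1
fi

# Validate the protocol against the two user chains iptdefault.sh creates.
case "${PROTOCOL}" in
  tcp|udp) ;;
  *)
    printf 'Unknown protocol: %s\n' "${PROTOCOL}" >&2
    exit 1
    ;;
esac

# The user chain is the upper-cased protocol name (TCP or UDP).
CHAIN=${PROTOCOL^^}
for IPT in "${IPT4AND6[@]}"; do
  [ -x "${IPT}" ] || { printf '%s: "%s" command not found.\n' "$0" "${IPT}" >&2; exit 1; }
  # Build the command as an array so every argument stays one word.
  rule=("${IPT}" -A "${CHAIN}" -p "${PROTOCOL}" -m "${PROTOCOL}" --dport "${PORT}" -j ACCEPT)
  printf '%s\n' "${rule[*]}"
  "${rule[@]}" || { printf '%s: failed: %s\n' "$0" "${rule[*]}" >&2; exit 1; }
done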