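#!/bin/sh
#
# Host firewall for a single Internet-facing server.
#
# Steps, in order:
#   1. load the FTP connection-tracking helper (for passive FTP data channels);
#   2. harden a few IPv4 sysctls (broadcast pings, source routing, SYN
#      cookies, ICMP redirects, reverse-path filtering);
#   3. flush the filter table and install a default-deny INPUT/FORWARD
#      ruleset with an explicit allow-list of services;
#   4. dump the resulting ruleset with iptables-save.
#
# Usage: run as root, no arguments. Re-running is safe because the filter
# table is flushed before the rules are appended.
#
# Keep this file in plain ASCII. Every iptables option below is written with
# two ASCII hyphens ("--dport", "--state", ...). A copy/paste that turns "--"
# into a single en-dash makes every iptables call fail with "unknown option",
# and since failures are not fatal the host is left with no firewall at all.
#
# This script only programs IPv4 (iptables). Nothing here touches ip6tables,
# so any IPv6 address on the host is not covered by these rules.

IPT=/sbin/iptables
IPT_SAVE=/sbin/iptables-save

# Run one iptables command.
# A failure is reported on stderr but does not stop the script, so that as
# much of the ruleset as possible is still applied (the final DROP and the
# DROP policies are what make a partial apply fail closed rather than open).
# Arguments: the iptables arguments, verbatim.
ipt() {
  "$IPT" "$@" || printf 'warning: iptables %s failed\n' "$*" >&2
}

# Set an IPv4 sysctl via /proc.
# Arguments: $1 - path relative to /proc/sys/net/ipv4, $2 - value to write.
set_ipv4_sysctl() {
  printf '%s\n' "$2" > "/proc/sys/net/ipv4/$1" ||
    printf 'warning: could not set net.ipv4.%s\n' "$1" >&2
}

# Accept NEW inbound TCP connections to a port.
# Arguments: $1 - destination port, $2 - optional source address/CIDR
#            (no $2 means "from anywhere").
allow_tcp() {
  if [ -n "${2:-}" ]; then
    ipt -A INPUT -p tcp --dport "$1" -s "$2" -m state --state NEW -j ACCEPT
  else
    ipt -A INPUT -p tcp --dport "$1" -m state --state NEW -j ACCEPT
  fi
}

# Accept NEW inbound UDP datagrams to a port.
# Arguments: $1 - destination port, $2 - optional source address/CIDR
#            (no $2 means "from anywhere").
allow_udp() {
  if [ -n "${2:-}" ]; then
    ipt -A INPUT -p udp --dport "$1" -s "$2" -m state --state NEW -j ACCEPT
  else
    ipt -A INPUT -p udp --dport "$1" -m state --state NEW -j ACCEPT
  fi
}

# Load the FTP conntrack helper so passive-mode data connections are
# classified RELATED and pass the state rule below.
# The module was renamed from ip_conntrack_ftp to nf_conntrack_ftp on
# newer kernels; try the new name first and fall back to the old one.
# NOTE(review): on recent kernels automatic helper assignment is disabled by
# default, so loading the module alone may not be enough; an explicit
# "-t raw ... -j CT --helper ftp" rule may be required -- verify on the
# target kernel.
load_ftp_helper() {
  /sbin/modprobe nf_conntrack_ftp 2>/dev/null ||
    /sbin/modprobe ip_conntrack_ftp ||
    printf 'warning: FTP conntrack helper not loaded\n' >&2
}

# Kernel-level hardening of the IPv4 stack.
harden_sysctls() {
  # Ignore ICMP echo requests sent to broadcast/multicast addresses (smurf).
  set_ipv4_sysctl icmp_echo_ignore_broadcasts 1

  # Drop source-routed packets.
  set_ipv4_sysctl conf/all/accept_source_route 0

  # Enable TCP SYN cookies (SYN-flood protection).
  set_ipv4_sysctl tcp_syncookies 1

  # Neither accept nor send ICMP redirects (route-hijacking vector).
  set_ipv4_sysctl conf/all/accept_redirects 0
  set_ipv4_sysctl conf/all/send_redirects 0

  # Strict reverse-path filtering: drop packets whose source address is
  # not routable back out the interface they arrived on (anti-spoofing).
  set_ipv4_sysctl conf/all/rp_filter 1

  # Uncomment to log packets with impossible source addresses.
  #set_ipv4_sysctl conf/all/log_martians 1
}

# Install the filter-table ruleset.
install_rules() {
  # Start from an empty filter table (nat/mangle/raw are left untouched).
  ipt --flush

  # Loopback is always allowed.
  ipt -A INPUT  -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT

  # Default-deny inbound and forwarded traffic. OUTPUT stays ACCEPT; the
  # commented line is the hook for an egress policy if one is ever wanted.
  ipt --policy INPUT   DROP
  #ipt --policy OUTPUT DROP
  ipt --policy FORWARD DROP

  # Packets belonging to already-accepted connections (and RELATED ones such
  # as FTP data channels) bypass the per-service rules. All outbound traffic
  # is allowed.
  ipt -A INPUT  -m state --state ESTABLISHED,RELATED     -j ACCEPT
  ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # SSH from anywhere.
  allow_tcp 22

  # SNMP, only from the monitoring hosts.
  allow_udp 161 213.171.217.173
  allow_udp 161 213.171.201.36
  allow_udp 161 10.44.53.36

  # HTTP / HTTPS.
  allow_tcp 80
  allow_tcp 443

  # VNC display :1 (5901) and X11 display :1 (6001), from anywhere.
  # NOTE(review): these are unauthenticated-by-default remote-desktop
  # protocols exposed to every source address. They presumably belong to the
  # "build process" section below; restrict them with a source address or
  # remove them once the build is done.
  allow_tcp 5901
  allow_tcp 6001

  # DNS (udp and tcp).
  allow_udp 53
  allow_tcp 53

  # TFTP. TFTP runs over UDP only; the TCP rule presumably matches nothing
  # and can likely be dropped -- confirm nothing listens on tcp/69.
  allow_udp 69
  allow_tcp 69

  # SMTP.
  allow_tcp 25

  # POP3 and IMAP (plaintext ports).
  allow_tcp 110
  allow_tcp 143

  # NTP.
  allow_udp 123

  # FTP control (21) and active-mode data (20).
  # With the conntrack helper loaded, passive data connections are RELATED;
  # an inbound NEW rule for port 20 is presumably unnecessary -- confirm.
  allow_tcp 20
  allow_tcp 21

  # MySQL, from anywhere.
  # NOTE(review): exposing the database port to all sources is unusual for a
  # public host; restrict it to the application hosts' addresses if possible.
  # MySQL does not use UDP, so the udp/3306 rule presumably matches nothing.
  allow_tcp 3306
  allow_udp 3306

  # Plesk control panel ports, only when Plesk is installed.
  if [ -e /etc/psa ]; then
    allow_tcp 8443
    allow_tcp 8880
    allow_tcp 11444
  fi

  # Listeners required for build processes (should be removed post build).
  # (none at present)

  # Optional: rate-limited logging of what is about to be dropped.
  #ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "

  # Drop all other inbound traffic (belt and braces with the DROP policy).
  ipt -A INPUT -j DROP
}

main() {
  load_ftp_helper
  harden_sysctls
  install_rules

  # iptables-save writes the live ruleset to stdout; it does not persist it.
  # To survive a reboot, redirect this into the distribution's rules file
  # (or re-run this script at boot).
  "$IPT_SAVE"
}

main "$@"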
