Make iptables configuration persistent using a systemd unit, with the additional possibility of disabling the firewall after a defined period of time.

## Shell script

Create the /sbin/iptables-firewall.sh shell script and edit its firewall_start function to apply the custom iptables configuration.

```bash
# Define chain to allow particular source addresses
iptables -A chain-incoming-ssh -s 192.168.1.149 -j ACCEPT -m comment --comment "local access"
iptables -A chain-incoming-ssh -p tcp --dport 22 -j LOG --log-prefix " " -m limit --limit 6/min --limit-burst 4

# Define chain to log and drop incoming packets
iptables -A chain-incoming-log-and-drop -j LOG --log-prefix " " -m limit --limit 6/min --limit-burst 4
iptables -A chain-incoming-log-and-drop -j DROP

# Define chain to log and drop outgoing packets
iptables -A chain-outgoing-log-and-drop -j LOG --log-prefix " " -m limit --limit 6/min --limit-burst 4
iptables -A chain-outgoing-log-and-drop -j DROP

# Drop packets that do not belong to any known connection
iptables -A INPUT -m conntrack --ctstate INVALID -j chain-incoming-log-and-drop
# Accept incoming packets for established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j chain-incoming-ssh

# Accept outgoing packets for established connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

# Log and drop everything else
iptables -A FORWARD -j chain-incoming-log-and-drop
iptables -A OUTPUT -j chain-outgoing-log-and-drop
```

Two things to check before relying on this ruleset: the user-defined chains (chain-incoming-ssh, chain-incoming-log-and-drop and chain-outgoing-log-and-drop) must be created with `iptables -N` before any rule jumps to them, and the listing above ends with terminal log-and-drop jumps only for FORWARD and OUTPUT, so INPUT still needs a final jump to chain-incoming-log-and-drop (or a DROP policy); otherwise incoming packets that match no rule are accepted. Note also that the `-j LOG` rule in chain-incoming-ssh only logs; the packet then returns to INPUT and is handled by whatever follows there.

Ensure that the shell script is owned by root.

```
$ sudo chown root:root /sbin/iptables-firewall.sh
```

Ensure that the script is executable.
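As an added example (this is not the script from the original post), the same policy written as a complete firewall script that emits the ruleset in iptables-restore format, so the whole table is loaded atomically instead of rule by rule, and statically checks it before anything touches the kernel. Everything beyond the post's rules is an assumption made here: DROP policies on all three built-in chains plus loopback accept rules, a terminal DROP in the SSH chain to avoid double logging, the LOG_PREFIX text, the check_ruleset function, and the firewall_pause helper that uses systemd-run to turn the firewall back on after a delay (the post's own systemd timing mechanism is not reproduced).

```shell
#!/bin/bash
# Added example, not the original post's script. Emits the post's ruleset in
# iptables-restore(8) format so the whole policy loads atomically, checks it
# first, and wraps start/stop/pause. Assumptions (not from the post): DROP
# policies plus loopback rules, the LOG_PREFIX text, check_ruleset, and the
# systemd-run based pause helper.
set -u

SSH_ALLOW_FROM="${SSH_ALLOW_FROM:-192.168.1.149}"   # admin host from the post
LOG_PREFIX="${LOG_PREFIX:-iptables }"               # assumed prefix text
LOG_LIMIT="-m limit --limit 6/min --limit-burst 4"  # rate limit from the post

# Print the complete filter table. Chains are declared (':name') before any
# rule jumps to them, and LOG always precedes DROP so rejected packets are
# recorded. The SSH chain ends in DROP so a denied SSH packet is logged once,
# not again by the INPUT catch-all.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:chain-incoming-ssh - [0:0]
:chain-incoming-log-and-drop - [0:0]
:chain-outgoing-log-and-drop - [0:0]
-A chain-incoming-ssh -s ${SSH_ALLOW_FROM} -m comment --comment "local access" -j ACCEPT
-A chain-incoming-ssh ${LOG_LIMIT} -j LOG --log-prefix "${LOG_PREFIX}ssh-denied: "
-A chain-incoming-ssh -j DROP
-A chain-incoming-log-and-drop ${LOG_LIMIT} -j LOG --log-prefix "${LOG_PREFIX}in-drop: "
-A chain-incoming-log-and-drop -j DROP
-A chain-outgoing-log-and-drop ${LOG_LIMIT} -j LOG --log-prefix "${LOG_PREFIX}out-drop: "
-A chain-outgoing-log-and-drop -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j chain-incoming-log-and-drop
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j chain-incoming-ssh
-A INPUT -j chain-incoming-log-and-drop
-A FORWARD -j chain-incoming-log-and-drop
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -j chain-outgoing-log-and-drop
COMMIT
EOF
}

# Static check on a ruleset read from stdin: every jump target must be a
# built-in target or a chain declared earlier in the table, and every LOG rule
# must be rate-limited so a packet flood cannot fill the disk with log lines.
check_ruleset() {
    local line target rc=0 defined=" ACCEPT DROP REJECT RETURN LOG "
    while IFS= read -r line; do
        case "$line" in
            :*) target="${line#:}"; defined="${defined}${target%% *} " ;;
            -A*)
                if [[ "$line" != *" -j "* ]]; then continue; fi
                target="${line##*-j }"; target="${target%% *}"
                if [[ "$defined" != *" $target "* ]]; then
                    echo "undeclared jump target '$target': $line" >&2; rc=1
                fi
                if [[ "$target" == LOG && "$line" != *"-m limit"* ]]; then
                    echo "unlimited LOG rule: $line" >&2; rc=1
                fi ;;
        esac
    done
    return $rc
}

firewall_start() {
    build_ruleset | check_ruleset || { echo "ruleset rejected, not loading" >&2; return 1; }
    build_ruleset | iptables-restore
}

firewall_stop() {
    iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT
    iptables -F; iptables -X
}

# Lift the firewall and let systemd re-run this script after the given delay,
# e.g. "10min" (assumption: a systemd host with systemd-run available).
firewall_pause() {
    firewall_stop
    systemd-run --on-active="$1" --unit=iptables-firewall-resume "$(readlink -f "$0")" start
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    pause) firewall_pause "${2:-10min}" ;;
    check) build_ruleset | check_ruleset && echo "ruleset ok" ;;
    show)  build_ruleset ;;
esac
```

Run `./iptables-firewall.sh check` (or `show`) as an unprivileged user to validate the generated table before `start` loads it as root; the check deliberately rejects a jump to a chain that has not been declared and any `-j LOG` without `-m limit`, the two mistakes that silently produce either a failed load or an unbounded log.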