Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

instantni-vps/salt/iptables/firewall

Go to file
 
 
Cannot retrieve contributors at this time
108 lines (92 sloc) 3.24 KB
Raw Blame
Open in GitHub Desktop
#!/bin/bash
# Start/stop/restart firewall
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: iptables
# Description: iptables
### END INIT INFO
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
firewall_start() {
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Set default policy to DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD DROP
# Flush old rules
$IPT -F
$IPT6 -F
# Allow loopback traffic
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
# icmp
$IPT -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT
{%- for iface in grains['ip_interfaces'].keys() %}
{% if iface != "lo" %}
#Interface "{{ iface }}"
$IPT -A INPUT -i {{ iface }} -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A INPUT -i {{ iface }} -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow services
$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 25 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 465 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 587 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 993 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i {{ iface }} -p tcp --destination-port {{ pillar.ssh_port }} -m state --state NEW -j ACCEPT
$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 25 -m state --state NEW -j ACCEPT
$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 465 -m state --state NEW -j ACCEPT
$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 587 -m state --state NEW -j ACCEPT
$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 993 -m state --state NEW -j ACCEPT
$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port {{ pillar.ssh_port }} -m state --state NEW -j ACCEPT
{% endif %}
{%- endfor %}
}
firewall_stop() {
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT6 -F
$IPT6 -X
$IPT6 -P INPUT ACCEPT
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD ACCEPT
}
firewall_restart() {
firewall_stop
firewall_start
}
case "$1" in
'start')
firewall_start
;;
'stop')
firewall_stop
;;
'restart')
firewall_restart
;;
*)
firewall_start
esac