Linux Iptables Firewall Shell Script For Standalone Server

by on February 28, 2009 · 12 comments

A shell script with iptables rules for a web server (no need for APF or CSF): run it from /etc/rc.local and you are done. Save the following script as /root/scripts/fw.start:

  #!/bin/bash
  # A Linux shell script with common rules for an iptables firewall.
  # By default this script only opens ports 80, 22 and 53 for incoming traffic (INPUT).
  # All outgoing traffic is allowed (OUTPUT).
  # -------------------------------------------------------------------------
  # Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>
  # This script is licensed under GNU GPL version 2.0 or above
  # -------------------------------------------------------------------------
  # This script is part of nixCraft shell script collection (NSSC)
  # Visit http://bash.cyberciti.biz/ for more information.
  # -------------------------------------------------------------------------

  IPT="/sbin/iptables"
  SPAMLIST="blockedip"
  SPAMDROPMSG="BLOCKED IP DROP"

  echo "Starting IPv4 Wall..."
  # Flush all rules and delete all user-defined chains in every table, so we start clean
  $IPT -F
  $IPT -X
  $IPT -t nat -F
  $IPT -t nat -X
  $IPT -t mangle -F
  $IPT -t mangle -X
  # Connection tracking is required by the "-m state" rules below
  # (the module is named nf_conntrack on newer kernels)
  modprobe ip_conntrack

  # Optional blocklist: one IP address or CIDR block per line; '#' comments and blank lines are ignored
  [ -f /root/scripts/blocked.ips.txt ] && BADIPS=$(grep -v -E "^#|^$" /root/scripts/blocked.ips.txt)

  # Public (Internet-facing) interface; change this if your server uses e.g. eth1
  PUB_IF="eth0"

  # Unlimited traffic on the loopback interface
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT

  # DROP all traffic by default; everything allowed is listed explicitly below
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP

  if [ -f /root/scripts/blocked.ips.txt ];
  then
  # create a new iptables chain for the blocklist
  $IPT -N $SPAMLIST

  # log and drop every packet from a blocklisted address
  for ipblock in $BADIPS
  do
  $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
  $IPT -A $SPAMLIST -s $ipblock -j DROP
  done

  # insert the blocklist chain at the top of the built-in chains
  $IPT -I INPUT -j $SPAMLIST
  $IPT -I OUTPUT -j $SPAMLIST
  $IPT -I FORWARD -j $SPAMLIST
  fi

  # Block NEW TCP connections that do not start with a SYN packet
  $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
  $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

  # Block fragmented packets
  $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
  $IPT -A INPUT -i ${PUB_IF} -f -j DROP

  # Block malformed TCP flag combinations (port-scan and stack-fingerprint probes)
  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS packets

  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

  $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  # Allow full outgoing connections, but only replies to them coming in
  $IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # Allow ssh
  $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

  # Allow incoming ICMP echo requests (ping) and our echo replies
  $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow port 53 tcp/udp (DNS server)
  $IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

  $IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Open port 80 (HTTP)
  $IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
  ##### Add your rules below ######

  ##### END your rules ############

  # Do not log smb/windows sharing packets - too much logging
  $IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
  $IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

  # Log everything else and drop it
  $IPT -A INPUT -j LOG
  $IPT -A FORWARD -j LOG
  $IPT -A INPUT -j DROP

  exit 0
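The blocklist loop above hands every line of blocked.ips.txt straight to `iptables -s`, so a single typo aborts the chain half-built. As an added example (not part of the nixCraft script), the helpers below read the file the same way, validate each entry as an IPv4 address or CIDR block first, and print the LOG/DROP rule pair in dry-run form for review; the sample files are constructed and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not part of the nixCraft firewall script. It reuses the script's
# variables and blocklist file format (one IPv4/CIDR per line, '#' comments, blank lines).
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"

# Entries of a blocklist file: skip '#' comments and blank lines, keep the first word only.
read_blocklist() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | awk '{print $1}'
}

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_block() {
    printf '%s\n' "$1" | grep -E -q '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${1%%/*}
    prefix=${1#"$addr"}; prefix=${prefix#/}
    [ -z "$prefix" ] || [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the LOG+DROP rule pair for every entry, or print nothing and fail if any entry is bad,
# so iptables is never left with a partially populated chain.
blocklist_rules() {
    entries=$(read_blocklist "$1")
    for entry in $entries; do
        valid_ipv4_block "$entry" || { echo "rejecting blocklist: bad entry '$entry'" >&2; return 1; }
    done
    for entry in $entries; do
        printf '%s -A %s -s %s -j LOG --log-prefix "%s"\n' "$IPT" "$SPAMLIST" "$entry" "$SPAMDROPMSG"
        printf '%s -A %s -s %s -j DROP\n' "$IPT" "$SPAMLIST" "$entry"
    done
}

# Constructed sample blocklists (documentation TEST-NET ranges, not real offenders)
GOOD_LIST=$(mktemp); BAD_LIST=$(mktemp)
trap 'rm -f "$GOOD_LIST" "$BAD_LIST"' EXIT
printf '# spam sources\n203.0.113.7\n\n198.51.100.0/24   # whole scanner range\n' > "$GOOD_LIST"
printf '203.0.113.7\n192.0.2.300\n' > "$BAD_LIST"

blocklist_rules "$GOOD_LIST"        # prints four iptables commands
blocklist_rules "$BAD_LIST" || echo "bad list rejected, no rules emitted"
```

Replace the `printf` calls with `$IPT` invocations (or pipe the output to `sh`) once the output has been reviewed.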

How do I install and use this script?

Type the following commands as root on the server:
# mkdir /root/scripts
# cd /root/scripts
# wget http://bash.cyberciti.biz/dl/381.sh.zip
# wget http://bash.cyberciti.biz/dl/151.sh.zip
# unzip 381.sh.zip
# unzip 151.sh.zip
# mv 381.sh start.fw
# mv 151.sh stop.fw
# chmod +x *.fw

Now edit the firewall as per your requirements:
# vi /root/scripts/start.fw
Install the firewall so it starts at boot:
# echo '/root/scripts/start.fw' >> /etc/rc.local

How do I start firewall from a shell prompt?

# /root/scripts/start.fw

How do I stop firewall from a shell prompt?

# /root/scripts/stop.fw




  • WAHIL

    It seems really good. I’ll try it very soon. Thanks!

  • wi77iam

    Nice script, how would you open ftp with tls?

  • Chaplu

    Not helping at all.

    I tried, but still getting DDoS.

  • harold

    When I start the script ssh is not working anymore and nothing else is working, totally firewalled. What might be the problem?

  • harold

    Never mind I found it, I was using another adapter so I changed the script to use eth1

  • hp1

    I think this is a very good script, but one mistake left inside:
    egrep -v -E
    Do you mean -e ? Option called -E doesn’t exist in my egrep version :)

  • Dlugi

    Something is wrong with your script, because DNS resolving doesn't work… so, for example, using your script I can't log in to Roundcube mail.

    Please correct this.

  • Canis Lupus

    This ain't a charity, mate; you didn't even say thank you to this guy who spent HIS time to create this script and distribute it openly, so at least show some appreciation and common sense.

    He doesn't have to fix anything. If you're managing a firewall, the least you can do is learn how it works or even read a log to find out why it's not letting you… however, it should work fine.

  • lactose

    In addition, the script does not allow mail. You have to open whatever port you use for that.

  • John B.

    This is about the time we should learn how to appreciate one another. We should all learn to live in LOVE, harmony and appreciation. Whoever wrote this script, from the bottom of my heart I say thank you a millionfold.
    John B.

  • gilligoon

    port 20-21

  • ruud berry

    Why DROP, REJECT is better..
