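#!/bin/sh
# init.d/localfw
#
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Host firewall (iptables) rules
# Description:       Loads a default-deny IPv4 iptables rule set for this host.
### END INIT INFO
#
# Scope: only IPv4 (iptables, 'filter' table) is configured. ip6tables is
# never touched, so if IPv6 is enabled on this host it keeps the kernel
# default policy (ACCEPT) -- review separately if IPv6 is reachable.
#
# Rule insertion failures are deliberately not fatal: aborting after the
# DROP policies have been applied but before the SSH ACCEPT rule would
# lock the administrator out. Errors are still printed by iptables itself.

# Name used in status messages.
NAME=localfw

#######################################
# Load the netfilter modules the rule set depends on.
# The FTP connection-tracking helper was renamed nf_conntrack_ftp; fall
# back to the legacy ip_conntrack_ftp name on older kernels. A missing
# helper is tolerated: FTP data channels then simply do not match RELATED.
#######################################
load_modules() {
  modprobe ip_tables
  modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp || true
}

#######################################
# Drop every rule and user-defined chain in the 'filter' table.
# Policies are left unchanged; the caller sets them.
#######################################
flush_rules() {
  iptables --flush
  iptables --delete-chain
}

#######################################
# Install the default-deny rule set.
# Globals:   none
# Arguments: none
# Outputs:   iptables diagnostics on stderr
#######################################
do_start() {
  load_modules
  flush_rules

  # Default-deny in every direction; everything below is an explicit allow.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  # Loopback is fully trusted.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Replies and helper-related connections for sessions already allowed.
  # NOTE(review): on kernels >= 4.7 automatic helper assignment is off by
  # default, so FTP data channels may need an explicit CT helper rule to be
  # classified as RELATED -- confirm on the target kernel.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Inbound services offered by this host: SSH (22), FTP (21), HTTP (80),
  # HTTPS (443), VNC (5900) and VNC-over-HTTP (5800).
  for port in 22 21 80 443 5900 5800; do
    iptables -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done

  # Log what the policy is about to drop. The rate limit keeps a flood of
  # unsolicited packets from filling the log partition.
  iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "Dropped by default (INPUT):"

  # Outbound: replies to accepted sessions, DNS over UDP, and the client
  # connections this host is allowed to open: FTP (21), SSH (22), HTTP (80),
  # SMTP (25), HTTPS (443) and 8443. Note that no ICMP is allowed out, so
  # e.g. outbound ping from this host is dropped.
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  for port in 21 22 80 25 443 8443; do
    iptables -A OUTPUT -p tcp --dport "$port" -j ACCEPT
  done

  iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "Dropped by default (OUTPUT):"
}

#######################################
# Remove the rule set and return to the kernel default of ACCEPT, so that
# "stop" really stops filtering instead of silently keeping the rules.
# This leaves the host unfiltered until "start" runs again.
#######################################
do_stop() {
  flush_rules
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}

#######################################
# Report whether the rule set is loaded, judged by the INPUT policy.
# Returns: 0 when loaded, 3 (LSB "not running") otherwise.
#######################################
do_status() {
  if iptables -S INPUT 2>/dev/null | grep -q '^-P INPUT DROP$'; then
    echo "$NAME: firewall rules loaded (INPUT policy DROP)"
    iptables -L -n -v
    return 0
  fi
  echo "$NAME: firewall rules not loaded" >&2
  return 3
}

case "$1" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart | reload | force-reload)
    # Called in-process rather than re-executing "$0", which avoids a second
    # interpreter start and an unquoted script path.
    do_stop
    do_start
    ;;
  status)
    do_status
    exit $?
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|force-reload|status}" >&2
    exit 1
    ;;
esac
exit 0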