
Set up iptables for a webserver


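#!/bin/bash
#
# Set up iptables for a webserver.
#
# Builds an IPv4 filter ruleset for a host that serves HTTP/HTTPS and is
# administered over SSH from one trusted address, restarts fail2ban so it
# can re-insert its own chains, then persists the result.
#
# Environment:
#   ADMIN_SSH_CIDR  source address/CIDR allowed to open new SSH sessions
#                   (default: 31.221.84.114/32)
#   WEB_PORTS       comma-separated TCP ports served to the world
#                   (default: 80,443)
#
# Scope: only the IPv4 tables are programmed; ip6tables is not touched, so
# an IPv6-reachable host needs a matching ip6tables ruleset as well.
#
# Run this from a client inside ADMIN_SSH_CIDR or from the console: after
# the final INPUT DROP, new SSH sessions from any other address are dropped
# (an already-established session survives via the ESTABLISHED rule).

set -euo pipefail

logger Configuring iptables

readonly ADMIN_SSH_CIDR="${ADMIN_SSH_CIDR:-31.221.84.114/32}"
readonly WEB_PORTS="${WEB_PORTS:-80,443}"

# Every rule goes through this wrapper; with set -e the script aborts on the
# first failing rule, so a half-built ruleset is never persisted by the save
# at the end.
ipt() {
  sudo iptables "$@"
}

# Flush existing rules in the filter table. -F keeps user-defined chains and
# the chains' default policies; the explicit DROP at the end of INPUT stands
# in for a DROP policy.
ipt -F

# Allow SSH only from the admin address. Replies leave the host from source
# port 22, hence --sport on the OUTPUT side.
ipt -A INPUT -p tcp -s "$ADMIN_SSH_CIDR" --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ipt -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow loopback traffic
ipt -A INPUT -i lo -j ACCEPT
ipt -A OUTPUT -o lo -j ACCEPT

# Allow established and related incoming connections
ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow established outgoing connections
ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Drop invalid packets
ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

# Allow incoming HTTP and HTTPS. Replies to those connections leave the
# server *from* the web ports, so the OUTPUT rule matches --sports (mirroring
# the SSH rule above); --dports here would instead describe outbound
# connections to other web servers.
ipt -A INPUT -p tcp -m multiport --dports "$WEB_PORTS" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ipt -A OUTPUT -p tcp -m multiport --sports "$WEB_PORTS" -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Drop traffic we're not allowing. OUTPUT gets no terminal DROP, so outbound
# connections are governed by whatever policy that chain already has
# (ACCEPT on a stock install).
ipt -A INPUT -j DROP

# Restart Fail2Ban to get its chains set up
sudo service fail2ban restart

# Save all changes
# NOTE(review): the save runs after the fail2ban restart, so whatever
# fail2ban has inserted is persisted too; confirm that is intended before
# relying on the saved file at boot.
sudo invoke-rc.d iptables-persistent save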