
IPtables bash script



Hello All, I have taken up to writing this bash script to change my
iptables rules. It seems the only issue I've found is that it seems to
not want to connect to certain websites at some moments and not
others, or generally but sometimes it lets it through without
changing anything. This completely stops if I add RELATED to my OUTPUT
ACCEPT next to NEW, just not sure how that impacts security exactly.

Also, any advice on making this script better, or stronger per
security, would be appreciated as this is both my first time scripting
in bash from scratch and my first IPTABLES venture.

Oh, and don't mind the echo lines, those are solely for my
entertainment upon running.

#!/bin/sh

IPT=/sbin/iptables
IP6=/sbin/ip6tables

echo "[+]                                       ENTRY PLUG EJECTED, READY FOR PILOT ENTRY"
read OK

echo " $OK                                          ENTRY PLUG INSERTION COMPLETE"

echo "[+]  Flooding the cockpit with LCL. Don't try and hold your breath, just breath normal. It's weird at first, but you'll get used to it "

$IPT -F
$IPT -F -t nat
$IPT -X

echo "[+] Synch ratio 99%, within permissable parameters..."

$IP6 -P INPUT DROP
$IP6 -P FORWARD DROP
$IP6 -P OUTPUT DROP

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

## INPUT  Rules ###

echo "[+] AT Field is active, moving EVA UNIT 1 to elevator 24..."

$IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_DROPS" --log-ip-options --log-tcp-options
$IPT -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "NEW_DROPS" --log-ip-options --log-tcp-options
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT

## FORWARD Rules ##

#$IPT -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_FORWARD" --log-ip-options --log-tcp-options
#$IPT -A FORWARD -i lo -j ACCEPT
#$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
#$IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

## OUTPUT Rules ##

echo "[+] It's up to you now, Shinji..."

$IPT -A OUTPUT --out-interface lo -j ACCEPT # Allows ALL Loopback traffic
$IPT -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT # Only allow NEW connection outbound.
$IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT # Allows Privoxy via HTTP and HTTPS
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT # ACCEPT outbound https
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT # ACCEPT outbound http (DO NOT LEAVE ACTIVE!)
$IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT # Allows ALL root requests

