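# Generate a host firewall script under "$SCRIPT_DIR/linux", apply it once,
# persist the rules, and install a systemd oneshot unit that re-applies the
# script on boot. Requires root (writes /etc and drives iptables/systemctl).
# SCRIPT_DIR is expected to be set earlier in this file; abort rather than
# write to "/linux/iptables.sh" if it is missing.
: "${SCRIPT_DIR:?SCRIPT_DIR must be set}"
IPTABLES_SCRIPT="$SCRIPT_DIR/linux/iptables.sh"

# Quoted delimiter: nothing in the generated script should be expanded at
# generation time ($EUID and the u32 match string are evaluated when the
# generated script itself runs), so no backslash-escaping is needed.
cat <<'EOF' > "$IPTABLES_SCRIPT"
#!/usr/bin/env bash
if [[ $EUID -ne 0 ]]; then
  printf 'Must be run as root, exiting!\n' >&2
  exit 1
fi

# Empty all rules (filter table only; nat/mangle/raw are left untouched)
iptables -t filter -F
iptables -t filter -X

# Block everything by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# Authorize already established connections. An existing admin session (e.g.
# SSH) survives through this rule; note that no rule below accepts NEW
# inbound SSH, so new remote admin sessions are blocked unless added here.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (Ping) -- all ICMP types in both directions, not just echo
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# DNS (Needed for curl, and updates)
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

# HTTP/HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# NTP (server time)
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# Splunk (outbound to the indexer / web / management ports)
iptables -t filter -A OUTPUT -p tcp --dport 8000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 8089 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 9997 -j ACCEPT

# Inbound Splunk ports are accepted from ANY source. Hardening option: add
# "-s <management-network-cidr>" to each rule to limit who can reach them.
# Splunk Web UI
iptables -t filter -A INPUT -p tcp --dport 8000 -j ACCEPT
# Splunk Forwarder / management
iptables -t filter -A INPUT -p tcp --dport 8089 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 9997 -j ACCEPT
# Splunk Syslog (PA)
iptables -t filter -A INPUT -p tcp --dport 514 -j ACCEPT

# Bad Flag Combinations
# Drop TCP segments with flag combinations that never occur in a legitimate
# handshake (NULL, XMAS, SYN+FIN, SYN+RST); these are characteristic of port
# scanning / OS fingerprinting probes. The chain was previously created empty,
# which made the jump below a no-op.
iptables -N BAD_FLAGS
iptables -A BAD_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
iptables -A BAD_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
iptables -A BAD_FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A BAD_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -j BAD_FLAGS

# Fragmented Packets: log, then drop
iptables -A INPUT -f -j LOG --log-prefix "IT Fragmented "
iptables -A INPUT -f -j DROP

# NOTE(review): u32 loads the 32-bit word at IPv4 header offset 4 (ID plus
# flags/fragment-offset); mask 0x8000 appears to select the reserved IP flag
# bit, so this drops packets with that bit set. Inserted at the top of INPUT.
# Original author's comment kept verbatim -- confirm before relying on it:
# NOT SURE WHAT THIS DOES, THINGS BREAK WITHOUT IT
iptables -I INPUT -m u32 --u32 "4 & 0x8000 = 0x8000" -j DROP
EOF

# Set firewall rules
chmod +x "$IPTABLES_SCRIPT"
bash "$IPTABLES_SCRIPT"

# Save the rules (picked up by iptables-persistent/netfilter-persistent where
# installed). NOTE(review): ip6tables is never configured by this file, so any
# IPv6 traffic on the host is not filtered by these rules.
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4

# Disable firewalld so it does not replace these rules (errors are harmless
# if firewalld is not installed)
systemctl stop firewalld
systemctl disable firewalld

# Create a systemd oneshot unit that re-runs the script on boot (fallback for
# iptables-save). Unquoted delimiter on purpose: $IPTABLES_SCRIPT is expanded
# now so the unit holds the absolute path.
# NOTE: ExecStop flushes the rules but leaves the DROP policies in place, so
# "systemctl stop ccdc_firewall" cuts all traffic (fail closed) rather than
# opening the host; restore access from the console if that is unintended.
mkdir -p /etc/systemd/system/
cat <<EOF > /etc/systemd/system/ccdc_firewall.service
[Unit]
Description=ZDSFirewall
After=syslog.target network.target

[Service]
Type=oneshot
ExecStart=/bin/bash $IPTABLES_SCRIPT
ExecStop=/sbin/iptables -F
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

# Enable the service (daemon-reload so systemd sees the newly written unit)
systemctl daemon-reload
systemctl enable ccdc_firewall.service
systemctl start ccdc_firewall.service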