The firewall rules below can be loaded by using iptables-restore and ip6tables-restore. I have also included a bash script which can be used to generate and load the rules.
The rules below allow almost all outbound traffic; you may want to restrict that further if required.
The passive FTP port range has been set to 52000-53000; make sure the same range is configured in your FTP server's configuration file. For Pure FTPD, the following line was set in the configuration file /etc/pureftpd.conf:
PassivePortRange 52000 53000
*filter
# IPv4 ruleset for iptables-restore.
# NOTE: the INPUT policy is ACCEPT; all filtering depends on the final
# "Drop all unmatched traffic" rule in INPUT reaching ACTION_DROP.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ACTION_DROP - [0:0]
:ACTION_REJECT - [0:0]
:IN_ICMP - [0:0]
:IN_INVALID - [0:0]
:IN_TCP - [0:0]
:IN_UDP - [0:0]
:cphulk - [0:0]
# The cphulk chain is declared but has no rules in this file, so the jump is a
# no-op as saved; presumably cPanel's cPHulk populates it at runtime - confirm.
# The generator script further down this page does not create this chain.
-A INPUT -j cphulk
-A INPUT -i lo -m comment --comment "Allow all local loopback traffic" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow established/related connections" -j ACCEPT
-A INPUT -m comment --comment "Do basic checks for invalid packets" -j IN_INVALID
-A INPUT -p tcp -m comment --comment "Send all TCP traffic to IN_TCP" -j IN_TCP
-A INPUT -p udp -m comment --comment "Send all UDP traffic to IN_UDP" -j IN_UDP
-A INPUT -p icmp -m comment --comment "Send all ICMP traffic to IN_ICMP" -j IN_ICMP
-A INPUT -m comment --comment "Drop all unmatched traffic" -j ACTION_DROP
# NOTE: the LOG rules carry no -m limit match, so dropped/rejected packets are
# logged at full rate.
-A ACTION_DROP -m comment --comment "Enable logging" -j LOG --log-prefix "Dropping: "
-A ACTION_DROP -m comment --comment "Drop all traffic sent to this chain" -j DROP
-A ACTION_REJECT -m comment --comment "Enable logging" -j LOG --log-prefix "Rejecting: "
-A ACTION_REJECT -m comment --comment "Reject all traffic sent to this chain" -j REJECT --reject-with icmp-port-unreachable
-A IN_ICMP -p icmp -m icmp --icmp-type 3 -m comment --comment "Allow ICMP destination unreachable" -j ACCEPT
-A IN_ICMP -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ICMP ping" -j ACCEPT
-A IN_ICMP -p icmp -m icmp --icmp-type 11 -m comment --comment "Allow ICMP time exceeded" -j ACCEPT
-A IN_ICMP -p icmp -m icmp --icmp-type 30 -m comment --comment "Allow ICMP traceroute" -j ACCEPT
-A IN_ICMP -p icmp -m comment --comment "Drop unmatched ICMP" -j ACTION_DROP
-A IN_INVALID -m state --state INVALID -m comment --comment "Drop invalid traffic" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "Force incoming TCP connections to start with SYN" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p icmp -f -m comment --comment "Drop ICMP fragments" -j ACTION_DROP
-A IN_INVALID -m comment --comment "Return for further processing" -j RETURN
-A IN_TCP -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment "Allow incoming HTTP and HTTPS connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 143,993 -m state --state NEW -m comment --comment "Allow incoming IMAP and IMAPS connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 110,995 -m state --state NEW -m comment --comment "Allow incoming POP3 and POP3S connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 25,465,587 -m state --state NEW -m comment --comment "Allow incoming SMTP and SMTPS connections including alternate port" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 20,21 -m state --state NEW -m comment --comment "Allow incoming FTP and FTP control connections" -j ACCEPT
-A IN_TCP -p tcp -m tcp --dport 52000:53000 -m state --state NEW -m comment --comment "Allow incoming FTP passive connections" -j ACCEPT
# NOTE: SSH and MySQL are accepted from any source address (no -s match);
# restricting these to management/application networks is the usual hardening.
-A IN_TCP -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "Allow incoming SSH connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 3306 -m state --state NEW -m comment --comment "Allow incoming MySQL connections" -j ACCEPT
-A IN_TCP -p tcp -m tcp --dport 53 -m state --state NEW -m comment --comment "Allow incoming TCP DNS queries" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2077,2078 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel WebDAV" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2079,2080 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel CalDAV and CardDAV" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2082,2083 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2086,2087 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel WHM" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2095,2096 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel webmail" -j ACCEPT
-A IN_TCP -p tcp -m comment --comment "Drop unmatched TCP" -j ACTION_DROP
-A IN_UDP -p udp -m udp --dport 53 -m comment --comment "Allow incoming UDP DNS queries" -j ACCEPT
-A IN_UDP -p udp -m udp --dport 33434:33523 -m comment --comment "Allow UDP traceroute" -j ACCEPT
-A IN_UDP -p udp -m comment --comment "Drop unmatched UDP" -j ACTION_DROP
COMMIT
*filter
# IPv6 ruleset for ip6tables-restore. Differences from the IPv4 ruleset above:
# no cphulk chain/jump, no ICMP fragment rule, and every ICMPv6 type is
# accepted (there is no --icmpv6-type match in IN_ICMP).
# NOTE: the INPUT policy is ACCEPT; all filtering depends on the final
# "Drop all unmatched traffic" rule in INPUT reaching ACTION_DROP.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ACTION_DROP - [0:0]
:ACTION_REJECT - [0:0]
:IN_ICMP - [0:0]
:IN_INVALID - [0:0]
:IN_TCP - [0:0]
:IN_UDP - [0:0]
-A INPUT -i lo -m comment --comment "Allow all local loopback traffic" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow established/related connections" -j ACCEPT
-A INPUT -m comment --comment "Do basic checks for invalid packets" -j IN_INVALID
-A INPUT -p tcp -m comment --comment "Send all TCP traffic to IN_TCP" -j IN_TCP
-A INPUT -p udp -m comment --comment "Send all UDP traffic to IN_UDP" -j IN_UDP
-A INPUT -p ipv6-icmp -m comment --comment "Send all ICMP traffic to IN_ICMP" -j IN_ICMP
-A INPUT -m comment --comment "Drop all unmatched traffic" -j ACTION_DROP
# NOTE: the LOG rules carry no -m limit match, so dropped/rejected packets are
# logged at full rate.
-A ACTION_DROP -m comment --comment "Enable logging" -j LOG --log-prefix "Dropping: "
-A ACTION_DROP -m comment --comment "Drop all traffic sent to this chain" -j DROP
-A ACTION_REJECT -m comment --comment "Enable logging" -j LOG --log-prefix "Rejecting: "
-A ACTION_REJECT -m comment --comment "Reject all traffic sent to this chain" -j REJECT --reject-with icmp6-port-unreachable
-A IN_ICMP -p ipv6-icmp -m comment --comment "Allow all ICMPv6" -j ACCEPT
-A IN_INVALID -m state --state INVALID -m comment --comment "Drop invalid traffic" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "Force incoming TCP connections to start with SYN" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -m comment --comment "Return for further processing" -j RETURN
-A IN_TCP -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment "Allow incoming HTTP and HTTPS connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 143,993 -m state --state NEW -m comment --comment "Allow incoming IMAP and IMAPS connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 110,995 -m state --state NEW -m comment --comment "Allow incoming POP3 and POP3S connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 25,465,587 -m state --state NEW -m comment --comment "Allow incoming SMTP and SMTPS connections including alternate port" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 20,21 -m state --state NEW -m comment --comment "Allow incoming FTP and FTP control connections" -j ACCEPT
-A IN_TCP -p tcp -m tcp --dport 52000:53000 -m state --state NEW -m comment --comment "Allow incoming FTP passive connections" -j ACCEPT
# NOTE: SSH and MySQL are accepted from any source address (no -s match).
-A IN_TCP -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "Allow incoming SSH connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 3306 -m state --state NEW -m comment --comment "Allow incoming MySQL connections" -j ACCEPT
-A IN_TCP -p tcp -m tcp --dport 53 -m state --state NEW -m comment --comment "Allow incoming TCP DNS queries" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2077,2078 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel WebDAV" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2079,2080 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel CalDAV and CardDAV" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2082,2083 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2086,2087 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel WHM" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2095,2096 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel webmail" -j ACCEPT
-A IN_TCP -p tcp -m comment --comment "Drop unmatched TCP" -j ACTION_DROP
-A IN_UDP -p udp -m udp --dport 53 -m comment --comment "Allow incoming UDP DNS queries" -j ACCEPT
-A IN_UDP -p udp -m udp --dport 33434:33523 -m comment --comment "Allow UDP traceroute" -j ACCEPT
-A IN_UDP -p udp -m comment --comment "Drop unmatched UDP" -j ACTION_DROP
COMMIT
The following bash scripts (one for iptables, one for ip6tables) can be used to generate the rules above:
#!/bin/bash
# IPv4 Firewall for cPanel
# Configuration
## Absolute path of the iptables binary used for every rule below
IPTABLES=/usr/sbin/iptables
## "true" adds the LOG rules to the ACTION_DROP and ACTION_REJECT chains
LOGGING=true
# Create a function to print messages that is padded automatically
#######################################
# Print a progress label padded to 60 columns (no newline), so that the
# following success/fail output lands on the same line.
# Arguments: $1 - label text; a trailing row of dots is appended
# Outputs:   the padded label to stdout
#######################################
check() {
  local label="$1..........."
  printf '%-60b' "${label}"
}
# Create a function to print success messages
#######################################
# Finish a check line with a success message.
# Arguments: $1 - optional message; "Success" is printed when empty or absent
# Outputs:   the message followed by a newline on stdout
#######################################
success() {
  local message=${1:-Success}
  echo "${message}"
}
# Create a function to print fail messages and exit
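#######################################
# Finish a check line with "Fail", print an optional detail message and
# abort the script.
# Arguments: $1 - optional detail message, printed after a blank line
# Outputs:   "Fail" and the detail message on stdout
# Returns:   never; exits with status 2
#######################################
fail() {
  echo "Fail"
  if [[ -n "$1" ]]; then
    # printf, not echo: bash's echo prints a "\n" in the argument literally,
    # so the intended blank line never appeared.
    printf '\n%s\n' "$1"
  fi
  exit 2
}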
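# Make sure iptables binary can be used
check "Checking for iptables binary"
# -x rather than -f: an existing but non-executable file cannot be used either.
if [[ ! -x "${IPTABLES}" ]]; then
  fail "Could not open iptables binary: ${IPTABLES}"
else
  success
fi

#######################################
# Run one iptables command and abort the script if it fails, so a rejected
# rule is never reported as a success.
# Globals:   IPTABLES (read)
# Arguments: the iptables arguments, passed through unchanged
# Returns:   0 on success; otherwise calls fail, which exits with status 2
#######################################
rule() {
  "${IPTABLES}" "$@" || fail "Command failed: ${IPTABLES} $*"
}

#######################################
# Print a check label, run a single iptables command and report the result.
# Arguments: $1 - label for check; remaining arguments - iptables arguments
#######################################
step() {
  local label=$1
  shift
  check "${label}"
  rule "$@"
  success
}

# Clear all existing rules and chains.
# NOTE: from this flush until the final INPUT rule below is added, INPUT is
# empty with policy ACCEPT, so the host is unfiltered; an early fail exit
# leaves it in that state. Loading the equivalent iptables-restore file is
# atomic and has no such window.
step "Clearing filter rules" --flush
step "Clearing filter chains" --delete-chain
step "Clearing NAT rules" -t nat --flush
step "Clearing NAT chains" -t nat --delete-chain
step "Clearing mangle rules" -t mangle --flush
step "Clearing mangle chains" -t mangle --delete-chain
# Create chains for traffic
step "Creating chain IN_INVALID" -N IN_INVALID
step "Creating chain IN_TCP" -N IN_TCP
step "Creating chain IN_UDP" -N IN_UDP
step "Creating chain IN_ICMP" -N IN_ICMP
step "Creating chain ACTION_DROP" -N ACTION_DROP
step "Creating chain ACTION_REJECT" -N ACTION_REJECT
# Set default policies
step "Setting default INPUT policy" -P INPUT ACCEPT
step "Setting default OUTPUT policy" -P OUTPUT ACCEPT
step "Setting default FORWARD policy" -P FORWARD DROP
# Add drop handler
check "Adding ACTION_DROP chain rules"
if [[ "${LOGGING}" == "true" ]]; then
  # NOTE: no -m limit on the LOG rule, so dropped packets are logged at full rate.
  rule -A ACTION_DROP -p ALL -m comment --comment "Enable logging" -j LOG --log-prefix "Dropping: "
fi
rule -A ACTION_DROP -p ALL -m comment --comment "Drop all traffic sent to this chain" -j DROP
success
# Add reject handler
check "Adding REJECT chain rules"
if [[ "${LOGGING}" == "true" ]]; then
  rule -A ACTION_REJECT -p ALL -m comment --comment "Enable logging" -j LOG --log-prefix "Rejecting: "
fi
rule -A ACTION_REJECT -p ALL -m comment --comment "Reject all traffic sent to this chain" -j REJECT
success
# Add firewall rules to the invalid chain to drop invalid packets before further processing
check "Adding firewall rules to the IN_INVALID chain"
rule -A IN_INVALID -p ALL -m state --state INVALID -m comment --comment "Drop invalid traffic" -j ACTION_DROP
rule -A IN_INVALID -p tcp ! --syn -m state --state NEW -m comment --comment "Force incoming TCP connections to start with SYN" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags ALL NONE -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags ALL ALL -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags ALL FIN,URG,PSH -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags SYN,RST SYN,RST -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags SYN,FIN SYN,FIN -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p ICMP --fragment -m comment --comment "Drop ICMP fragments" -j ACTION_DROP
rule -A IN_INVALID -m comment --comment "Return for further processing" -j RETURN
success
# Add firewall rules to the ICMP chain
check "Adding firewall rules to the IN_ICMP chain"
rule -A IN_ICMP -p ICMP --icmp-type 3 -m comment --comment "Allow ICMP destination unreachable" -j ACCEPT
rule -A IN_ICMP -p ICMP --icmp-type 8 -m comment --comment "Allow ICMP ping" -j ACCEPT
rule -A IN_ICMP -p ICMP --icmp-type 11 -m comment --comment "Allow ICMP time exceeded" -j ACCEPT
rule -A IN_ICMP -p ICMP --icmp-type 30 -m comment --comment "Allow ICMP traceroute" -j ACCEPT
rule -A IN_ICMP -p ICMP -m comment --comment "Drop unmatched ICMP" -j ACTION_DROP
success
# Add firewall rules to the TCP chain
check "Adding firewall rules to the IN_TCP chain"
rule -A IN_TCP -p tcp -m multiport --dport 80,443 -m state --state NEW -m comment --comment "Allow incoming HTTP and HTTPS connections" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 143,993 -m state --state NEW -m comment --comment "Allow incoming IMAP and IMAPS connections" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 110,995 -m state --state NEW -m comment --comment "Allow incoming POP3 and POP3S connections" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 25,465,587 -m state --state NEW -m comment --comment "Allow incoming SMTP and SMTPS connections including alternate port" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 20,21 -m state --state NEW -m comment --comment "Allow incoming FTP and FTP control connections" -j ACCEPT
rule -A IN_TCP -p tcp --dport 52000:53000 -m state --state NEW -m comment --comment "Allow incoming FTP passive connections" -j ACCEPT
# NOTE: SSH and MySQL are accepted from any source address (no -s match).
rule -A IN_TCP -p tcp -m multiport --dport 22 -m state --state NEW -m comment --comment "Allow incoming SSH connections" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 3306 -m state --state NEW -m comment --comment "Allow incoming MySQL connections" -j ACCEPT
rule -A IN_TCP -p tcp --dport 53 -m state --state NEW -m comment --comment "Allow incoming TCP DNS queries" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2077,2078 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel WebDAV" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2079,2080 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel CalDAV and CardDAV" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2082,2083 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2086,2087 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel WHM" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2095,2096 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel webmail" -j ACCEPT
rule -A IN_TCP -p tcp -m comment --comment "Drop unmatched TCP" -j ACTION_DROP
success
# Add firewall rules to the UDP chain
check "Adding firewall rules to the IN_UDP chain"
rule -A IN_UDP -p udp --dport 53 -m comment --comment "Allow incoming UDP DNS queries" -j ACCEPT
rule -A IN_UDP -p udp --dport 33434:33523 -m comment --comment "Allow UDP traceroute" -j ACCEPT
rule -A IN_UDP -p udp -m comment --comment "Drop unmatched UDP" -j ACTION_DROP
success
# Allow all loopback traffic
step "Allowing all loopback traffic" -A INPUT -i lo -m comment --comment "Allow all local loopback traffic" -j ACCEPT
# Allow established/related connections
step "Allowing established/related connections" -A INPUT -m state --state ESTABLISHED,RELATED -m comment --comment "Allow established/related connections" -j ACCEPT
# Send traffic to the IN_INVALID chain to do basic checks
step "Adding rule to do basic packet checks" -A INPUT -p ALL -m comment --comment "Do basic checks for invalid packets" -j IN_INVALID
# Send traffic through the various chains
step "Adding forward for TCP traffic to the IN_TCP chain" -A INPUT -p tcp -m comment --comment "Send all TCP traffic to IN_TCP" -j IN_TCP
step "Adding forward for UDP traffic to the IN_UDP chain" -A INPUT -p udp -m comment --comment "Send all UDP traffic to IN_UDP" -j IN_UDP
step "Adding forward for ICMP traffic to the IN_ICMP chain" -A INPUT -p icmp -m comment --comment "Send all ICMP traffic to IN_ICMP" -j IN_ICMP
# This is the rule the whole INPUT policy depends on (policy itself is ACCEPT).
step "Dropping all unmatched traffic" -A INPUT -p all -m comment --comment "Drop all unmatched traffic" -j ACTION_DROP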
#!/bin/bash
# IPv6 Firewall for cPanel
# Configuration
## Absolute path of the ip6tables binary used for every rule below
IPTABLES=/usr/sbin/ip6tables
## "true" adds the LOG rules to the ACTION_DROP and ACTION_REJECT chains
LOGGING=true
# Create a function to print messages that is padded automatically
#######################################
# Print a progress label padded to 60 columns (no newline), so that the
# following success/fail output lands on the same line.
# Arguments: $1 - label text; a trailing row of dots is appended
# Outputs:   the padded label to stdout
#######################################
check() {
  local label="$1..........."
  printf '%-60b' "${label}"
}
# Create a function to print success messages
#######################################
# Finish a check line with a success message.
# Arguments: $1 - optional message; "Success" is printed when empty or absent
# Outputs:   the message followed by a newline on stdout
#######################################
success() {
  local message=${1:-Success}
  echo "${message}"
}
# Create a function to print fail messages and exit
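#######################################
# Finish a check line with "Fail", print an optional detail message and
# abort the script.
# Arguments: $1 - optional detail message, printed after a blank line
# Outputs:   "Fail" and the detail message on stdout
# Returns:   never; exits with status 2
#######################################
fail() {
  echo "Fail"
  if [[ -n "$1" ]]; then
    # printf, not echo: bash's echo prints a "\n" in the argument literally,
    # so the intended blank line never appeared.
    printf '\n%s\n' "$1"
  fi
  exit 2
}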
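# Make sure ip6tables binary can be used
check "Checking for ip6tables binary"
# -x rather than -f: an existing but non-executable file cannot be used either.
if [[ ! -x "${IPTABLES}" ]]; then
  fail "Could not open ip6tables binary: ${IPTABLES}"
else
  success
fi

#######################################
# Run one ip6tables command and abort the script if it fails, so a rejected
# rule is never reported as a success.
# Globals:   IPTABLES (read)
# Arguments: the ip6tables arguments, passed through unchanged
# Returns:   0 on success; otherwise calls fail, which exits with status 2
#######################################
rule() {
  "${IPTABLES}" "$@" || fail "Command failed: ${IPTABLES} $*"
}

#######################################
# Print a check label, run a single ip6tables command and report the result.
# Arguments: $1 - label for check; remaining arguments - ip6tables arguments
#######################################
step() {
  local label=$1
  shift
  check "${label}"
  rule "$@"
  success
}

# Clear all existing rules and chains.
# NOTE: from this flush until the final INPUT rule below is added, INPUT is
# empty with policy ACCEPT, so the host is unfiltered; an early fail exit
# leaves it in that state. Loading the equivalent ip6tables-restore file is
# atomic and has no such window.
step "Clearing filter rules" --flush
step "Clearing filter chains" --delete-chain
step "Clearing mangle rules" -t mangle --flush
step "Clearing mangle chains" -t mangle --delete-chain
# Create chains for traffic
step "Creating chain IN_INVALID" -N IN_INVALID
# IN_TCP must be created here: the IN_TCP rules and the INPUT jump below
# otherwise fail, and a failing jump aborts the script before the final
# drop rule is installed.
step "Creating chain IN_TCP" -N IN_TCP
step "Creating chain IN_UDP" -N IN_UDP
step "Creating chain IN_ICMP" -N IN_ICMP
step "Creating chain ACTION_DROP" -N ACTION_DROP
step "Creating chain ACTION_REJECT" -N ACTION_REJECT
# Set default policies
step "Setting default INPUT policy" -P INPUT ACCEPT
step "Setting default OUTPUT policy" -P OUTPUT ACCEPT
step "Setting default FORWARD policy" -P FORWARD DROP
# Add drop handler
check "Adding ACTION_DROP chain rules"
if [[ "${LOGGING}" == "true" ]]; then
  # NOTE: no -m limit on the LOG rule, so dropped packets are logged at full rate.
  rule -A ACTION_DROP -p ALL -m comment --comment "Enable logging" -j LOG --log-prefix "Dropping: "
fi
rule -A ACTION_DROP -p ALL -m comment --comment "Drop all traffic sent to this chain" -j DROP
success
# Add reject handler
check "Adding REJECT chain rules"
if [[ "${LOGGING}" == "true" ]]; then
  rule -A ACTION_REJECT -p ALL -m comment --comment "Enable logging" -j LOG --log-prefix "Rejecting: "
fi
rule -A ACTION_REJECT -p ALL -m comment --comment "Reject all traffic sent to this chain" -j REJECT
success
# Add firewall rules to the invalid chain to drop invalid packets before further processing
check "Adding firewall rules to the IN_INVALID chain"
rule -A IN_INVALID -p ALL -m state --state INVALID -m comment --comment "Drop invalid traffic" -j ACTION_DROP
rule -A IN_INVALID -p tcp ! --syn -m state --state NEW -m comment --comment "Force incoming TCP connections to start with SYN" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags ALL NONE -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags ALL ALL -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags ALL FIN,URG,PSH -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags SYN,RST SYN,RST -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -p tcp --tcp-flags SYN,FIN SYN,FIN -m comment --comment "Stealth scan" -j ACTION_DROP
rule -A IN_INVALID -m comment --comment "Return for further processing" -j RETURN
success
# Add firewall rules to the ICMP chain
check "Adding firewall rules to the IN_ICMP chain"
# Every ICMPv6 type is accepted here (no --icmpv6-type match), unlike the
# per-type IPv4 IN_ICMP chain.
rule -A IN_ICMP -p icmpv6 -m comment --comment "Allow all ICMPv6" -j ACCEPT
success
# Add firewall rules to the TCP chain
check "Adding firewall rules to the IN_TCP chain"
rule -A IN_TCP -p tcp -m multiport --dport 80,443 -m state --state NEW -m comment --comment "Allow incoming HTTP and HTTPS connections" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 143,993 -m state --state NEW -m comment --comment "Allow incoming IMAP and IMAPS connections" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 110,995 -m state --state NEW -m comment --comment "Allow incoming POP3 and POP3S connections" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 25,465,587 -m state --state NEW -m comment --comment "Allow incoming SMTP and SMTPS connections including alternate port" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 20,21 -m state --state NEW -m comment --comment "Allow incoming FTP and FTP control connections" -j ACCEPT
rule -A IN_TCP -p tcp --dport 52000:53000 -m state --state NEW -m comment --comment "Allow incoming FTP passive connections" -j ACCEPT
# NOTE: SSH and MySQL are accepted from any source address (no -s match).
rule -A IN_TCP -p tcp -m multiport --dport 22 -m state --state NEW -m comment --comment "Allow incoming SSH connections" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 3306 -m state --state NEW -m comment --comment "Allow incoming MySQL connections" -j ACCEPT
rule -A IN_TCP -p tcp --dport 53 -m state --state NEW -m comment --comment "Allow incoming TCP DNS queries" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2077,2078 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel WebDAV" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2079,2080 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel CalDAV and CardDAV" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2082,2083 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2086,2087 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel WHM" -j ACCEPT
rule -A IN_TCP -p tcp -m multiport --dport 2095,2096 -m state --state NEW -m comment --comment "Allow incoming traffic to cPanel webmail" -j ACCEPT
rule -A IN_TCP -p tcp -m comment --comment "Drop unmatched TCP" -j ACTION_DROP
success
# Add firewall rules to the UDP chain
check "Adding firewall rules to the IN_UDP chain"
rule -A IN_UDP -p udp --dport 53 -m comment --comment "Allow incoming UDP DNS queries" -j ACCEPT
rule -A IN_UDP -p udp --dport 33434:33523 -m comment --comment "Allow UDP traceroute" -j ACCEPT
rule -A IN_UDP -p udp -m comment --comment "Drop unmatched UDP" -j ACTION_DROP
success
# Allow all loopback traffic
step "Allowing all loopback traffic" -A INPUT -i lo -m comment --comment "Allow all local loopback traffic" -j ACCEPT
# Allow established/related connections
step "Allowing established/related connections" -A INPUT -m state --state ESTABLISHED,RELATED -m comment --comment "Allow established/related connections" -j ACCEPT
# Send traffic to the IN_INVALID chain to do basic checks
step "Adding rule to do basic packet checks" -A INPUT -p ALL -m comment --comment "Do basic checks for invalid packets" -j IN_INVALID
# Send traffic through the various chains
step "Adding forward for TCP traffic to the IN_TCP chain" -A INPUT -p tcp -m comment --comment "Send all TCP traffic to IN_TCP" -j IN_TCP
step "Adding forward for UDP traffic to the IN_UDP chain" -A INPUT -p udp -m comment --comment "Send all UDP traffic to IN_UDP" -j IN_UDP
step "Adding forward for ICMPv6 traffic to the IN_ICMP chain" -A INPUT -p icmpv6 -m comment --comment "Send all ICMP traffic to IN_ICMP" -j IN_ICMP
# This is the rule the whole INPUT policy depends on (policy itself is ACCEPT).
step "Dropping all unmatched traffic" -A INPUT -p all -m comment --comment "Drop all unmatched traffic" -j ACTION_DROP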