#!/bin/bash

# Sample iptables ruleset for a hardened shared-hosting server (default-deny in and out,
# explicit allow-list of published services and of the outbound traffic the host itself needs)
# Angulo Solido - http://www.angulosolido.pt

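# Abort on the first failed iptables command instead of continuing with a
# half-built ruleset; -u turns a typo in one of the variables below into an
# error rather than an empty (and therefore far too permissive) match.
set -euo pipefail

# --- tunables ----------------------------------------------------------------

# Source range allowed to reach the Webmin/Usermin consoles (TCP 10000/20000).
# The default keeps them world-reachable, as the original ruleset did; narrow
# it (e.g. 203.0.113.0/24) once you know where admin logins come from.
ADMIN_SRC=${ADMIN_SRC:-0.0.0.0/0}

# Pinned address of the Virtualmin package mirror, reached over cleartext HTTP.
# The firewall does not authenticate the mirror and the address may change
# without notice -- package integrity rests entirely on yum's GPG signature
# checks, so make sure gpgcheck=1 is set for that repository.
VIRTUALMIN_REPO_IP=${VIRTUALMIN_REPO_IP:-70.86.4.226}

# Where the persistent ruleset is written (RHEL/CentOS initscript layout).
SAVE_FILE=${SAVE_FILE:-/etc/sysconfig/iptables}

# --- sanity checks -----------------------------------------------------------

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must run as root"
command -v iptables >/dev/null || die "iptables not found in PATH"
command -v iptables-save >/dev/null || die "iptables-save not found in PATH"

# If any rule below fails the kernel keeps whatever was applied so far (fail
# closed) and the saved ruleset is NOT overwritten, so a reboot restores the
# previous known-good state. Say so loudly rather than exiting silently.
trap 'printf "firewall script failed at line %s; ruleset NOT saved\n" "$LINENO" >&2' ERR

# --- start from a clean slate ------------------------------------------------

# Flush explicitly instead of relying on `service iptables stop`: the
# initscript is distribution-specific and silently does nothing when the
# service is absent. Policies are reset to ACCEPT before flushing so the SSH
# session this script is run from is not dropped between flush and rebuild.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done

# --- default policy: deny everything that is not explicitly allowed ----------

iptables -P INPUT DROP
iptables -P FORWARD DROP   # this host does not route for anyone
iptables -P OUTPUT DROP

# --- rules that keep the box reachable, added FIRST --------------------------

# Loopback and reply traffic for existing connections (including the SSH
# session running this script) are accepted before anything else, so the
# window in which a live session is dropped is as short as possible.
# RELATED is accepted as well: ICMP errors for our own connections (needed
# for path-MTU discovery) and helper-tracked data channels would otherwise
# be dropped by the INPUT policy.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packets conntrack cannot classify (bad TCP flags, stray ACKs, out-of-window
# segments) carry no legitimate traffic; drop them before the service rules.
iptables -A INPUT -m state --state INVALID -j DROP

# --- outbound: only what the host itself needs -------------------------------

# DNS. TCP 53 is required alongside UDP: answers over 512 bytes (DNSSEC, large
# RRsets) come back truncated and the resolver retries over TCP.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

# HTTPS to anywhere, for RHN / yum updates. NOTE(review): this is also an
# unrestricted egress channel over 443 for any compromised process on the
# box; pin it to the update servers if your package source has stable
# addresses.
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Plain HTTP only to the Virtualmin package mirror (see VIRTUALMIN_REPO_IP).
iptables -A OUTPUT -p tcp --dport 80 -d "$VIRTUALMIN_REPO_IP" -j ACCEPT

# NOTE(review): no outbound SMTP (TCP 25) is allowed, so the local MTA can
# receive mail but cannot deliver it off-box -- confirm this is intended.

# --- inbound: published services ---------------------------------------------

# ICMP: only the types a server needs, instead of every type. echo-request is
# rate-limited so the box still answers pings but cannot be used as a cheap
# reflector; the three error types are what PMTU discovery and traceroute
# depend on. Excess echo-requests fall through to the DROP policy.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

# SSH on all interfaces. Port 22 traffic first traverses the user-defined
# `sshguard` chain: it is created empty here and the sshguard daemon inserts
# DROP rules for brute-forcing sources into it at runtime. Anything it does
# not drop returns to INPUT and is accepted by the following rule.
iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Public services. Numeric ports rather than /etc/services names, so the
# ruleset does not depend on that file's contents. DNS needs TCP 53 as well
# (see the outbound note above).
iptables -A INPUT -p udp --dport 53 -j ACCEPT    # domain
iptables -A INPUT -p tcp --dport 53 -j ACCEPT    # domain (truncated replies, zone transfers)
iptables -A INPUT -p tcp --dport 25 -j ACCEPT    # smtp
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # http
iptables -A INPUT -p tcp --dport 993 -j ACCEPT   # imaps
iptables -A INPUT -p tcp --dport 995 -j ACCEPT   # pop3s

# Webmin (10000) and Usermin (20000): password-protected admin consoles.
# Restricted to ADMIN_SRC; the default of 0.0.0.0/0 matches the original
# behaviour (reachable from anywhere) until you narrow it.
iptables -A INPUT -p tcp --dport 10000 -s "$ADMIN_SRC" -j ACCEPT
iptables -A INPUT -p tcp --dport 20000 -s "$ADMIN_SRC" -j ACCEPT

# --- persist -----------------------------------------------------------------

# Write to a temp file next to the target and rename into place, so a failed
# or interrupted save can never leave a truncated ruleset to be loaded at the
# next boot. The file is root-only like the distribution default.
tmp=$(mktemp "${SAVE_FILE}.XXXXXX") || die "cannot create temp file next to $SAVE_FILE"
iptables-save >"$tmp" || { rm -f -- "$tmp"; die "iptables-save failed; $SAVE_FILE left unchanged"; }
chmod 0600 -- "$tmp"
mv -f -- "$tmp" "$SAVE_FILE"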


