30. März 2026
Iptables-Script IPv4
Einfaches Stateful-Firewall-Script mit Iptables als Teil der Endpoint-Security für Linux-Server. Es filtert ausschließlich IPv4; ohne ein entsprechendes ip6tables-Regelwerk bleibt der Host über IPv6 ungefiltert erreichbar.
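#!/usr/bin/env bash
# Simple stateful IPv4 firewall for a Linux server.
#
# Policy: inbound traffic is dropped unless it belongs to an existing
# connection, arrives on loopback, is an ICMP echo request, or matches an
# explicit allow rule in the TCP/UDP chains (sections 6 and 7). Forwarding
# is dropped, outbound traffic is allowed.
#
# NOTE: IPv4 only. ip6tables is not touched here, so IPv6 needs a separate,
# equivalent ruleset or the host stays reachable over v6.
# NOTE: if you run this over SSH, uncomment the port 22 rule in section 6
# first. The current session survives via RELATED,ESTABLISHED, but no new
# SSH connection will get in until the rule is active.
# NOTE: there is a brief window between the flush (section 1) and the
# first ACCEPT rules (section 4) in which inbound packets are handled by
# the policy alone.

set -euo pipefail

# iptables needs CAP_NET_ADMIN; fail before touching anything rather than
# half-applying the ruleset.
if [[ "$(id -u)" -ne 0 ]]; then
  printf 'error: this script must be run as root\n' >&2
  exit 1
fi

# 1. Clear current configuration: rules, user chains and counters in every table.
iptables -F
iptables -X
iptables -Z
iptables -Z -t nat
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

# 2. Create the per-protocol chains that hold the allow rules.
iptables -N TCP
iptables -N UDP

# 3. Set default policy: drop inbound and forwarded, allow outbound.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# 4. Standard rules.
# Replies to connections this host opened, plus related traffic (ICMP errors, etc.).
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback is trusted.
iptables -A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify (malformed, out of window) are dropped
# silently so they never reach the logging/REJECT rules at the end.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow ping (ICMP echo request, type 8). Echo replies to our own pings
# are already covered by RELATED,ESTABLISHED.
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# 5. Dispatch new connections to the protocol chains.
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# Only a bare SYN may open a TCP connection. A NEW packet with any other
# flag combination (stray ACK, Xmas/NULL scan) is not dispatched and falls
# through to the REJECT rules in section 8.
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP

# 6. Allow inbound TCP traffic. Uncomment only what this host actually serves.
# iptables -A TCP -p tcp --dport 22 -j ACCEPT
# iptables -A TCP -p tcp --dport 53 -j ACCEPT
# iptables -A TCP -p tcp --dport 80 -j ACCEPT
# iptables -A TCP -p tcp --dport 139 -j ACCEPT
# iptables -A TCP -p tcp --dport 443 -j ACCEPT
# iptables -A TCP -p tcp --dport 445 -j ACCEPT
# iptables -A TCP -p tcp --dport 1081 -j ACCEPT
# iptables -A TCP -p tcp --dport 3128 -j ACCEPT
# iptables -A TCP -p tcp --dport 8118 -j ACCEPT

# 7. Allow inbound UDP traffic. The chain created in section 2 is named
# UDP (the template previously referenced a non-existent UDP_$IF1 chain,
# which would have failed as soon as a rule was uncommented).
# iptables -A UDP -p udp --dport 53 -j ACCEPT
# iptables -A UDP -p udp --dport 137 -j ACCEPT
# iptables -A UDP -p udp --dport 138 -j ACCEPT
# iptables -A UDP -p udp --dport 139 -j ACCEPT

# 8. Reject/Log everything else.
# LOG is rate limited so an unsolicited-packet flood cannot fill the
# journal (logging DoS). LOG is non-terminating, so packets above the
# limit still hit the REJECT rule that follows each LOG rule.
# NOTE(review): --log-uid is only expected to carry a value for locally
# generated packets; it is kept so the existing log format is unchanged.
iptables -A INPUT -p udp -m limit --limit 5/minute --limit-burst 10 \
  -j LOG --log-prefix "[iptables_ipv4_udp]: " --log-level 7 --log-uid
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -m limit --limit 5/minute --limit-burst 10 \
  -j LOG --log-prefix "[iptables_ipv4_tcp]: " --log-level 7 --log-uid
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 \
  -j LOG --log-prefix "[iptables_ipv4]: " --log-level 7 --log-uid
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# 9. Persist rules.
# iptables-save only writes the file; nothing here reloads it at boot.
# A restore mechanism (iptables-persistent/netfilter-persistent, a systemd
# unit, or iptables-restore from a network hook) must read rules.v4,
# otherwise the host comes up unfiltered after a reboot.
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4

# 10. Display info in terminal.
echo ""
echo "[IPv4] packets will be FILTERED."
echo ""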