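#!/bin/bash
#
# Minimal host firewall: on the Internet-facing interface accept inbound TCP
# to a port list (plus SSH on 22 and ICMP echo-request), keep established
# flows, and drop every other inbound packet.  OUTPUT and FORWARD stay open.
#
# Usage:  script [PORTLIST]
#   PORTLIST  value handed to `-m multiport --dports` (default: 80,443)
#
# The gateway interface and its global-scope IPv4 address are autodetected
# from `ip route` / `ip addr`.  The firewall is only touched once both were
# found and the script runs as root, so a detection failure cannot leave the
# host with an empty INPUT chain and a DROP policy.

set -eu -o pipefail

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# PORTLIST can be passed as an argument (empty or missing -> 80,443).
PORTLIST=${1:-80,443}
readonly PORTLIST

# iptables needs root; bail out before any chain is modified.
(( EUID == 0 )) || die "this script must be run as root"

# Find out which interface looks to the Internet and what the IP address on
# that interface is (tested on real servers and OpenVZ VPSes): the word after
# "dev" on the first default route.
GWINT=$(ip route \
  | awk '/^default / { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }') \
  || die "ip route failed"
[[ -n "$GWINT" ]] || die "could not determine the default-route interface"

# First global-scope IPv4 address on that interface, prefix length stripped.
EXTIP=$(ip -4 addr show dev "$GWINT" \
  | awk '$1 == "inet" && /scope global/ { sub(/\/.*/, "", $2); print $2; exit }') \
  || die "ip addr failed for $GWINT"
[[ -n "$EXTIP" ]] || die "could not determine the external IP on $GWINT"
readonly GWINT EXTIP

echo "Gateway interface (autodetected) is $GWINT"
echo "External IP (looking to the Internet, autodetected) is $EXTIP"

# Actually configure the firewall.  INPUT is set to ACCEPT while the chain is
# rebuilt and switched to DROP only after every accept rule is in place; with
# `set -e` a failing iptables call aborts before the DROP policy is applied,
# so a half-built chain never locks the host out.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i "$GWINT" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d "$EXTIP" -i "$GWINT" -p tcp -m multiport --dports "$PORTLIST" -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# SSH is always admitted, independent of PORTLIST.
iptables -A INPUT -d "$EXTIP" -i "$GWINT" -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# ICMP type 8 = echo-request, so the host stays pingable.
iptables -A INPUT -d "$EXTIP" -i "$GWINT" -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -P INPUT DROP

# OUTPUT and FORWARD are left unrestricted (policy ACCEPT, empty chain).
# The FORWARD policy only has an effect if IP forwarding is enabled on this
# host; tighten it if the machine ever routes for others.
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD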