 
 
 
Firewall (myfirewall) per Horde/IMP con più server
: :   howto di Daniele Albisetti   ©2005 Elektro-Material AG
 

#!/bin/bash

##
## IPTABLES Firewall per Server Horde (caso con Mail e IMAP su una macchina remota)
##
## Sul server webmail è installato un firewall locale. Solo le porte necessarie a Webmail
## e a pochi altri servizi sono aperte.
##
## INPUT CHAIN: HTTP, HTTPS, SSH, SMTP, IMAP, 113 (ident)
## OUTPUT CHAIN: HTTP/HTTPS (established), IMAP, SMTP, PROXY, 53 nameserver, 23 timeserver
##
## Questo semplice firewall va inteso come sicurezza supplementare che non sostituisce in alcun caso
## il firewall centrale della ditta dove Horde è raggiungibile unicamente via HTTP/HTTPS.
##
## Daniele Albisetti - albisetti [at] elektro-material [.] ch
##


# Nothing to do on a host without iptables: leave silently with success so an
# init system calling this script does not report a failure.
[[ -x /sbin/iptables ]] || exit 0

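fw_start() {
  #######################################
  # Build the filter table from scratch: flush everything, set the default
  # policy of INPUT/OUTPUT/FORWARD to DROP, then ACCEPT only what the webmail
  # host needs.
  # Globals:   none (every value is a local of this function)
  # Arguments: none; the site-specific values are edited below
  # Outputs:   a diagnostic on stderr when a site value is missing
  # Returns:   1, without touching any rule, when a site value is empty or is
  #            still the placeholder text; otherwise the status of the last
  #            iptables call
  #######################################
  local iptables inet_iface ip_addr intern_lan unprivports mailser proxyser

  iptables=$(command -v iptables) || iptables=/sbin/iptables
  inet_iface="eth0"
  # First "address" line of /etc/network/interfaces (Debian/Ubuntu).  A plain
  # `grep address` matched every such line (a second interface, "hwaddress")
  # and the unquoted result was then word-split into the iptables arguments.
  ip_addr=$(awk '$1 == "address" { print $2; exit }' /etc/network/interfaces 2>/dev/null)
  # RedHat/Fedora: take IPADDR from the interface's ifcfg file instead, e.g.
  # ip_addr=$(sed -n 's/^IPADDR=//p' "/etc/sysconfig/network-scripts/ifcfg-${inet_iface}")
  intern_lan="your intern server LAN"   # e.g. 192.168.1.0/16 (our case)
  unprivports="1024:65535"
  mailser="your mailserver ip"
  proxyser=""   # your proxyserver ip, only if a proxy is used; empty skips the 8080 rule

  # Refuse to run while a value is empty or still the placeholder text: the
  # policies below are DROP, so ACCEPT rules that fail on a bad address would
  # lock the host out (the original script continued after each failure).
  local name
  for name in ip_addr intern_lan mailser proxyser; do
    if [[ "${!name}" == *[[:space:]]* ]] || [[ "$name" != proxyser && -z "${!name}" ]]; then
      printf 'fw_start: %s is not set to a site value ("%s"); edit the script\n' \
        "$name" "${!name}" >&2
      return 1
    fi
  done

  # Flush all rules and delete all user-defined chains (filter table only;
  # fw_stop/fw_clear also handle nat and mangle).
  "$iptables" -F
  "$iptables" -X

  # Default policies = DROP.  Between this point and the ACCEPT rules below
  # the host is unreachable, which is why the values were validated first.
  "$iptables" -P INPUT DROP
  "$iptables" -P OUTPUT DROP
  "$iptables" -P FORWARD DROP

  #############
  # INPUT chain
  # Rules for incoming packets.  Note for readers of the header comment: there
  # is no inbound SMTP (25) rule here, and the "timeserver" rules use 123 (NTP).

  "$iptables" -A INPUT -i lo -j ACCEPT

  "$iptables" -A INPUT -p ICMP -d "$ip_addr" -j ACCEPT
  "$iptables" -A INPUT -p TCP -d "$ip_addr" --dport 80 -j ACCEPT
  "$iptables" -A INPUT -p TCP -d "$ip_addr" --dport 443 -j ACCEPT
  # SSH and IMAP only from the internal LAN
  "$iptables" -A INPUT -p TCP -s "$intern_lan" -d "$ip_addr" --dport 22 -j ACCEPT
  "$iptables" -A INPUT -p TCP -s "$intern_lan" -d "$ip_addr" --dport 143 -j ACCEPT
  # ident (113) only from the mail server
  "$iptables" -A INPUT -p TCP -i "$inet_iface" -s "$mailser" -d "$ip_addr" --dport 113 -j ACCEPT
  "$iptables" -A INPUT -p UDP -i "$inet_iface" -s "$mailser" -d "$ip_addr" --dport 113 -j ACCEPT
  # NTP from the internal LAN
  "$iptables" -A INPUT -p TCP -i "$inet_iface" -s "$intern_lan" --dport 123 -j ACCEPT
  "$iptables" -A INPUT -p UDP -i "$inet_iface" -s "$intern_lan" --dport 123 -j ACCEPT
  # Replies to connections this host opened; RELATED only to unprivileged ports
  "$iptables" -A INPUT -i "$inet_iface" -m state --state ESTABLISHED -j ACCEPT
  "$iptables" -A INPUT -i "$inet_iface" -p TCP --dport "$unprivports" -m state --state RELATED -j ACCEPT
  "$iptables" -A INPUT -i "$inet_iface" -p UDP --dport "$unprivports" -m state --state RELATED -j ACCEPT
  # DROP without LOG (Samba/Windows broadcast noise)
  "$iptables" -A INPUT -p UDP --dport 137 -j DROP
  "$iptables" -A INPUT -p UDP --dport 138 -j DROP

  # All other packets are dropped; change DROP to LOG for logging
  "$iptables" -A INPUT -j DROP

  ##############
  # OUTPUT chain
  # Special OUTPUT rules to decide which IPs to allow.  The --sport 80/443/22
  # rules are stateless (any packet with that source port is allowed), and the
  # --dport 22 / --dport 143 rules are not limited to a destination address;
  # this is the author's policy and is kept unchanged here.

  "$iptables" -A OUTPUT -o lo -j ACCEPT
  "$iptables" -A OUTPUT -p ICMP -j ACCEPT
  "$iptables" -A OUTPUT -p TCP --sport 80 -j ACCEPT
  "$iptables" -A OUTPUT -p TCP --sport 443 -j ACCEPT
  "$iptables" -A OUTPUT -p TCP --sport 22 -j ACCEPT
  "$iptables" -A OUTPUT -p TCP --dport 22 -j ACCEPT
  "$iptables" -A OUTPUT -p UDP --dport 53 -j ACCEPT
  "$iptables" -A OUTPUT -p TCP --dport 143 -j ACCEPT
  "$iptables" -A OUTPUT -d "$intern_lan" -p TCP --dport 25 -j ACCEPT
  "$iptables" -A OUTPUT -p TCP --sport 113 -d "$mailser" -j ACCEPT
  "$iptables" -A OUTPUT -p UDP --sport 113 -d "$mailser" -j ACCEPT
  if [[ -n "$proxyser" ]]; then
    "$iptables" -A OUTPUT -p TCP --dport 8080 -d "$proxyser" -j ACCEPT
  fi
  "$iptables" -A OUTPUT -p UDP --dport 123 -d "$intern_lan" -j ACCEPT

  # All other packets are dropped; change DROP to LOG for logging
  "$iptables" -A OUTPUT -j DROP
}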

fw_stop () {
  # Open the host completely: flush the filter, nat and mangle tables and set
  # every built-in chain to ACCEPT.  "stop" therefore means "no filtering at
  # all", not "no traffic".
  local table chain
  for table in filter nat mangle; do
    /sbin/iptables -t "$table" -F
  done
  for chain in INPUT FORWARD OUTPUT; do
    /sbin/iptables -P "$chain" ACCEPT
  done
}

fw_clear () {
  # Flush the filter, nat and mangle tables and fall back to a bare policy:
  # inbound and forwarded traffic DROP, outbound ACCEPT.  Unlike fw_stop this
  # leaves the host unreachable from the network (including loopback, since no
  # rule is installed).
  local table
  for table in filter nat mangle; do
    /sbin/iptables -t "$table" -F
  done
  /sbin/iptables -P INPUT DROP
  /sbin/iptables -P FORWARD DROP
  /sbin/iptables -P OUTPUT ACCEPT
}

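fw_status () {
  # List the filter table.  -n prints addresses and ports numerically: without
  # it iptables reverse-resolves every address, which is slow and hangs until
  # timeout while the OUTPUT policy is DROP (e.g. after fw_clear).
  /sbin/iptables -L -n
}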

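  # Init-style dispatch on the first argument.  "start" and "restart" are the
  # same operation: open everything with fw_stop, then rebuild with fw_start.
  # printf replaces echo -n, whose behaviour is not portable.
  case "$1" in
    start|restart)
      printf 'Starting firewall..'
      fw_stop
      if fw_start; then
        printf 'done.\n'
      else
        # fw_stop has already run, so the host is currently unfiltered;
        # say so instead of printing "done." over a failed rule set.
        printf 'FAILED: rules not installed, host is unfiltered\n' >&2
        exit 1
      fi
      ;;
    stop)
      printf 'Stopping firewall..'
      fw_stop
      printf 'done.\n'
      ;;
    clear)
      printf 'Clearing firewall rules..'
      fw_clear
      printf 'done.\n'
      ;;
    status)
      printf 'Status of the firewall rules..\n'
      fw_status
      printf 'done.\n'
      ;;
    *)
      printf 'Usage: %s {start|stop|restart|clear|status}\n' "$0" >&2
      exit 1
      ;;
  esac
exit 0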

 