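#!/usr/bin/env bash
# Host firewall bootstrap (Debian/Ubuntu, SysV init):
#   1. install iptables tooling and open the two ad-hoc ports the host needs,
#   2. install a small /etc/init.d/iptables script that restores the ruleset
#      from /etc/iptables.conf at boot and can save/flush it on demand,
#   3. drop a rules script (/etc/iptables-rules.sh) that builds the policy.
# Run as root. The two file bodies below were originally typed into nano; they
# are written here with quoted here-docs so nothing inside them is expanded.
set -euo pipefail

apt-get update && apt-get -y upgrade
# NOTE(review): iptables-persistent ships its own boot-time restore
# (netfilter-persistent / /etc/iptables/rules.v4). Together with the custom
# init script below that is two mechanisms restoring rules at boot; keep only
# one so it is unambiguous which saved file is authoritative.
apt-get -y install iptables-persistent

# Ad-hoc rules applied before the init script exists. They are appended to
# INPUT, whose policy is still ACCEPT at this point, so they only have an
# effect once a DROP policy is in place (see iptables-rules.sh below).
# Port 21 is plaintext FTP (credentials cross the wire unencrypted); port
# 10000 is presumably Webmin -- confirm both are actually required and
# restrict them with -s <trusted-net> if they are.
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

cat > /etc/init.d/iptables <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    ifupdown $local_fs
# Required-Stop:
# Default-Start:     S
# Default-Stop:      0 6
### END INIT INFO
# July 9, 2007
# James B. Crocker
# Creative Commons Attribution - Share Alike 3.0 License (BY,SA)
# Script to load/unload/save iptables firewall settings.
#
#   start                 restore the ruleset from IPTABLES_CONFIG
#   stop                  save the live ruleset, then flush it and set every
#                         filter policy to ACCEPT -- the host is left unfiltered
#   save                  write the live ruleset to IPTABLES_CONFIG
#   restart/force-reload  restore the ruleset from IPTABLES_CONFIG
set -e

PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_CONFIG=/etc/iptables.conf

[ -x "$IPTABLES" ] || exit 0

. /lib/lsb/init-functions

# Restore the saved ruleset and report its status. iptables-restore replaces
# each table it reads in one step, so the live rules are deliberately NOT
# flushed first: a missing or unparsable config leaves the current rules in
# place instead of an open host, and there is no window with no rules loaded.
restore_rules() {
    rc=0
    if [ -r "$IPTABLES_CONFIG" ]; then
        "$IPTABLES_RESTORE" < "$IPTABLES_CONFIG" || rc=$?
    else
        rc=1
    fi
    log_action_end_msg "$rc"
}

# Write the live ruleset to IPTABLES_CONFIG and report the exit status of
# iptables-save instead of aborting under set -e.
save_rules() {
    rc=0
    "$IPTABLES_SAVE" > "$IPTABLES_CONFIG" || rc=$?
    log_action_end_msg "$rc"
}

case "$1" in
  start)
    log_action_begin_msg "Starting firewall"
    type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 120" || true
    restore_rules
    type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 15" || true
    ;;
  stop)
    log_action_begin_msg "Saving current firewall configuration"
    save_rules
    log_action_begin_msg "Flushing ALL firewall rules from chains!"
    rc=0
    "$IPTABLES" -F || rc=$?
    log_action_end_msg "$rc"
    log_action_begin_msg "Deleting ALL firewall chains [Warning: ACCEPTING ALL PORT SERVICES!]"
    # Only the filter table is touched (no -t), as before. The status that is
    # reported covers the whole chain-delete + policy-reset sequence, not just
    # the last -P command.
    rc=0
    "$IPTABLES" -X \
      && "$IPTABLES" -P INPUT ACCEPT \
      && "$IPTABLES" -P FORWARD ACCEPT \
      && "$IPTABLES" -P OUTPUT ACCEPT || rc=$?
    log_action_end_msg "$rc"
    ;;
  save)
    log_action_begin_msg "Saving current firewall configuration"
    save_rules
    ;;
  force-reload|restart)
    # No -F/-X before the restore: flushing first left the host unfiltered
    # until iptables-restore finished, and left it open for good if the
    # restore then failed.
    log_action_begin_msg "Reloading firewall configuration"
    restore_rules
    ;;
  *)
    echo "Usage: /etc/init.d/iptables {start|stop|save|restart|force-reload}"
    exit 1
    ;;
esac

exit 0
EOF

# The original ran `chmod +x /etc/*iptables*`, which also marks
# /etc/iptables.conf (and anything else matching the glob) executable.
# Only the init script needs the bit.
chmod 755 /etc/init.d/iptables
update-rc.d iptables defaults

# Persist the rules that are loaded right now, then reload them from the file
# to prove the round trip works. Do NOT run `service iptables stop` first, as
# the original sequence (stop; save; start) did: stop flushes the tables and
# sets every policy to ACCEPT, so the following `save` recorded that empty,
# open ruleset and `start` restored it -- the ad-hoc rules above were lost.
service iptables save
service iptables start

cat > /etc/iptables-rules.sh <<'EOF'
#!/bin/bash
# Build the host firewall policy from scratch: flush the filter table, allow
# the services listed below, and finish with DROP defaults so anything not
# explicitly accepted is discarded. The policies are set LAST so that running
# this over SSH does not cut the session off between the flush and the
# re-adding of the SSH and ESTABLISHED rules; if a rule fails to load the
# script aborts before the policies change, i.e. it fails open rather than
# locking the operator out.
#
# After running this, persist the result with `service iptables save` (or
# whichever mechanism owns /etc/iptables.conf on this host) or it is lost at
# the next reboot.
set -eu

# Flushing all rules (filter table only, matching the init script)
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -X

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections this host initiated, and related flows. Mandatory
# once INPUT/FORWARD default to DROP; the original left this commented out,
# which would have broken every outbound DNS/HTTP reply under a DROP policy.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Port 10000 is presumably Webmin -- confirm, and restrict with
# -s <admin-net> if it is.
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
# Plaintext FTP: credentials cross the wire in the clear; prefer SFTP over
# port 22. If it must stay, FTP data connections only match RELATED when the
# conntrack FTP helper is loaded -- verify on this host.
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# Allow incoming OpenVPN (UDP 1194, plus TCP 443 for clients behind
# restrictive networks). "-s 0.0.0.0/0" was the default and is dropped.
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Accept outbound packets belonging to existing connections (inserted at the
# top of OUTPUT so it is evaluated before the per-port NEW rules)
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow DNS outbound
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Allow HTTP outbound
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Allow HTTPS outbound
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable NAT for the VPN (left disabled: the VPN subnet and egress interface
# must match the OpenVPN server configuration before this is turned on)
#iptables -t nat -A POSTROUTING -s 172.16.100.0/24 -o eth0 -j MASQUERADE

# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun0 -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
#iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outbound access to all networks on the Internet from the VPN
#iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 0.0.0.0/0 -j ACCEPT

# Block client-to-client routing on the VPN
#iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 172.16.100.0/24 -j DROP

# Setting default filter policy -- done last (see header). The original had
# these three lines commented out, which left every policy at ACCEPT: each
# ACCEPT rule above was then a no-op and the host was effectively unfiltered.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

exit 0
EOF
chmod 755 /etc/iptables-rules.sh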