Cấu hình firewall iptables cho Zimbra

Tạo file script với tên iptables.sh
#vi iptables.sh
Điền vào nội dung sau.
#!/bin/bash
# define some constants. Those are your WAN IP which need to be whitelisted.
your_vnpt_ip=’x.x.x.x’
your_viettel_ip=’y.y.y.y’
# delete all configuration and set default policy for each chain.
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -N ZIMBRA-FIREWALL
/sbin/iptables -A INPUT -j ZIMBRA-FIREWALL
/sbin/iptables -A FORWARD -j ZIMBRA-FIREWALL
# Stop some attacks
/sbin/iptables -A ZIMBRA-FIREWALL -p tcp –tcp-flags ALL NONE -j DROP
/sbin/iptables -A ZIMBRA-FIREWALL -p tcp ! –syn -m state –state NEW -j DROP
/sbin/iptables -A ZIMBRA-FIREWALL -p tcp –tcp-flags ALL ALL -j DROP
# Accept save connection and icmp
/sbin/iptables -A ZIMBRA-FIREWALL -i lo -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -p icmp –icmp-type any -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state ESTABLISHED,RELATED -j ACCEPT
# enable this rule if have has layer remote 2/3 devices
/sbin/iptables -A ZIMBRA-FIREWALL -p tcp –tcp-flags FIN,SYN,RST,ACK RST,ACK -j ACCEPT
# enable ssh and snmp
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT -s $vnpt_ip
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT -s $viettel_ip
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m udp -p udp –dport 161 -j ACCEPT -s $vnpt_ip
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m udp -p udp –dport 161 -j ACCEPT -s $viettel_ip
# enable zimbra ports
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 25 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 110 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 143 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 465 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 587 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 993 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 995 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 7071 -j ACCEPT
/sbin/iptables -A ZIMBRA-FIREWALL -m state –state NEW -m tcp -p tcp –dport 9071 -j ACCEPT
# log and reject everything else
#/sbin/iptables -A ZIMBRA-FIREWALL -j LOG -m limit –limit 10/m –log-prefix “DROP ON INPUT: ” –log-tcp-options –log-ip-options –log-level INFO
/sbin/iptables -A ZIMBRA-FIREWALL -j DROP
# save configuraton and restart iptables
/etc/rc.d/init.d/iptables save
/etc/rc.d/init.d/iptables restart

#sh iptables.sh
Script sẽ xóa cấu hình iptables cũ, tạo mới và sau đó lưu lại để sau khi khởi động sẽ giữ nguyên cấu hình.