Tạo file script
Tạo file script với tên iptables.sh
#vi iptables.sh
Điền vào nội dung sau.
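#!/bin/bash
# Zimbra host firewall: rebuilds the filter table from scratch, allows SSH and
# SNMP only from two whitelisted WAN addresses, opens the Zimbra service ports
# to everyone and drops everything else.
#
# Fix: the SSH/SNMP whitelist rules referenced $vnpt_ip and $viettel_ip, which
# were never defined. The empty expansion left "-s" without an argument,
# iptables rejected those four rules, the script carried on, and the trailing
# DROP then blocked SSH and SNMP from everywhere. The rules now use the
# variables that are actually defined below, and both addresses are validated
# before the running ruleset is flushed, so a typo or an unfilled placeholder
# cannot leave the host with an ACCEPT policy and a half-built chain.
set -eu

# define some constants. Those are your WAN IP which need to be whitelisted.
# A plain IPv4 address or a CIDR prefix is accepted.
your_vnpt_ip='x.x.x.x'
your_viettel_ip='y.y.y.y'

ipt=/sbin/iptables
chain=ZIMBRA-FIREWALL

#######################################
# Abort if a whitelist address is empty, still a placeholder, or not shaped
# like an IPv4 address/prefix. Runs before any iptables call so a bad value
# never touches the live ruleset.
# Arguments: $1 - variable name (for the message), $2 - its value
#######################################
check_ip() {
  local name=$1 value=$2
  if [[ ! "$value" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
    printf '%s: %s is not an IPv4 address or prefix: %q\n' "$0" "$name" "$value" >&2
    exit 1
  fi
}
check_ip your_vnpt_ip "$your_vnpt_ip"
check_ip your_viettel_ip "$your_viettel_ip"

# delete all configuration and set default policy for each chain.
"$ipt" -F
"$ipt" -X
"$ipt" -P INPUT ACCEPT
"$ipt" -P OUTPUT ACCEPT
"$ipt" -P FORWARD ACCEPT
"$ipt" -N "$chain"
"$ipt" -A INPUT -j "$chain"
"$ipt" -A FORWARD -j "$chain"

# Drop malformed TCP: no flags set, NEW connections that do not start with SYN,
# all flags set.
"$ipt" -A "$chain" -p tcp --tcp-flags ALL NONE -j DROP
"$ipt" -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
"$ipt" -A "$chain" -p tcp --tcp-flags ALL ALL -j DROP

# Accept loopback, ICMP and traffic belonging to established connections.
# NOTE: --icmp-type any admits every ICMP type; narrowing it to the types the
# host actually needs is a site decision and is left unchanged here.
"$ipt" -A "$chain" -i lo -j ACCEPT
"$ipt" -A "$chain" -p icmp --icmp-type any -j ACCEPT
"$ipt" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT

# enable this rule if there are remote layer 2/3 devices
"$ipt" -A "$chain" -p tcp --tcp-flags FIN,SYN,RST,ACK RST,ACK -j ACCEPT

# SSH (22/tcp) and SNMP (161/udp), only from the whitelisted addresses.
# All four rules are ACCEPTs with disjoint matches, so their relative order
# does not matter.
for src in "$your_vnpt_ip" "$your_viettel_ip"; do
  "$ipt" -A "$chain" -m state --state NEW -m tcp -p tcp --dport 22 -s "$src" -j ACCEPT
  "$ipt" -A "$chain" -m state --state NEW -m udp -p udp --dport 161 -s "$src" -j ACCEPT
done

# enable zimbra ports (open to any source, as in the original ruleset).
# 7071 and 9071 are the Zimbra admin console; consider restricting them to
# the whitelisted addresses the same way as SSH.
zimbra_tcp_ports=(25 80 110 143 443 465 587 993 995 7071 9071)
for port in "${zimbra_tcp_ports[@]}"; do
  "$ipt" -A "$chain" -m state --state NEW -m tcp -p tcp --dport "$port" -j ACCEPT
done

# log and drop everything else (uncomment the LOG rule to record hits, rate-limited)
#"$ipt" -A "$chain" -j LOG -m limit --limit 10/m --log-prefix "DROP ON INPUT: " --log-tcp-options --log-ip-options --log-level INFO
"$ipt" -A "$chain" -j DROP

# save configuration and restart iptables
/etc/rc.d/init.d/iptables save
/etc/rc.d/init.d/iptables restart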