
Strict IPTables Rules for postgresql server (Configured to make streaming replication)

An iptables rules script for a PostgreSQL server that is configured as the master or as a standby for streaming replication.
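#!/bin/sh
# Strict iptables rules for a PostgreSQL server that is the master or a
# standby in streaming replication.  Every chain defaults to DROP; only
# loopback, SSH and ping from one admin host, PostgreSQL in/out and DNS
# to one resolver are opened.
#
# Fill in the three addresses below before running.  All addresses are
# validated *before* iptables is touched, so a typo fails loudly instead of
# leaving the host with DROP policies and no ACCEPT rules.  The policies are
# set to DROP before the SSH rule is appended and any later failure aborts
# with the rules applied so far (fail closed), so run this from a console or
# with a scheduled rollback the first time.
#
# Environment overrides (optional):
#   SERVER_IP      address of this host, for hosts with several addresses
#   PG_CLIENT_NET  who may open connections to port 5432 (default 0/0, i.e.
#                  anyone; narrow it to the replica and application networks)
set -eu

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# True when $1 is a dotted-quad IPv4 address, optionally with a /prefix.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# IP address of this server: first broadcast-capable interface reported by
# ifconfig unless SERVER_IP was given in the environment.  Works with both the
# old "inet addr:x.x.x.x  Bcast:" and the new "inet x.x.x.x ... broadcast"
# output layouts: cut leaves a line without ':' unchanged.
SERVER_IP=${SERVER_IP:-$(/sbin/ifconfig -a | awk '/(cast)/ { print $2 }' | cut -d':' -f2 | head -1)}

DNS_SERVER=''   # write IP address of the dns server
SSH_CLIENT=''   # write the IP address from where you make ssh connections
                # (sshd exports SSH_CLIENT as "addr port port"; this assignment replaces it)
PGE_SERVER=''   # write IP address of the other postgresql server
PG_CLIENT_NET=${PG_CLIENT_NET:-0/0}

# Validate everything first: a bad value must not abort the script halfway.
is_ipv4 "$SERVER_IP"  || die "SERVER_IP is not a usable IPv4 address: '$SERVER_IP'"
is_ipv4 "$DNS_SERVER" || die "DNS_SERVER is not set to an IPv4 address"
is_ipv4 "$SSH_CLIENT" || die "SSH_CLIENT is not set to an IPv4 address"
is_ipv4 "$PGE_SERVER" || die "PGE_SERVER is not set to an IPv4 address"
[ -n "$PG_CLIENT_NET" ] || die "PG_CLIENT_NET is empty"
command -v iptables >/dev/null 2>&1 || die "iptables not found in PATH"

# Flush iptables rules (filter table only; nat/mangle are left alone)
iptables -F
iptables -X

# Set default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow traffic on loopback adapter
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming ssh only from the admin host
iptables -A INPUT -p tcp -s "$SSH_CLIENT" -d "$SERVER_IP" --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s "$SERVER_IP" -d "$SSH_CLIENT" --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming icmp echo (ping) only from the admin host
iptables -A INPUT -p icmp --icmp-type 8 -s "$SSH_CLIENT" -d "$SERVER_IP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s "$SERVER_IP" -d "$SSH_CLIENT" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming postgresql connections (clients and the replicating standby)
iptables -A INPUT -p tcp -s "$PG_CLIENT_NET" -d "$SERVER_IP" --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s "$SERVER_IP" -d "$PG_CLIENT_NET" --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing postgresql connections to the other server (standby -> master)
iptables -A OUTPUT -p tcp -s "$SERVER_IP" -d "$PGE_SERVER" --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s "$PGE_SERVER" -d "$SERVER_IP" --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing DNS requests (udp, and tcp for large answers) to one resolver
iptables -A OUTPUT -p udp -s "$SERVER_IP" --sport 1024:65535 -d "$DNS_SERVER" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s "$DNS_SERVER" --sport 53 -d "$SERVER_IP" --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s "$SERVER_IP" --sport 1024:65535 -d "$DNS_SERVER" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s "$DNS_SERVER" --sport 53 -d "$SERVER_IP" --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# drop all other traffic (explicit rules so the drops show up in counters)
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP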
