Last active
September 4, 2018 14:50
Minimal ip(6)tables rules in iptables-restore / ip6tables-restore format: the INPUT policy is DROP, SSH is allowed worldwide with a per-source brute-force throttle, and ICMP echo requests are allowed with a per-source flood limit.
*filter
#
# Base policy
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#
# Don't attempt to firewall internal traffic on the loopback device.
-A INPUT -i lo -j ACCEPT
#
# Allow packets that belong to, or are related to, connections this host
# already has (replies to outbound traffic, ICMP errors for them, ...).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#
# Block remote packets claiming to be from a loopback address.
-4 -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-6 -A INPUT -s ::1/128 ! -i lo -j DROP
#
# Accept the ICMPv6 neighbour discovery messages IPv6 needs in order to work
# at all (router solicitation/advertisement, neighbour solicitation/
# advertisement). Conntrack leaves these untracked, so the ESTABLISHED,RELATED
# rule above never matches them and the DROP policy would otherwise cut the
# host off from its IPv6 gateway.
-6 -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
-6 -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
-6 -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-6 -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
#
# Restate the DROP policy explicitly (already set by the base policy above).
-4 -P INPUT DROP
-6 -P INPUT DROP
#
# Chain for preventing SSH brute-force attacks.
# Every new connection is recorded in the "SSH" recent list. Once a source has
# 10 hits within 60 seconds its new connections are dropped, i.e. the 10th
# attempt inside any 60-second window is refused. A matching --update also
# refreshes the entry, so a host that keeps retrying stays blocked; the block
# lifts only once fewer than 10 hits remain inside the window.
-N SSHBRUTE
-A SSHBRUTE -m recent --name SSH --set
-A SSHBRUTE -m recent --name SSH --update --seconds 60 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT
#
# Chain for preventing ping flooding: the 6th echo request from one source
# within one second is dropped. Rate-limiting our replies also stops this
# host being used to flood a victim with ICMP echo replies when the echo
# requests carry the victim's spoofed source address. --rttl additionally
# requires the packet's TTL to equal the TTL recorded by --set for this
# source (a guard against spoofed packets filling the list); since the --set
# rule directly above records this same packet's TTL first, the guard adds
# nothing in this chain.
-N ICMPFLOOD
-A ICMPFLOOD -m recent --set --name ICMP --rsource
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
-A ICMPFLOOD -j ACCEPT
#
# General rules
#
# Accept worldwide access to SSH (port 22, resolved via /etc/services) and
# run every new connection through the SSHBRUTE chain.
-A INPUT -p tcp --dport ssh --syn -m conntrack --ctstate NEW -j SSHBRUTE
#
# Permit ICMP echo requests (ping) and run them through the ICMPFLOOD chain.
-4 -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
-6 -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD
COMMIT
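The SSHBRUTE and ICMPFLOOD chains are easiest to reason about by replaying packet timings through the xt_recent decision rules. The Python below is an added example, not code from the gist or from the iptables project: it models only `--set` / `--update --seconds --hitcount` with the module's default 20-entry timestamp ring per source (the `--rttl` comparison is not modelled), and the addresses and timings are constructed for the demonstration.

```python
"""Model of the xt_recent --set / --update --seconds --hitcount logic behind
the SSHBRUTE and ICMPFLOOD chains. Added example, not part of the gist: it
never touches netfilter, it only replays constructed packet timings through
the same decision sequence the kernel module applies."""
from collections import defaultdict, deque

# xt_recent keeps at most ip_pkt_list_tot timestamps per source (default 20).
PKT_LIST_TOT = 20


class RecentTable:
    """One `-m recent --name NAME` list, keyed by source address (--rsource)."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """`--set`: create the entry if needed and record this packet's time."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """`--update --seconds S --hitcount N`: match if the entry holds at
        least N timestamps no older than S seconds. A match also refreshes the
        entry (one more timestamp), which is what keeps a noisy host blocked."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.stamps[src].append(now)
        return True


class RateLimitChain:
    """Chain of the shape used above: --set ; --update ... -j DROP ; -j ACCEPT."""

    def __init__(self, seconds, hitcount):
        self.table = RecentTable()
        self.seconds = seconds
        self.hitcount = hitcount

    def verdict(self, src, now):
        self.table.set(src, now)
        if self.table.update(src, now, self.seconds, self.hitcount):
            return "DROP"
        return "ACCEPT"


def replay(chain, events):
    """events: (time_in_seconds, source) pairs in arrival order -> verdicts."""
    return [chain.verdict(src, t) for t, src in events]


# Constructed addresses from the documentation ranges, not real hosts.
ATTACKER = "203.0.113.5"
BYSTANDER = "198.51.100.7"


def ssh_burst_verdicts():
    """12 new SSH connections, one per second, from a single host."""
    chain = RateLimitChain(seconds=60, hitcount=10)
    return replay(chain, [(i, ATTACKER) for i in range(12)])


def ssh_retry_verdicts(interval, retries=6):
    """Trip the limit with 10 quick connections, then retry every `interval`
    seconds; returns only the verdicts of the retries."""
    chain = RateLimitChain(seconds=60, hitcount=10)
    burst = [(i, ATTACKER) for i in range(10)]
    later = [(9 + interval * k, ATTACKER) for k in range(1, retries + 1)]
    return replay(chain, burst + later)[len(burst):]


def icmp_flood_verdicts():
    """One host pings 10 times within a second while another pings twice."""
    chain = RateLimitChain(seconds=1, hitcount=6)
    flood = [(k / 10, ATTACKER) for k in range(10)]
    normal = [(0.25, BYSTANDER), (0.75, BYSTANDER)]
    verdicts = {ATTACKER: [], BYSTANDER: []}
    for t, src in sorted(flood + normal):
        verdicts[src].append(chain.verdict(src, t))
    return verdicts


if __name__ == "__main__":
    print("SSH burst:       ", ssh_burst_verdicts())
    print("retry every 10 s:", ssh_retry_verdicts(10))
    print("retry every 40 s:", ssh_retry_verdicts(40))
    print("ICMP flood:      ", icmp_flood_verdicts())
```

Running it shows three things the rule comments alone do not: nine connections pass and the tenth within 60 seconds is dropped (the limit is "fewer than 10", not "10"); a host that retries every 10 seconds never gets unblocked, because each dropped attempt adds two timestamps to the list and keeps at least 10 inside the window; and a host that waits 40 seconds between retries is dropped once and then accepted again. In the ICMP case the bystander's pings are accepted throughout, since the list is kept per source address.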