Skip to content

Instantly share code, notes, and snippets.

@BlackChar

BlackChar/rules-ipv4.iptables

Forked from jirutka/rules-both.iptables
Created September 18, 2012 13:44
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save BlackChar/3743182 to your computer and use it in GitHub Desktop.
Save BlackChar/3743182 to your computer and use it in GitHub Desktop.
Download ZIP
Basic iptables template for ordinary servers (both IPv4 and IPv6)
Raw
rules-ipv4.iptables
###############################################################################
# Copyright 2012 Jakub Jirutka. All rights reserved.
#
# "THE KOFOLA-WARE LICENSE" (Revision 1):
# Jakub Jirutka originally wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a Kofola in return. <jakub@jirutka.cz>
#
###############################################################################
#
# Basic iptables/IPv4 template for ordinary servers
#
# This file is in iptables-restore format. See the man pages for
# iptables-restore(8) and iptables-save(8).
#
# The following is a set of firewall rules that should be applicable to Linux
# servers running within departments. It is intended to provide a useful
# starting point from which to devise a comprehensive firewall policy for
# a host.
#
# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
# populated with rules specific to particular hosts.
#
# This template is based on http://jdem.cz/v64a3 from University of Leicester
#
# @author Jakub Jirutka <jakub@jirutka.cz>
# @version 1.0
# @date 2012-09-18
#
###############################################################################
# 1. COMMON HEADER #
# #
# This section is a generic header that should be suitable for most hosts. #
###############################################################################
*filter
# Base policy
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Don't attempt to firewall internal traffic on the loopback device
-A INPUT -i lo -j ACCEPT
# Continue connections that are already established or related to an established
# connection
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop non-conforming packets, such as malformed headers, etc.
-A INPUT -m state --state INVALID -j DROP
# Block remote packets claiming to be from a loopback address
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops
# incomming connections from that host. Beyond a burst of 100 connections we
# log at up 1 attempt per second to prevent filling of logs
-N SSHBRUTE
-A SSHBRUTE -m recent --name SSH --set
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT
# Chain for preventing ping flooding - up to 6 pings per second from a single
# source, again with log limiting. Also prevents us from ICMP REPLY flooding
# some victim when replying to ICMP ECHO from a spoofed source
-N ICMPFLOOD
-A ICMPFLOOD -m recent --set --name ICMP --rsource
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
-A ICMPFLOOD -j ACCEPT
###############################################################################
# 2. HOST SPECIFIC RULES #
# #
# This section is a good place to enable your host-specific services. #
# ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 ! #
###############################################################################
# Accept worldwide access to HTTP and HTTPS
# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
###############################################################################
# 3. GENERAL RULES #
# #
# This section contains general rules that should be suitable for most hosts. #
###############################################################################
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
# brute-force attacks.
-A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
# Permit useful IMCP packet types
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing of even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not by hiding.
-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
-A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
# May not want to log late replies from nameservers
-A INPUT -p udp -m udp --sport 53 -j DROP
# Good practise is to explicately reject AUTH traffic so that it fails fast
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
# Prevent DOS by filling log files
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
COMMIT
Raw
rules-ipv6.ip6tables
###############################################################################
# Copyright 2012 Jakub Jirutka. All rights reserved.
#
# "THE KOFOLA-WARE LICENSE" (Revision 1):
# Jakub Jirutka originally wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a Kofola in return. <jakub@jirutka.cz>
#
###############################################################################
#
# Basic ip6tables/IPv6 template for ordinary servers
#
# This file is in iptables-restore format. See the man pages for
# ip6tables-restore(8) and ip6tables-save(8).
#
# The following is a set of firewall rules that should be applicable to Linux
# servers running within departments. It is intended to provide a useful
# starting point from which to devise a comprehensive firewall policy for
# a host.
#
# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
# populated with rules specific to particular hosts.
#
# This template is based on http://jdem.cz/v64a3 from University of Leicester
#
# @author Jakub Jirutka <jakub@jirutka.cz>
# @version 1.0
# @date 2012-09-18
#
###############################################################################
# 1. COMMON HEADER #
# #
# This section is a generic header that should be suitable for most hosts. #
###############################################################################
*filter
# Base policy
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Don't attempt to firewall internal traffic on the loopback device
-A INPUT -i lo -j ACCEPT
# Continue connections that are already established or related to an established
# connection
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop non-conforming packets, such as malformed headers, etc.
-A INPUT -m state --state INVALID -j DROP
# Block remote packets claiming to be from a loopback address
-A INPUT -s ::1/128 ! -i lo -j DROP
# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops
# incomming connections from that host. Beyond a burst of 100 connections we
# log at up 1 attempt per second to prevent filling of logs
-N SSHBRUTE
-A SSHBRUTE -m recent --name SSH --set
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT
# Chain for preventing ping flooding - up to 6 pings per second from a single
# source, again with log limiting. Also prevents us from ICMP REPLY flooding
# some victim when replying to ICMP ECHO from a spoofed source
-N ICMPFLOOD
-A ICMPFLOOD -m recent --set --name ICMP --rsource
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
-A ICMPFLOOD -j ACCEPT
###############################################################################
# 2. HOST SPECIFIC RULES #
# #
# This section is a good place to enable your host-specific services. #
###############################################################################
# Accept worldwide access to HTTP and HTTPS
# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
# Accept limited access to Munin from hosts on CVUT network
# -A INPUT -s 147.32.0.0/15 -p tcp -m tcp --dport 4949 --syn -m state --state NEW -j ACCEPT
###############################################################################
# 3. GENERAL RULES #
# #
# This section contains general rules that should be suitable for most hosts. #
###############################################################################
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
# brute-force attacks.
-A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
# Permit needed ICMP packet types for IPv6 per RFC 4890
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
# Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
# flooding.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
# May not want to log late replies from campus nameservers
-A INPUT -p udp -m udp --sport 53 -j DROP
# Good practise is to explicately reject AUTH traffic so that it fails fast
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
# Prevent DOS by filling log files
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
COMMIT
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment