Created
May 14, 2017 19:55
-
-
Save RiFi2k/8f3cad2b88c5c9b85855d76b63ce00a4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *filter | |
| # Base policy | |
| :INPUT DROP [0:0] | |
| :FORWARD DROP [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| # Don't attempt to firewall internal traffic on the loopback device. | |
| -A INPUT -i lo -j ACCEPT | |
| # Continue connections that are already established or related to an established | |
| # connection. | |
| -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| # Drop non-conforming packets, such as malformed headers, etc. | |
| -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| # Block remote packets claiming to be from a loopback address. | |
| -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP | |
| # Drop all packets that are going to broadcast, multicast or anycast address. | |
| -A INPUT -m addrtype --dst-type BROADCAST -j DROP | |
| -A INPUT -m addrtype --dst-type MULTICAST -j DROP | |
| -A INPUT -m addrtype --dst-type ANYCAST -j DROP | |
| -A INPUT -d 224.0.0.0/4 -j DROP | |
| # Chain for preventing SSH brute-force attacks. | |
| # Permits 10 new connections within 5 minutes from a single host then drops | |
| # incomming connections from that host. Beyond a burst of 100 connections we | |
| # log at up 1 attempt per second to prevent filling of logs. | |
| -N SSHBRUTE | |
| -A SSHBRUTE -m recent --name SSH --set | |
| -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: " | |
| -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP | |
| -A SSHBRUTE -j ACCEPT | |
| # Chain for preventing ping flooding - up to 6 pings per second from a single | |
| # source, again with log limiting. Also prevents us from ICMP REPLY flooding | |
| # some victim when replying to ICMP ECHO from a spoofed source. | |
| -N ICMPFLOOD | |
| -A ICMPFLOOD -m recent --set --name ICMP --rsource | |
| -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: " | |
| -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP | |
| -A ICMPFLOOD -j ACCEPT | |
| ############################################################################### | |
| # 2. HOST SPECIFIC RULES # | |
| # # | |
| # This section is a good place to enable your host-specific services. # | |
| # ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 ! # | |
| ############################################################################### | |
| # Accept HTTP and HTTPS | |
| #-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT | |
| ############################################################################### | |
| # 3. GENERAL RULES # | |
| # # | |
| # This section contains general rules that should be suitable for most hosts. # | |
| ############################################################################### | |
| # Accept worldwide access to SSH and use SSHBRUTE chain for preventing | |
| # brute-force attacks. | |
| -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE | |
| # Permit useful IMCP packet types. | |
| # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests. | |
| # Blocking these can make diagnosing of even simple faults much more tricky. | |
| # Real security lies in locking down and hardening all services, not by hiding. | |
| -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT | |
| -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT | |
| -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD | |
| -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT | |
| # Do not log packets that are going to ports used by SMB | |
| # (Samba / Windows Sharing). | |
| -A INPUT -p udp -m multiport --dports 135,445 -j DROP | |
| -A INPUT -p udp --dport 137:139 -j DROP | |
| -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP | |
| -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP | |
| # Do not log packets that are going to port used by UPnP protocol. | |
| -A INPUT -p udp --dport 1900 -j DROP | |
| # Do not log late replies from nameservers. | |
| -A INPUT -p udp --sport 53 -j DROP | |
| # Good practise is to explicately reject AUTH traffic so that it fails fast. | |
| -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset | |
| # Prevent DOS by filling log files. | |
| -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: " | |
| COMMIT | |
| ############################################################################### | |
| # 4. HOST SPECIFIC NAT RULES # | |
| # # | |
| # Uncomment this section if you want to use NAT table, e.g. for port # | |
| # forwarding, redirect, masquerade... # | |
| ############################################################################### | |
| #*nat | |
| # Base policy | |
| #:PREROUTING ACCEPT [0:0] | |
| #:POSTROUTING ACCEPT [0:0] | |
| #:OUTPUT ACCEPT [0:0] | |
| # Redirect port 21 to local port 2121 | |
| #-A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 2121 | |
| # Forward port 8080 to port 80 on host 192.168.1.10 | |
| #-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80 | |
| #COMMIT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment