Thermi

  • Switzerland
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 87.128.0.0/10 -p tcp --dport 22 -m limit --limit 10/min -j LOG --log-prefix "SSH_TRAFFIC "
-A INPUT -s 87.128.0.0/10 -p tcp --dport 22 -j ACCEPT
@Thermi
Thermi / copy-and-start.sh
Created March 22, 2019 19:01
Copy-and-start script for Supermicro's ipmiview tool. It makes sure you always have the latest version in your home directory.
#! /bin/bash
# check and copy files
IPMIVIEWDIR=/opt/ipmiview
USERDIR="$HOME/.local/share/ipmiview/"
if [ "$IPMIVIEWDIR" -nt "$USERDIR" ]
then
OLDDIR="$(pwd)"
mkdir -p "$USERDIR"/BMCSecurity
@Thermi
Thermi / ipsecTunnelMonitoringScript.py
Created September 13, 2018 18:28
ipsecTunnelMonitoringScript
#! /usr/bin/python3 -B
# Copyright (C) 2018 Noel Kuntze <noel.kuntze@thermi.consulting> for VINN Gmbh
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
@Thermi
Thermi / README.md
Last active October 23, 2020 01:29

A quick run down on iptables rules

What is it?

iptables is a CLI frontend to netfilter, the Linux kernel's firewall/NAT implementation for OSI layers 3 and 4.

Okay, give me more details

  • When you run "iptables", the file actually executed is "xtables-multi", because the file name "iptables" is a symlink to "xtables-multi".
@Thermi
Thermi / acme.service
Last active June 21, 2021 18:52
systemd service and timer unit
[Unit]
Description = update Let's Encrypt certificates
[Service]
ExecStart=/usr/bin/acmetool --batch reconcile
ExecStartPost=/usr/bin/systemctl reload nginx
ExecStartPost=/usr/bin/cp /var/lib/acme/live/thermi.strangled.net/haproxy /var/lib/znc/.znc/certs/znc_whole_chain.pem
ExecStartPost=/usr/bin/chown znc:znc /var/lib/znc/.znc/certs/znc_whole_chain.pem
ExecStartPost=/usr/bin/chmod 600 /var/lib/znc/.znc/certs/znc_whole_chain.pem
@Thermi
Thermi / Best Practices.md
Last active May 20, 2022 09:01
Summary page of Netfilter-related resources

Best Practices:

  1. Don't use iptables to apply your rules one at a time; use iptables-restore to apply a whole ruleset in one action.
  2. Set your INPUT and FORWARD policy to DROP.
  3. Don't set your OUTPUT policy to DROP unless you really know what you're doing.
  4. If you're going to implement a blacklist or whitelist, you should look at using ipsets if that list is going to be more than two or three addresses, and if it might be dynamic.
  5. Allow all traffic on lo.
  6. You should ALLOW traffic in ctstates of RELATED and ESTABLISHED near the beginning of your rules.
  7. Don't use iptables -L
  8. DON'T USE IPTABLES -L
  9. Use iptables-save instead of iptables -L.