@Veraticus
Created August 14, 2014 23:08
include_recipe 'simple_iptables'

# Default chain policies: anything not explicitly accepted below is dropped on
# INPUT and FORWARD, while locally originated traffic (OUTPUT) is unrestricted.
{ 'INPUT' => 'DROP', 'FORWARD' => 'DROP', 'OUTPUT' => 'ACCEPT' }.each do |chain, default_target|
  simple_iptables_policy chain do
    policy default_target
  end
end
# Anything arriving on the loopback interface is trusted unconditionally.
simple_iptables_rule 'LOOPBACK' do
  jump 'ACCEPT'
  direction 'INPUT'
  rule '--in-interface lo'
end
# Replies and related traffic for connections this host already has are
# accepted, so the service-specific rules only ever see new connections.
simple_iptables_rule 'ESTABLISHED' do
  jump 'ACCEPT'
  direction 'INPUT'
  rule '-m conntrack --ctstate ESTABLISHED,RELATED'
end
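# Drop packets that connection tracking classifies as INVALID (malformed
# headers, packets that belong to no known connection, etc.).
# Uses the conntrack match rather than the older `state` alias so that it is
# consistent with the ESTABLISHED rule above; both forms match identically.
simple_iptables_rule "NON_CONFORMING" do
  direction "INPUT"
  rule "-m conntrack --ctstate INVALID"
  jump "DROP"
end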
# A packet with a 127.0.0.0/8 source that did not arrive on lo is spoofed;
# drop it. (IPv4 only — whether the cookbook also emits ip6tables rules is not
# visible in this recipe; confirm separately.)
simple_iptables_rule 'NON_LOCAL' do
  jump 'DROP'
  direction 'INPUT'
  rule '-s 127.0.0.0/8 ! -i lo'
end
# Silently discard packets addressed to broadcast, multicast or anycast
# destinations. The last entry (224.0.0.0/4, the IPv4 multicast range) overlaps
# the MULTICAST addrtype match before it; the duplicate DROP is harmless.
# NOTE(review): confirm nothing on this host depends on inbound broadcast
# traffic before relying on this rule.
cast_matches = [
  '-m addrtype --dst-type BROADCAST',
  '-m addrtype --dst-type MULTICAST',
  '-m addrtype --dst-type ANYCAST',
  '-d 224.0.0.0/4'
]
simple_iptables_rule 'DROP_CASTS' do
  jump 'DROP'
  direction 'INPUT'
  rule cast_matches
end
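# Chain for slowing down SSH brute-force attempts.
# Every new SYN to tcp/22 records its source in the `recent` list named SSH.
# Once a source has been seen 8 or more times within a rolling 60-second
# window, further attempts from it are dropped. Drops are logged, rate-limited
# to 1 entry/second after an initial burst of 100 so that a sustained attack
# cannot fill the logs. Sources under the threshold fall through to ACCEPT;
# no other rule in this recipe admits port 22, so this chain is what allows
# SSH in at all.
simple_iptables_rule "SSH_BRUTE" do
  direction 'INPUT'
  # conntrack rather than the obsolete `state` alias, matching the ESTABLISHED rule.
  chain_condition '-p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW'
  rule [
    "-m recent --name SSH --set",
    "-m recent --name SSH --update --seconds 60 --hitcount 8 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix \"iptables[SSH_BRUTE]: \"",
    "-m recent --name SSH --update --seconds 60 --hitcount 8 -j DROP",
    "-j ACCEPT"
  ]
  # Each rule above carries its own target, so no chain-level jump is appended.
  jump false
end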
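# Chain for limiting ping floods: a 6th ICMP echo request from the same source
# within one second is dropped, with the same log rate-limiting approach as
# SSH_BRUTE. --rttl only counts hits whose TTL matches the first recorded
# packet, which makes it harder for an attacker to get a third party's address
# blacklisted with spoofed echo requests, and dropping excess requests also
# stops this host from amplifying such a flood with echo replies to the
# spoofed victim.
simple_iptables_rule "ICMP_FLOOD" do
  direction 'INPUT'
  # conntrack rather than the obsolete `state` alias, matching the ESTABLISHED rule.
  chain_condition '-p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW'
  rule [
    "-m recent --set --name ICMP --rsource",
    "-m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix \"iptables[ICMP_FLOOD]: \"",
    "-m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP",
    "-j ACCEPT"
  ]
  # Each rule above carries its own target, so no chain-level jump is appended.
  jump false
end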
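# Permit useful ICMP packet types: echo reply (0), destination unreachable (3)
# and time exceeded (11).
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not in hiding.
# NOTE(review): replies and errors belonging to a tracked flow already arrive
# as ESTABLISHED/RELATED and are accepted by the ESTABLISHED rule; the NEW
# matches here admit the unsolicited ones — confirm that is intended.
simple_iptables_rule "USEFUL_ICMP" do
  direction "INPUT"
  # conntrack rather than the obsolete `state` alias, matching the ESTABLISHED rule.
  rule [
    "-p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW",
    "-p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW",
    "-p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW"
  ]
  jump "ACCEPT"
end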
# Drop UPnP/SSDP discovery traffic (udp/1900) without logging it.
# NOTE(review): "without logging" presumes a catch-all LOG rule later in
# INPUT; none is declared in this recipe, so confirm it exists elsewhere.
simple_iptables_rule 'UPNP_DROP' do
  jump 'DROP'
  direction 'INPUT'
  rule '-p udp -m udp --dport 1900'
end
# Drop late DNS replies (udp source port 53) without logging them; replies to
# queries conntrack still remembers are already accepted as ESTABLISHED.
simple_iptables_rule 'LATE_REPLY' do
  jump 'DROP'
  direction 'INPUT'
  rule '-p udp -m udp --sport 53'
end
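# Good practice is to explicitly reject AUTH/ident (tcp/113) traffic with a
# TCP reset so that remote servers probing it fail fast instead of waiting
# for a timeout on a silently dropped SYN.
simple_iptables_rule "REJECT_AUTH" do
  direction "INPUT"
  # conntrack rather than the obsolete `state` alias, matching the ESTABLISHED rule.
  rule "-p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset"
  # The rule carries its own target, so no chain-level jump is appended.
  jump false
end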