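include_recipe "simple_iptables"

# IPv4 host firewall declared with simple_iptables resources.
#
# NOTE(review): only iptables (IPv4) is configured in this recipe; no ip6tables
# policy is set here, so the DROP default below does not cover IPv6 — confirm
# that IPv6 is filtered elsewhere or disabled on the host.
# NOTE(review): the early ACCEPT rules (LOOPBACK, ESTABLISHED) only do their job
# if the cookbook installs rules in declaration order — confirm against the
# simple_iptables cookbook version in use.
# The match strings below mix "-m state" and "-m conntrack"; "state" is the
# legacy alias of the conntrack match, and the strings are kept as written.

# Default policy: drop INPUT and FORWARD, allow all OUTPUT.
simple_iptables_policy "INPUT" do
  policy "DROP"
end

simple_iptables_policy "FORWARD" do
  policy "DROP"
end

simple_iptables_policy "OUTPUT" do
  policy "ACCEPT"
end

# Allow all traffic on the loopback interface.
simple_iptables_rule "LOOPBACK" do
  direction "INPUT"
  rule "--in-interface lo"
  jump "ACCEPT"
end

# Accept inbound packets that belong to, or are related to, an existing connection.
simple_iptables_rule "ESTABLISHED" do
  direction "INPUT"
  rule "-m conntrack --ctstate ESTABLISHED,RELATED"
  jump "ACCEPT"
end

# Drop packets that connection tracking cannot classify (malformed headers,
# packets that fit no known connection state, etc.).
simple_iptables_rule "NON_CONFORMING" do
  direction "INPUT"
  rule "-m state --state INVALID"
  jump "DROP"
end

# Drop packets claiming a loopback source address that did not arrive on lo;
# these are spoofed by definition.
simple_iptables_rule "NON_LOCAL" do
  direction "INPUT"
  rule "-s 127.0.0.0/8 ! -i lo"
  jump "DROP"
end

# Drop packets addressed to broadcast, multicast or anycast destinations.
# "-d 224.0.0.0/4" is the IPv4 multicast range and overlaps the MULTICAST
# addrtype match; it is kept as written.
simple_iptables_rule "DROP_CASTS" do
  direction "INPUT"
  rule [
    "-m addrtype --dst-type BROADCAST",
    "-m addrtype --dst-type MULTICAST",
    "-m addrtype --dst-type ANYCAST",
    "-d 224.0.0.0/4"
  ]
  jump "DROP"
end

# SSH brute-force protection, applied to new TCP SYNs to port 22 (chain_condition).
# Every new connection is recorded per source address in the "recent" list SSH.
# Once a source reaches 8 new connections within 60 seconds (--hitcount 8
# --seconds 60) its further attempts are logged and dropped; otherwise the
# connection is accepted. Logging is rate-limited to 1/second after an initial
# burst of 100 entries so a sustained attack cannot fill the logs.
# "jump false" appears to suppress the resource-level jump: every rule here
# carries its own -j target.
simple_iptables_rule "SSH_BRUTE" do
  direction "INPUT"
  chain_condition "-p tcp -m tcp --dport 22 --syn -m state --state NEW"
  rule [
    "-m recent --name SSH --set",
    "-m recent --name SSH --update --seconds 60 --hitcount 8 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix \"iptables[SSH_BRUTE]: \"",
    "-m recent --name SSH --update --seconds 60 --hitcount 8 -j DROP",
    "-j ACCEPT"
  ]
  jump false
end

# Ping-flood protection for new ICMP echo requests (type 8, chain_condition).
# Requests are recorded per source (--rsource); once a source reaches 6 requests
# within 1 second (--hitcount 6 --seconds 1) the excess are logged and dropped,
# otherwise accepted. --rttl additionally requires the packet TTL to match the
# recorded entry, which keeps pings with a spoofed source from getting the real
# host dropped and stops this host from becoming an ICMP reply flooder against
# that victim. Logging is limited to 1/sec with a burst of 1.
simple_iptables_rule "ICMP_FLOOD" do
  direction "INPUT"
  chain_condition "-p icmp -m icmp --icmp-type 8 -m state --state NEW"
  rule [
    "-m recent --set --name ICMP --rsource",
    "-m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix \"iptables[ICMP_FLOOD]: \"",
    "-m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP",
    "-j ACCEPT"
  ]
  jump false
end

# Permit useful ICMP types: 0 (echo reply), 3 (destination unreachable) and
# 11 (time exceeded). Echo requests (type 8) are handled by ICMP_FLOOD above.
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing even simple faults much harder.
# Real security lies in locking down and hardening all services, not in hiding.
simple_iptables_rule "USEFUL_ICMP" do
  direction "INPUT"
  rule [
    "-p icmp -m icmp --icmp-type 0 -m state --state NEW",
    "-p icmp -m icmp --icmp-type 3 -m state --state NEW",
    "-p icmp -m icmp --icmp-type 11 -m state --state NEW"
  ]
  jump "ACCEPT"
end

# Drop UPnP/SSDP discovery traffic (UDP 1900) explicitly so it never reaches
# a later logging rule (the author's intent is to keep it out of the logs).
simple_iptables_rule "UPNP_DROP" do
  direction "INPUT"
  rule "-p udp -m udp --dport 1900"
  jump "DROP"
end

# Drop late DNS replies (UDP source port 53) that no longer match an
# established connection, again to keep them out of the logs.
simple_iptables_rule "LATE_REPLY" do
  direction "INPUT"
  rule "-p udp -m udp --sport 53"
  jump "DROP"
end

# Reject new ident/AUTH (TCP 113) connections with a TCP RST so remote services
# that probe ident fail fast instead of waiting for a timeout.
simple_iptables_rule "REJECT_AUTH" do
  direction "INPUT"
  rule "-p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset"
  jump false
end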