Veraticus/gistify979871.rb

## gistify979871.rb
include_recipe 'simple_iptables'

# Disable all INPUT, FORWARD, and allow all OUTPUT
simple_iptables_policy "INPUT" do
  policy "DROP"
end

simple_iptables_policy "FORWARD" do
  policy "DROP"
end

simple_iptables_policy "OUTPUT" do
  policy "ACCEPT"
end

# Allow all traffic on the loopback device
simple_iptables_rule "LOOPBACK" do
  direction "INPUT"
  rule "--in-interface lo"
  jump "ACCEPT"
end

# Accept all established inbound connections
simple_iptables_rule "ESTABLISHED" do
  direction "INPUT"
  rule "-m conntrack --ctstate ESTABLISHED,RELATED"
  jump "ACCEPT"
end

# Drop non-conforming packets, such as malformed headers, etc.
simple_iptables_rule "NON_CONFORMING" do
  direction "INPUT"
  rule "-m state --state INVALID"
  jump "DROP"
end

# Block remote packets claiming to be from a loopback address
simple_iptables_rule "NON_LOCAL" do
  direction "INPUT"
  rule "-s 127.0.0.0/8 ! -i lo"
  jump "DROP"
end

# Drop all packets that are going to broadcast, multicast or anycast addresses
simple_iptables_rule "DROP_CASTS" do
  direction "INPUT"
  rule [
    "-m addrtype --dst-type BROADCAST",
    "-m addrtype --dst-type MULTICAST",
    "-m addrtype --dst-type ANYCAST",
    "-d 224.0.0.0/4"
  ]
  jump "DROP"
end

# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops
# incomming connections from that host. Beyond a burst of 100 connections we
# log at up 1 attempt per second to prevent filling of logs
simple_iptables_rule "SSH_BRUTE" do
  direction 'INPUT'
  chain_condition '-p tcp -m tcp --dport 22 --syn -m state --state NEW'
  rule [
    "-m recent --name SSH --set",
    "-m recent --name SSH --update --seconds 60 --hitcount 8 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix \"iptables[SSH_BRUTE]: \"",
    "-m recent --name SSH --update --seconds 60 --hitcount 8 -j DROP",
    "-j ACCEPT"
  ]
  jump false
end

# Chain for preventing ping flooding - up to 6 pings per second from a single
# source, again with log limiting. Also prevents us from ICMP REPLY flooding
# some victim when replying to ICMP ECHO from a spoofed source
simple_iptables_rule "ICMP_FLOOD" do
  direction 'INPUT'
  chain_condition '-p icmp -m icmp --icmp-type 8  -m state --state NEW'
  rule [
    "-m recent --set --name ICMP --rsource",
    "-m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix \"iptables[ICMP_FLOOD]: \"",
    "-m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP",
    "-j ACCEPT"
  ]
  jump false
end

# Permit useful IMCP packet types
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing of even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not by hiding.
simple_iptables_rule "USEFUL_ICMP" do
  direction "INPUT"
  rule [
    "-p icmp -m icmp --icmp-type 0  -m state --state NEW",
    "-p icmp -m icmp --icmp-type 3  -m state --state NEW",
    "-p icmp -m icmp --icmp-type 11 -m state --state NEW"
  ]
  jump "ACCEPT"
end

# Do not log packets that are going to port used by UPnP protocol
simple_iptables_rule "UPNP_DROP" do
  direction "INPUT"
  rule "-p udp -m udp --dport 1900"
  jump "DROP"
end

# Do not log late replies from nameservers
simple_iptables_rule "LATE_REPLY" do
  direction "INPUT"
  rule "-p udp -m udp --sport 53"
  jump "DROP"
end

# Good practice is to explicately reject AUTH traffic so that it fails fast
simple_iptables_rule "REJECT_AUTH" do
  direction "INPUT"
  rule "-p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset"
  jump false
end
	include_recipe 'simple_iptables'

	# Disable all INPUT, FORWARD, and allow all OUTPUT
	simple_iptables_policy "INPUT" do
	policy "DROP"
	end

	simple_iptables_policy "FORWARD" do
	policy "DROP"
	end

	simple_iptables_policy "OUTPUT" do
	policy "ACCEPT"
	end

	# Allow all traffic on the loopback device
	simple_iptables_rule "LOOPBACK" do
	direction "INPUT"
	rule "--in-interface lo"
	jump "ACCEPT"
	end

	# Accept all established inbound connections
	simple_iptables_rule "ESTABLISHED" do
	direction "INPUT"
	rule "-m conntrack --ctstate ESTABLISHED,RELATED"
	jump "ACCEPT"
	end

	# Drop non-conforming packets, such as malformed headers, etc.
	simple_iptables_rule "NON_CONFORMING" do
	direction "INPUT"
	rule "-m state --state INVALID"
	jump "DROP"
	end

	# Block remote packets claiming to be from a loopback address
	simple_iptables_rule "NON_LOCAL" do
	direction "INPUT"
	rule "-s 127.0.0.0/8 ! -i lo"
	jump "DROP"
	end

	# Drop all packets that are going to broadcast, multicast or anycast addresses
	simple_iptables_rule "DROP_CASTS" do
	direction "INPUT"
	rule [
	"-m addrtype --dst-type BROADCAST",
	"-m addrtype --dst-type MULTICAST",
	"-m addrtype --dst-type ANYCAST",
	"-d 224.0.0.0/4"
	]
	jump "DROP"
	end

	# Chain for preventing SSH brute-force attacks.
	# Permits 10 new connections within 5 minutes from a single host then drops
	# incomming connections from that host. Beyond a burst of 100 connections we
	# log at up 1 attempt per second to prevent filling of logs
	simple_iptables_rule "SSH_BRUTE" do
	direction 'INPUT'
	chain_condition '-p tcp -m tcp --dport 22 --syn -m state --state NEW'
	rule [
	"-m recent --name SSH --set",
	"-m recent --name SSH --update --seconds 60 --hitcount 8 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix \"iptables[SSH_BRUTE]: \"",
	"-m recent --name SSH --update --seconds 60 --hitcount 8 -j DROP",
	"-j ACCEPT"
	]
	jump false
	end

	# Chain for preventing ping flooding - up to 6 pings per second from a single
	# source, again with log limiting. Also prevents us from ICMP REPLY flooding
	# some victim when replying to ICMP ECHO from a spoofed source
	simple_iptables_rule "ICMP_FLOOD" do
	direction 'INPUT'
	chain_condition '-p icmp -m icmp --icmp-type 8 -m state --state NEW'
	rule [
	"-m recent --set --name ICMP --rsource",
	"-m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix \"iptables[ICMP_FLOOD]: \"",
	"-m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP",
	"-j ACCEPT"
	]
	jump false
	end

	# Permit useful IMCP packet types
	# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
	# Blocking these can make diagnosing of even simple faults much more tricky.
	# Real security lies in locking down and hardening all services, not by hiding.
	simple_iptables_rule "USEFUL_ICMP" do
	direction "INPUT"
	rule [
	"-p icmp -m icmp --icmp-type 0 -m state --state NEW",
	"-p icmp -m icmp --icmp-type 3 -m state --state NEW",
	"-p icmp -m icmp --icmp-type 11 -m state --state NEW"
	]
	jump "ACCEPT"
	end

	# Do not log packets that are going to port used by UPnP protocol
	simple_iptables_rule "UPNP_DROP" do
	direction "INPUT"
	rule "-p udp -m udp --dport 1900"
	jump "DROP"
	end

	# Do not log late replies from nameservers
	simple_iptables_rule "LATE_REPLY" do
	direction "INPUT"
	rule "-p udp -m udp --sport 53"
	jump "DROP"
	end

	# Good practice is to explicately reject AUTH traffic so that it fails fast
	simple_iptables_rule "REJECT_AUTH" do
	direction "INPUT"
	rule "-p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset"
	jump false
	end