Created
September 4, 2010 02:58
-
-
Save xeoncross/564856 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *filter | |
| # http://articles.slicehost.com/2010/4/30/ubuntu-lucid-setup-part-1 | |
| # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT | |
| # Accepts all established inbound connections | |
| -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Allows all outbound traffic | |
| # You can modify this to only allow certain traffic | |
| -A OUTPUT -j ACCEPT | |
| # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) | |
| -A INPUT -p tcp --dport 80 -j ACCEPT | |
| -A INPUT -p tcp --dport 443 -j ACCEPT | |
| # Allows SSH connections (only 4 attempts by an IP every 3 minutes, drop the rest to prevent SSH attacks) | |
| -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource | |
| -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP | |
| -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |
| # Allow ping | |
| -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | |
| # log iptables denied calls | |
| -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |
| # Reject all other inbound - default deny unless explicitly allowed policy | |
| -A INPUT -j REJECT | |
| -A FORWARD -j REJECT | |
| COMMIT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *filter | |
| # Since v1 I have improved it some (10/3/2012) | |
| # http://articles.slicehost.com/2010/4/30/ubuntu-lucid-setup-part-1 | |
| # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT | |
| # Accepts all established inbound connections | |
| -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Allows all outbound traffic | |
| # You can modify this to only allow certain traffic | |
| -A OUTPUT -j ACCEPT | |
| # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) | |
| -A INPUT -p tcp --dport 80 -j ACCEPT | |
| -A INPUT -p tcp --dport 443 -j ACCEPT | |
| # UN-COMMENT THESE IF YOU USE INCOMING MAIL! | |
| # Allows POP (and SSL-POP) | |
| #-A INPUT -p tcp --dport 110 -j ACCEPT | |
| #-A INPUT -p tcp --dport 995 -j ACCEPT | |
| # SMTP (and SSMTP) | |
| #-A INPUT -p tcp --dport 25 -j ACCEPT | |
| #-A INPUT -p tcp --dport 465 -j ACCEPT | |
| # IMAP (and IMAPS) | |
| #-A INPUT -p tcp --dport 143 -j ACCEPT | |
| #-A INPUT -p tcp --dport 993 -j ACCEPT | |
| # Allows SSH connections (only 3 attempts by an IP every 2 minutes, drop the rest to prevent SSH attacks) | |
| -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource | |
| -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 --name DEFAULT --rsource -j DROP | |
| -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |
| # Allow ping | |
| -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | |
| # log iptables denied calls (Can grow log files fast!) | |
| #-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |
| # Reject all other inbound - default deny unless explicitly allowed policy | |
| #-A INPUT -j REJECT | |
| #-A FORWARD -j REJECT | |
| # It's safer to just DROP the packet | |
| -A INPUT -j DROP | |
| -A FORWARD -j DROP | |
| COMMIT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment