adityamukho / 90-firewall.conf
Last active

Embed URL

HTTPS clone URL

SSH clone URL

You can clone with HTTPS or SSH.

Download Gist

Secure an Arch Linux instance to run as a public server.

View 90-firewall.conf
Raw
File suppressed. Click to show.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 
# /etc/sysctl.d/90-firewall.conf

 

# Turn on Source Address Verification in all interfaces to

# prevent some spoofing attacks

net.ipv4.conf.all.rp_filter=1

 

# Uncomment the next line to enable TCP/IP SYN cookies

net.ipv4.tcp_syncookies=1

net.ipv4.tcp_max_syn_backlog = 2048

net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_syn_retries = 5

 

# Do not accept ICMP redirects (prevent MITM attacks)

net.ipv4.conf.all.accept_redirects = 0

net.ipv6.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv6.conf.default.accept_redirects = 0

 

# Do not send ICMP redirects (we are not a router)

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

 

# Do not accept IP source route packets (we are not a router)

net.ipv4.conf.all.accept_source_route = 0

net.ipv6.conf.all.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv6.conf.default.accept_source_route = 0

 

# Log Martian Packets

net.ipv4.conf.all.log_martians = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1

 

# Ignore ICMP broadcast requests

net.ipv4.icmp_echo_ignore_broadcasts = 1

 

# Ignore Directed pings

#net.ipv4.icmp_echo_ignore_all = 1
View 90-firewall.conf
Raw
File suppressed. Click to show.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 
#!/bin/bash

 

iptables -N TCP

iptables -N UDP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -P INPUT DROP

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP

iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst

iptables -A TCP -p tcp --dport 80 -j ACCEPT

iptables -A TCP -p tcp --dport 443 -j ACCEPT

iptables -A TCP -p tcp --dport 22 -j ACCEPT

#iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP

iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set

iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst

iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst

iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst

iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach

iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach

iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach

iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

 

 

iptables-save > /etc/iptables/iptables.rules

# service iptables save
Owner
adityamukho commented

Based on the following articles:

  1. https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall
  2. http://0v.org/installing-ghost-on-ubuntu-nginx-and-mysql/

net.ipv4.conf.default.rp_filter is set to 1 by default on Arch Linux systems. Check if it is so on your system by running

sysctl net.ipv4.conf.default.rp_filter

If it is 0, then add net.ipv4.conf.default.rp_filter=1 to 90-firewall.conf

Owner
adityamukho commented

Restart/Reload your firewall service after these changes:

# systemctl [reload|restart] iptables

Load the new kernel parameters:

# sysctl --system
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.