| # /etc/sysctl.d/90-firewall.conf | |
| # Turn on Source Address Verification in all interfaces to | |
| # prevent some spoofing attacks | |
| net.ipv4.conf.all.rp_filter=1 | |
| # Uncomment the next line to enable TCP/IP SYN cookies | |
| net.ipv4.tcp_syncookies=1 | |
| net.ipv4.tcp_max_syn_backlog = 2048 | |
| net.ipv4.tcp_synack_retries = 2 | |
| net.ipv4.tcp_syn_retries = 5 | |
| # Do not accept ICMP redirects (prevent MITM attacks) | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv6.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv6.conf.default.accept_redirects = 0 | |
| # Do not send ICMP redirects (we are not a router) | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| # Do not accept IP source route packets (we are not a router) | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv6.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| net.ipv6.conf.default.accept_source_route = 0 | |
| # Log Martian Packets | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
| # Ignore ICMP broadcast requests | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Ignore Directed pings | |
| #net.ipv4.icmp_echo_ignore_all = 1 |
| #!/bin/bash | |
| iptables -N TCP | |
| iptables -N UDP | |
| iptables -P FORWARD DROP | |
| iptables -P OUTPUT ACCEPT | |
| iptables -P INPUT DROP | |
| iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
| iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
| iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | |
| iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst | |
| iptables -A TCP -p tcp --dport 80 -j ACCEPT | |
| iptables -A TCP -p tcp --dport 443 -j ACCEPT | |
| iptables -A TCP -p tcp --dport 22 -j ACCEPT | |
| #iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP | |
| iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set | |
| iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP | |
| iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | |
| iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst | |
| iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst | |
| iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst | |
| iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach | |
| iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach | |
| iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach | |
| iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable | |
| iptables-save > /etc/iptables/iptables.rules | |
| # service iptables save |
Restart/Reload your firewall service after these changes:
# systemctl [reload|restart] iptables
Load the new kernel parameters:
# sysctl --system
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Based on the following articles:
net.ipv4.conf.default.rp_filteris set to 1 by default on Arch Linux systems. Check if it is so on your system by runningIf it is 0, then add
net.ipv4.conf.default.rp_filter=1to 90-firewall.conf