Last active December 15, 2015
Gist bbck/5298530
#!/bin/sh
##
## iptables rules for gentoo.bbck.net
## Mostly stolen from ArchWiki
##
## Last updated April 3, 1013
##
# Reset everything (filter table only: flush all rules, then delete user chains)
iptables -F
iptables -X
# Create chains and set defaults (default deny inbound, allow outbound, no forwarding)
iptables -N TCP
iptables -N UDP
iptables -N SSH
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Rate limit ping requests: at most 30/min (burst 8); anything above that is logged and dropped
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j LOG
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Accept established connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept all traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Drop packets declared invalid
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH rate limiting: new SSH connections go through the SSH chain, which tracks
# sources in the "sshbf" recent list. A source with 3 accepted attempts in the
# last 10 s, or 10 in the last 30 min, is logged and dropped; otherwise the
# attempt is recorded (--set) and accepted.
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
iptables -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j LOG
iptables -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
iptables -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 10 --seconds 1800 -j LOG
iptables -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 10 --seconds 1800 -j DROP
iptables -A SSH -m recent --name sshbf --set -j ACCEPT
# Send TCP and UDP connections to their respective rules chain
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# Reject dropped packets with an RFC compliant response
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
## PORT RULES
# Only TCP/22 is opened; the UDP chain has no rules, so new UDP traffic
# returns to INPUT and is rejected by the rules above.
iptables -A TCP -p tcp --dport 22 -j ACCEPT
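To see what the SSH chain above actually does to a sequence of connection attempts, here is an added model of the `recent` match (this is illustration code, not part of the gist). It assumes the documented semantics: a per-source list of hit timestamps, `--rcheck --hitcount N --seconds S` matching when the source has at least N hits no older than S seconds, and `--set` appending a hit; because the chain DROPs before reaching `--set`, dropped attempts are not recorded. `--rttl` (TTL matching) and list-size limits are ignored; the thresholds and list name come from the rules, the attempt timestamps and addresses are constructed.

```python
"""Model of the sshbf rate limiting from the iptables script (added example)."""
from collections import defaultdict

# (hitcount, seconds) pairs from the SSH chain, in rule order.
SSH_THRESHOLDS = [(3, 10), (10, 1800)]


class RecentList:
    """Per-source hit timestamps, as kept by the iptables `recent` match."""

    def __init__(self):
        self.hits = defaultdict(list)

    def rcheck(self, src, hitcount, seconds, now):
        """True when src has at least `hitcount` hits within the last `seconds`."""
        recent = [t for t in self.hits[src] if now - t <= seconds]
        return len(recent) >= hitcount

    def set(self, src, now):
        """Record a hit for src (the --set rule)."""
        self.hits[src].append(now)


def ssh_chain(rl, src, now):
    """Verdict of the SSH chain for one NEW SSH connection from src at time now."""
    for hitcount, seconds in SSH_THRESHOLDS:
        if rl.rcheck(src, hitcount, seconds, now):
            return "DROP"      # the LOG rule fires first, then DROP; nothing is --set
    rl.set(src, now)
    return "ACCEPT"


def simulate(attempts):
    """Run (src, timestamp) attempts through a fresh sshbf list; return verdicts."""
    rl = RecentList()
    return [ssh_chain(rl, src, t) for src, t in attempts]


if __name__ == "__main__":
    # Constructed burst: four attempts in 4 s, then one after the 10 s window.
    burst = [("203.0.113.5", t) for t in (0, 1, 2, 3, 4, 13)]
    for (src, t), verdict in zip(burst, simulate(burst)):
        print(f"t={t:>3}s {src}: {verdict}")
```

Note that the 10 s window only counts accepted attempts, so a source that keeps retrying after the fourth attempt is dropped, not recorded, and is let back in once its three earlier hits age out; the 1800 s rule is what finally locks out a slow, patient scanner.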