@bbck
Last active December 15, 2015 17:48
#!/bin/sh
##
## iptables rules for gentoo.bbck.net
## Mostly stolen from ArchWiki
##
## Last updated April 3, 2013
##
# Reset everything: flush every rule in the filter table, then delete the (now empty) user-defined chains
iptables -F
iptables -X
# Create chains and set defaults: default-deny on INPUT and FORWARD, allow all OUTPUT
iptables -N TCP
iptables -N UDP
iptables -N SSH
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Rate limit ping requests: accept up to 30 echo-requests per minute (burst of 8), log and drop the excess
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j LOG
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Accept established connections (and related ones, e.g. ICMP errors belonging to them)
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept all traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Drop packets declared invalid by conntrack (malformed, or not belonging to any tracked connection)
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH rate limiting: new SSH connections go to the SSH chain, which tracks source addresses in the
# "sshbf" recent list and logs/drops a source after 3 attempts within 10 s or 10 within 30 min;
# anything below those thresholds is recorded (--set) and accepted
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
iptables -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j LOG
iptables -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
iptables -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 10 --seconds 1800 -j LOG
iptables -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 10 --seconds 1800 -j DROP
iptables -A SSH -m recent --name sshbf --set -j ACCEPT
# Send new TCP and UDP connections to their respective rules chains
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# Reject everything else with an RFC-compliant response instead of silently dropping
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
## PORT RULES
# Note: new SSH connections never reach this rule, since the SSH chain above already accepts or drops them
iptables -A TCP -p tcp --dport 22 -j ACCEPT
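The ruleset above only does its job if a few invariants hold after it is loaded: INPUT and FORWARD default to DROP, loopback and RELATED,ESTABLISHED traffic are accepted before any REJECT rule, and the TCP/UDP chains open nothing beyond an intended allowlist. The Python script below is an added example (not part of this gist or of the ArchWiki article it borrows from) that audits an `iptables-save` dump for exactly those properties. `SAMPLE_DUMP` is constructed by hand to resemble what `iptables-save -t filter` prints after running the script (iptables-save normalises `echo-request` to `--icmp-type 8`, `--syn` to `--tcp-flags`, and `tcp-rst` to `tcp-reset`); the function names and allowlist parameters are my own.

```python
"""Audit an iptables-save dump for the invariants of a default-deny INPUT ruleset.

Added example, not the gist's own code. Feed it real data with:
    iptables-save -t filter | python3 audit_rules.py
"""
import re
import sys

# Constructed sample: what iptables-save -t filter would print after loading the gist's rules.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:SSH - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j LOG
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j SSH
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A SSH -m recent --rcheck --seconds 10 --hitcount 3 --rttl --name sshbf --rsource -j LOG
-A SSH -m recent --rcheck --seconds 10 --hitcount 3 --rttl --name sshbf --rsource -j DROP
-A SSH -m recent --rcheck --seconds 1800 --hitcount 10 --rttl --name sshbf --rsource -j LOG
-A SSH -m recent --rcheck --seconds 1800 --hitcount 10 --rttl --name sshbf --rsource -j DROP
-A SSH -m recent --set --name sshbf --rsource -j ACCEPT
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return (policies, rules): chain -> policy, and chain -> ordered list of rule bodies."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                       # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _ = line[1:].split(" ", 2)
            policies[name] = policy
            rules.setdefault(name, [])
        elif line.startswith("-A "):                   # "-A CHAIN <match ...> -j TARGET"
            _, chain, body = line.split(" ", 2)
            rules.setdefault(chain, []).append(body)
    return policies, rules


def first_index(seq, pred):
    """Index of the first element satisfying pred, or None."""
    return next((i for i, item in enumerate(seq) if pred(item)), None)


def open_ports(rules, chain):
    """Destination ports that the given chain ACCEPTs outright."""
    ports = []
    for body in rules.get(chain, []):
        m = re.search(r"--dport (\d+)", body)
        if m and body.endswith("-j ACCEPT"):
            ports.append(int(m.group(1)))
    return ports


def audit(text, allowed_tcp_ports=(22,), allowed_udp_ports=()):
    """Return a list of findings; an empty list means the dump matches expectations."""
    policies, rules = parse_dump(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, expected DROP")
    inp = rules.get("INPUT", [])
    est = first_index(inp, lambda r: "--ctstate RELATED,ESTABLISHED" in r and r.endswith("-j ACCEPT"))
    if est is None:
        findings.append("INPUT: no RELATED,ESTABLISHED accept rule")
    if first_index(inp, lambda r: "-i lo " in r and r.endswith("-j ACCEPT")) is None:
        findings.append("INPUT: loopback traffic is not accepted")
    rej = first_index(inp, lambda r: "-j REJECT" in r)
    if est is not None and rej is not None and rej < est:
        findings.append("INPUT: REJECT rule precedes the RELATED,ESTABLISHED accept")
    for chain, allowed in (("TCP", allowed_tcp_ports), ("UDP", allowed_udp_ports)):
        for port in open_ports(rules, chain):
            if port not in allowed:
                findings.append(f"{chain}: port {port} accepted but not in allowlist")
    return findings


if __name__ == "__main__":
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    problems = audit(dump)
    print("\n".join(problems) if problems else "ruleset OK")
    sys.exit(1 if problems else 0)
```

Run it without input to check the constructed sample, or pipe a live `iptables-save -t filter` into it after loading the script; a non-zero exit status makes it usable from a deployment check. The ordering test matters most: if the RELATED,ESTABLISHED accept ever slips below the final REJECT rules, replies to the host's own outbound connections are rejected even though the policy still reads DROP.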