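#!/usr/bin/env bash
#
# Host firewall for a box with a single public interface (OpenVZ "venet0"
# by default).
#
# Policy: drop everything inbound except loopback, replies to traffic we
# started, a rate-limited subset of ICMP, and new TCP connections to HTTP
# and SSH. Outbound is left open (see set_policies); lock it down with
# explicit OUTPUT rules if the host should not be able to reach out freely.
#
# Usage:  sudo ./firewall.sh
# Env:    IFACE      public interface as the kernel names it (default venet0)
#         IPT        iptables binary (default: first one on PATH)
#         SSH_PORT   default 22
#         HTTP_PORT  default 80
#
# Things a maintainer must know before editing:
#   * IPv4 only. If the host has a public IPv6 address, load equivalent
#     rules with ip6tables as well, otherwise v6 bypasses all of this.
#   * Every rule is appended (-A), so the order in this file is the order
#     in the chain. The original mixed -A and -I, which put a
#     "drop all NEW tcp" rule ABOVE the port 22/80 accepts.
#   * Run it the first time from a console, or schedule a fallback flush
#     (e.g. `echo "iptables -P INPUT ACCEPT; iptables -F" | at now + 5 min`)
#     so a typo cannot lock you out of SSH.

set -euo pipefail

IPT="${IPT:-$(command -v iptables || true)}"
# Interface name as netfilter sees it. An IP alias such as "venet0:0" is a
# label on an extra address of venet0, not a separate device, so a rule with
# "-i venet0:0" never matches anything. Use the base device.
IFACE="${IFACE:-venet0}"
SSH_PORT="${SSH_PORT:-22}"
HTTP_PORT="${HTTP_PORT:-80}"

# Per-source SYN rate allowed before new connections from that source are
# dropped. Tune to the real traffic profile; 1/s would reject normal clients.
SYN_RATE="${SYN_RATE:-25/s}"
SYN_BURST="${SYN_BURST:-50}"
# New-connection burst per source to port $HTTP_PORT (see service_rules).
# 20 in 15 s can be exceeded by one browser behind a busy NAT; adjust.
HTTP_NEW_HITS="${HTTP_NEW_HITS:-20}"
HTTP_NEW_WINDOW="${HTTP_NEW_WINDOW:-15}"
# Concurrent connections one source may hold open to $HTTP_PORT.
HTTP_MAX_CONNS="${HTTP_MAX_CONNS:-50}"
# Failed/new SSH attempts per source before it is blocked.
SSH_HITS="${SSH_HITS:-4}"
SSH_WINDOW="${SSH_WINDOW:-40}"

# Every LOG target carries this so a port scan cannot fill the disk with
# kernel log lines (the original logged unconditionally).
LOG_LIMIT=(-m limit --limit 5/min --limit-burst 10)

die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

#######################################
# Refuse to run without root or without an iptables binary.
#######################################
preflight() {
  [[ -n "$IPT" && -x "$IPT" ]] || die "iptables not found; set IPT=/path/to/iptables"
  (( EUID == 0 )) || die "must run as root"
}

#######################################
# Remove every existing rule and user chain in filter, nat and mangle.
# Policies are NOT touched here: an open policy between flush and rebuild
# would leave the host wide open if a later command fails (set -e).
#######################################
flush_rules() {
  "$IPT" -F
  "$IPT" -F -t nat
  "$IPT" -F -t mangle
  "$IPT" -X   # user-defined chains; all empty after the -F above
  "$IPT" -Z   # zero counters so "iptables -vnL" shows only fresh hits
}

#######################################
# Loopback and conntrack rules. These go in FIRST so an SSH session used to
# run this script keeps working as soon as the chain is rebuilt.
#######################################
base_rules() {
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Packets conntrack cannot classify (bad sequence numbers, stray ACKs).
  "$IPT" -A INPUT -m state --state INVALID -j DROP
}

#######################################
# Default policies: fail closed for INPUT and FORWARD, open for OUTPUT.
#######################################
set_policies() {
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
}

#######################################
# Drop TCP flag combinations no legitimate stack sends (scanner / OS
# fingerprint probes) and new connections that do not start with SYN.
# Placed before any ACCEPT so an accept rule cannot shadow them.
#######################################
tcp_sanity_rules() {
  "$IPT" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  "$IPT" -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP   # xmas tree
  "$IPT" -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
  "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  "$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  # Fragments. NOTE(review): with conntrack loaded (we use -m state) the
  # kernel reassembles before the filter table runs, so this seldom matches;
  # kept as defence in depth, not relied upon.
  "$IPT" -A INPUT -f -j DROP
}

#######################################
# Per-source SYN rate limit on the public interface.
# The original used "-m limit 1/s", which is a GLOBAL bucket: one host
# sending a handful of SYNs per second would have locked everyone else out.
# hashlimit keyed on the source address limits each client separately.
#######################################
syn_flood_rules() {
  "$IPT" -N syn-flood
  "$IPT" -A INPUT -i "$IFACE" -p tcp --syn -j syn-flood
  "$IPT" -A syn-flood -m hashlimit --hashlimit-mode srcip \
    --hashlimit-name synflood \
    --hashlimit-upto "$SYN_RATE" --hashlimit-burst "$SYN_BURST" -j RETURN
  "$IPT" -A syn-flood -j DROP
}

#######################################
# ICMP we answer or accept unsolicited.
# echo-reply and timestamp-reply to our own probes are already covered by
# ESTABLISHED,RELATED above. timestamp-request is deliberately NOT accepted:
# answering it discloses the system clock and is flagged by most scanners.
#######################################
icmp_rules() {
  "$IPT" -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 5/s --limit-burst 10 -j ACCEPT
  # Needed for path-MTU discovery and traceroute to work towards us.
  "$IPT" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
  "$IPT" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
}

#######################################
# Public services: HTTP and SSH, each with its abuse guard placed BEFORE
# its ACCEPT so the guard actually runs.
#######################################
service_rules() {
  # --- HTTP ---------------------------------------------------------------
  # Cap connections a single source holds open; this is the control that
  # actually bites slow-header attacks such as slowloris.
  "$IPT" -A INPUT -p tcp --syn --dport "$HTTP_PORT" \
    -m connlimit --connlimit-above "$HTTP_MAX_CONNS" -j DROP
  # New-connection burst per source (the original "slowloris" rule, kept
  # under its original log prefix).
  "$IPT" -A INPUT -p tcp --dport "$HTTP_PORT" -m state --state NEW \
    -m recent --name slowloris --set
  "$IPT" -A INPUT -p tcp --dport "$HTTP_PORT" -m state --state NEW \
    -m recent --name slowloris --update \
    --seconds "$HTTP_NEW_WINDOW" --hitcount "$HTTP_NEW_HITS" \
    "${LOG_LIMIT[@]}" -j LOG --log-prefix "slowloris block"
  "$IPT" -A INPUT -p tcp --dport "$HTTP_PORT" -m state --state NEW \
    -m recent --name slowloris --update \
    --seconds "$HTTP_NEW_WINDOW" --hitcount "$HTTP_NEW_HITS" -j DROP
  "$IPT" -A INPUT -p tcp --dport "$HTTP_PORT" -m state --state NEW -j ACCEPT

  # --- SSH ----------------------------------------------------------------
  # Brute-force brake: more than $SSH_HITS new connections from one source
  # inside $SSH_WINDOW seconds are logged (rate-limited) and dropped.
  "$IPT" -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW \
    -m recent --name ssh --set
  "$IPT" -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW \
    -m recent --name ssh --update --seconds "$SSH_WINDOW" --hitcount "$SSH_HITS" \
    "${LOG_LIMIT[@]}" -j LOG --log-prefix "ssh brute force block"
  "$IPT" -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW \
    -m recent --name ssh --update --seconds "$SSH_WINDOW" --hitcount "$SSH_HITS" -j DROP
  "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
}

#######################################
# Final logged catch-all for anything new that reached the end of the chain.
# The INPUT policy would drop it anyway; these rules exist for visibility.
# MUST stay last: in the original they were -I'd to the top and shadowed
# the service accepts.
#######################################
catch_all_rules() {
  "$IPT" -A INPUT -i "$IFACE" -p tcp -m state --state NEW \
    "${LOG_LIMIT[@]}" -j LOG --log-prefix "portscan block"
  "$IPT" -A INPUT -i "$IFACE" -p tcp -m state --state NEW -j DROP
  "$IPT" -A INPUT -i "$IFACE" -p udp -m state --state NEW -j DROP
}

main() {
  preflight
  flush_rules
  base_rules
  set_policies
  tcp_sanity_rules
  syn_flood_rules
  icmp_rules
  service_rules
  catch_all_rules
}

main "$@"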