craiglondon/iptables.sh

## iptables.sh
###########################
# Variables Section
###########################

# iptables path --> iptables binary
IPT=$(which iptables)

# internet interface --> ifconfig
IFACE="venet0:0"
#####################################
# Flush actual configuration
#####################################

# Delete all the rules in configuration chain
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# Delete all the not empty chains
$IPT -X

# Initialize the counters (Debugging godness)
$IPT -Z
###################################################
# It's usefull to lock all the traffic except the exit route.
# Warning: You should lock even the exit route and create
# specific rules for it
###################################################

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
##############################
# Enable local traffic
##############################

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
#####################################################
# Create some rules for ICMP Ping packages
#####################################################

$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
###############################################
# Lock all the new connections w/out SYN
# It should work like a sort of DDos protector
###############################################

$IPT -N syn-flood
$IPT -A INPUT -i $IFACE -p tcp --syn -j syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#########################################################
# Enable traffic for identified connections
#########################################################

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#########################################################
# Enable traffic on ports 22 and 80
#########################################################
# 80  - HTTP - public
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# 22  - SSH - public
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
###############################################################
# Security & Stuff
# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
###############################################################

$IPT -A INPUT -p ip -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# With this rule we lock every tcp request from internet and redirect them to our firewall
#
$IPT -I INPUT -p tcp -i $IFACE -m state -s 0/0 --dport 1:65535 --state INVALID,NEW -j DROP
$IPT -I INPUT -p tcp -i $IFACE -m state -s 0/0 --dport 1:65535 --state INVALID,NEW -j LOG --log-prefix "portscan block"
# With this rule we lock every udp request from internet and redirect them to our firewall
#
$IPT -I INPUT -p udp -i $IFACE -m state -s 0/0 --state INVALID,NEW -j DROP
#block slowloris
$IPT -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name slowloris --set
$IPT -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name slowloris --update --seconds 15 --hitcount 20 -j DROP
$IPT -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name slowloris --update --seconds 15 --hitcount 20 -j LOG --log-prefix "slowloris block"
#block brute force ssh
$IPT -I INPUT -p tcp --dport 22 -i $IFACE -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 22 -i $IFACE -m state --state NEW -m recent --update --seconds 40 --hitcount 4 -j DROP
$IPT -I INPUT -p tcp --dport 22 -i $IFACE -m state --state NEW -m recent --update --seconds 40 --hitcount 4 -j LOG --log-prefix "ssh brute force block"
	###########################
	# Variables Section
	###########################

	# iptables path --> iptables binary
	IPT=$(which iptables)

	# internet interface --> ifconfig
	IFACE="venet0:0"
	#####################################
	# Flush actual configuration
	#####################################

	# Delete all the rules in configuration chain
	$IPT -F
	$IPT -F -t nat
	$IPT -F -t mangle

	# Delete all the not empty chains
	$IPT -X

	# Initialize the counters (Debugging godness)
	$IPT -Z
	###################################################
	# It's usefull to lock all the traffic except the exit route.
	# Warning: You should lock even the exit route and create
	# specific rules for it
	###################################################

	$IPT -P INPUT DROP
	$IPT -P FORWARD DROP
	$IPT -P OUTPUT ACCEPT
	##############################
	# Enable local traffic
	##############################

	$IPT -A INPUT -i lo -j ACCEPT
	$IPT -A OUTPUT -o lo -j ACCEPT
	#####################################################
	# Create some rules for ICMP Ping packages
	#####################################################

	$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
	$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
	$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
	$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
	$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
	###############################################
	# Lock all the new connections w/out SYN
	# It should work like a sort of DDos protector
	###############################################

	$IPT -N syn-flood
	$IPT -A INPUT -i $IFACE -p tcp --syn -j syn-flood
	$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
	$IPT -A syn-flood -j DROP
	$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
	#########################################################
	# Enable traffic for identified connections
	#########################################################

	$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	#########################################################
	# Enable traffic on ports 22 and 80
	#########################################################
	# 80 - HTTP - public
	$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
	# 22 - SSH - public
	$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
	###############################################################
	# Security & Stuff
	# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
	###############################################################

	$IPT -A INPUT -p ip -f -j DROP
	$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
	$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
	$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
	# With this rule we lock every tcp request from internet and redirect them to our firewall
	#
	$IPT -I INPUT -p tcp -i $IFACE -m state -s 0/0 --dport 1:65535 --state INVALID,NEW -j DROP
	$IPT -I INPUT -p tcp -i $IFACE -m state -s 0/0 --dport 1:65535 --state INVALID,NEW -j LOG --log-prefix "portscan block"
	# With this rule we lock every udp request from internet and redirect them to our firewall
	#
	$IPT -I INPUT -p udp -i $IFACE -m state -s 0/0 --state INVALID,NEW -j DROP
	#block slowloris
	$IPT -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name slowloris --set
	$IPT -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name slowloris --update --seconds 15 --hitcount 20 -j DROP
	$IPT -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name slowloris --update --seconds 15 --hitcount 20 -j LOG --log-prefix "slowloris block"
	#block brute force ssh
	$IPT -I INPUT -p tcp --dport 22 -i $IFACE -m state --state NEW -m recent --set
	$IPT -I INPUT -p tcp --dport 22 -i $IFACE -m state --state NEW -m recent --update --seconds 40 --hitcount 4 -j DROP
	$IPT -I INPUT -p tcp --dport 22 -i $IFACE -m state --state NEW -m recent --update --seconds 40 --hitcount 4 -j LOG --log-prefix "ssh brute force block"