/etc/iptables/rules.v4
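# Generated by iptables-save v1.4.14 on Wed May 14 23:43:26 2014
# NOTE(review): this file was hand-edited after generation (iptables-save never emits
# trailing `-P` lines). It is presumably applied with `iptables-restore < /etc/iptables/rules.v4`.
#
# Default policies are declared in the chain headers below, which is the canonical
# iptables-save form, instead of as `-P INPUT DROP` / `-P FORWARD DROP` lines at the end
# of the chain. The effective policy is unchanged; it is now just stated where a reader
# (or a tool that only inspects the header) sees it: INPUT and FORWARD drop everything not
# explicitly accepted, OUTPUT is unrestricted.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: accept anything on lo, reject anything addressed to 127/8 that did not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
# replies and related packets for connections conntrack already knows
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# enforce the scan blacklists that the `-m recent --set` rules further down populate.
# Previously the lists were written but never read, so "blacklisting" had no effect.
# These checks sit after RELATED,ESTABLISHED so an already-open admin session survives;
# a forged source address can still get a third party dropped for the window, so keep the
# windows short. `--rcheck` does not refresh the timer, `--update` would.
-A INPUT -m recent --rcheck --seconds 60 --name blacklist_60 --rsource -m comment --comment "Drop sources blacklisted for 60s" -j DROP
-A INPUT -m recent --rcheck --seconds 180 --name blacklist_180 --rsource -m comment --comment "Drop sources blacklisted for 180s" -j DROP
# ssh and mosh. Port 22 is reachable from anywhere with no connection-rate limit; consider
# `-m recent` throttling here or key-only auth in sshd. Only UDP/TCP 60000-60100 is opened,
# so mosh-server must be started with a matching port range (-p 60000:60100) — TODO confirm.
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 60000:60100 -j ACCEPT
-A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 60000:60100 -j ACCEPT
# http to the nginx proxy; the backend ports are deliberately not opened here
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# mail: smtp, smtps, submission. No state match: any TCP packet to these ports is accepted,
# including non-SYN packets in no tracked connection, which the "new but not SYN" drop below
# would otherwise catch.
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
# imap / imaps (stateless accept, same caveat as the mail ports)
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
# generic log of everything not accepted above. LOG is non-terminating, so the packet keeps
# traversing the chain; scan packets are logged again below with a specific prefix.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# scan signatures, logged with their own prefix (rate-limited per rule)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Firewall> XMAS scan "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Firewall> XMAS-PSH scan "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Firewall> XMAS-ALL scan "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Firewall> Null scan "
# SYN to telnet/finger: nothing listens there, so a connection attempt is treated as a probe
-A INPUT -p tcp -m multiport --dports 23,79 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -m limit --limit 3/min -j LOG --log-prefix "Firewall>SYN scan trap:"
# UDP datagram no longer than IP+UDP headers (20+8 bytes, assuming no IP options), i.e. empty payload
-A INPUT -p udp -m limit --limit 6/hour --limit-burst 1 -m length --length 0:28 -j LOG --log-prefix "Firewall>0 length udp "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Firewall> FIN scan "
# drop the scans and record the source in a blacklist; the blacklists are checked near the
# top of the chain. Sources are taken from the packet and are therefore spoofable.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Xmas/PSH scan" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Xmas scan" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Xmas/All scan" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Null scan" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist FIN scan" -j DROP
-A INPUT -p tcp -m multiport --dports 23,79 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -m recent --set --name blacklist_180 --rsource -m comment --comment "Drop/Blacklist telnet-finger probe" -j DROP
# other malformed traffic
-A INPUT -p udp -m length --length 0:28 -m comment --comment "Drop UDP packet with no content" -j DROP
# a NEW connection whose first packet is not a bare SYN (e.g. ACK/FIN scans, stray segments)
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# (the former second copies of the XMAS-ALL and NULL drops were unreachable: the blacklist
# rules above already terminate those packets, so they were removed.)
# catch-all LOG for psad. It has no `-m limit`, so a sustained flood writes to the kernel
# log at packet rate; keep it only if psad needs the full stream. Everything reaching the
# end of INPUT/FORWARD is dropped by the chain policy declared in the header.
-A INPUT -j LOG
-A FORWARD -j LOG
COMMIT
# Completed on Wed May 14 23:43:26 2014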