feffi/rules.v4

## rules.v4
# Generated by iptables-save v1.4.14 on Wed May 14 23:43:26 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# accept all loop traffic, discard all malicious localloop traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable

# accept already established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow ssh/mosh traffic
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 60000:60100 -j ACCEPT
-A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 60000:60100 -j ACCEPT

# allow nginx proxy and deny real ports on external device
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow submission/SSMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT

# allow IMAP/IMAPS
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# log scanning and attacks
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Firewall> XMAS scan "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Firewall> XMAS-PSH scan "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Firewall> XMAS-ALL scan "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Firewall> Null scan "
-A INPUT -p tcp -m multiport --dports 23,79 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -m limit --limit 3/min -j LOG --log-prefix "Firewall>SYN scan trap:"
-A INPUT -p udp -m limit --limit 6/hour --limit-burst 1 -m length --length 0:28 -j LOG --log-prefix "Firewall>0 length udp "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Firewall> FIN scan "

# deny scanning and attacks
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Xmas/PSH scan" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Xmas scan" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Xmas/All scan" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Null scan" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist FIN scan" -j DROP
-A INPUT -p tcp -m multiport --dports 23,79 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -m recent --set --name blacklist_180 --rsource -j DROP

# drop malicious packets
-A INPUT -p udp -m length --length 0:28 -m comment --comment "Drop UDP packet with no content" -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

# log for psad
-A INPUT -j LOG
-A FORWARD -j LOG

-P FORWARD DROP
-P INPUT DROP
-P OUTPUT ACCEPT

COMMIT
# Completed on Wed May 14 23:43:26 2014
	# Generated by iptables-save v1.4.14 on Wed May 14 23:43:26 2014
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]

	# accept all loop traffic, discard all malicious localloop traffic
	-A INPUT -i lo -j ACCEPT
	-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable

	# accept already established connections
	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

	# allow ssh/mosh traffic
	-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 60000:60100 -j ACCEPT
	-A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 60000:60100 -j ACCEPT

	# allow nginx proxy and deny real ports on external device
	-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

	# allow submission/SSMTP
	-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT

	# allow IMAP/IMAPS
	-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

	# log scanning and attacks
	-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Firewall> XMAS scan "
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Firewall> XMAS-PSH scan "
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Firewall> XMAS-ALL scan "
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Firewall> Null scan "
	-A INPUT -p tcp -m multiport --dports 23,79 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -m limit --limit 3/min -j LOG --log-prefix "Firewall>SYN scan trap:"
	-A INPUT -p udp -m limit --limit 6/hour --limit-burst 1 -m length --length 0:28 -j LOG --log-prefix "Firewall>0 length udp "
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Firewall> FIN scan "

	# deny scanning and attacks
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Xmas/PSH scan" -j DROP
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Xmas scan" -j DROP
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Xmas/All scan" -j DROP
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist Null scan" -j DROP
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m recent --set --name blacklist_60 --rsource -m comment --comment "Drop/Blacklist FIN scan" -j DROP
	-A INPUT -p tcp -m multiport --dports 23,79 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -m recent --set --name blacklist_180 --rsource -j DROP

	# drop malicious packets
	-A INPUT -p udp -m length --length 0:28 -m comment --comment "Drop UDP packet with no content" -j DROP
	-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
	-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

	# log for psad
	-A INPUT -j LOG
	-A FORWARD -j LOG

	-P FORWARD DROP
	-P INPUT DROP
	-P OUTPUT ACCEPT

	COMMIT
	# Completed on Wed May 14 23:43:26 2014