Created
December 28, 2022 08:42
Gist hatunaa/8996f5b9067af8cb26e448168fa0ffaa
Configuration file: /etc/sysconfig/iptables
Edit /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
You will see the default rules, as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Drop All Traffic
Find the lines:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
Update them as follows to change the default policy of the INPUT and FORWARD built-in chains from ACCEPT to DROP:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
Log and Drop Spoofing Source Addresses
Append the following lines before the final COMMIT line. Two points matter for these rules to do what the heading says. First, the LOG target does not terminate the packet, so to actually drop the traffic follow each LOG rule with the same rule using -j DROP. Second, the first rule of the default INPUT chain jumps to RH-Firewall-1-INPUT, whose final REJECT ends every packet that reaches it, so rules placed in INPUT after that jump are never evaluated: put these lines before the -A INPUT -j RH-Firewall-1-INPUT line.
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP LINKLOCAL "
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 248.0.0.0/5 -j LOG --log-prefix "IP DROP "
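Each LOG rule above writes one kernel message per hit, tagged with its --log-prefix. The shell function below is an added example, not part of the gist or of the cyberciti tutorial it copies: it summarises such messages by prefix and source address so the spoof log can be reviewed rather than read line by line. The log lines it runs on are constructed samples in the page's prefix format, not captured logs, and the function assumes the messages reach syslog in the usual "kernel: <prefix>IN=... SRC=..." form.

```shell
#!/bin/sh
# Constructed sample syslog lines (not real captured logs) in the format the
# kernel's LOG target produces with the prefixes used on this page.
SAMPLE_LOG='Dec 28 08:42:01 host kernel: IP DROP SPOOF IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 28 08:42:02 host kernel: IP DROP SPOOF IN=eth0 OUT= SRC=10.9.8.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Dec 28 08:42:03 host kernel: IP DROP MULTICAST IN=eth0 OUT= SRC=224.0.0.9 DST=203.0.113.5 LEN=52 PROTO=UDP SPT=520 DPT=520
Dec 28 08:42:04 host sshd[123]: Accepted publickey for admin from 192.168.1.10 port 5000 ssh2
Dec 28 08:42:05 host kernel: IP DROP LOOPBACK IN=eth0 OUT= SRC=198.51.100.9 DST=127.0.0.1 LEN=40 PROTO=TCP SPT=1 DPT=80'

# summarize_log_hits [PREFIX]
# Reads syslog text on stdin and prints "count<TAB>prefix<TAB>source" for every
# kernel LOG message whose --log-prefix starts with PREFIX (default "IP DROP"),
# most frequent first. Non-firewall lines (sshd, cron, ...) are ignored.
summarize_log_hits() {
    want="${1:-IP DROP}"
    awk -v want="$want" '
        /kernel: / {
            s = $0
            sub(/^.*kernel: /, "", s)
            # the text before " IN=" is the prefix; an unprefixed LOG rule starts at IN=
            if (s ~ /^IN=/) p = ""
            else if (index(s, " IN=") > 0) p = substr(s, 1, index(s, " IN=") - 1)
            else next
            if (substr(p, 1, length(want)) != want) next
            src = "?"
            if (match(s, /SRC=[^ ]+/)) src = substr(s, RSTART + 4, RLENGTH - 4)
            hits[p "\t" src]++
        }
        END { for (k in hits) print hits[k] "\t" k }' | sort -rn
}

# Usage on a RHEL box: summarize_log_hits < /var/log/messages
# or, for the blocklist chain of the script further down: summarize_log_hits "BLOCKED IP DROP" < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_log_hits
```

Because the prefixes on this page all begin with "IP DROP", the default argument groups every spoof, multicast and loopback hit in one report; passing a more specific prefix narrows it to one rule family.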
Log And Drop All Traffic
Find the lines:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Update them as follows:
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
Open Port
Every rule in this section goes into RH-Firewall-1-INPUT and must be placed before that chain's final REJECT (or LOG/DROP) rule, not merely before COMMIT, because a rule after the terminating one is never reached.
To open port 80 (HTTP server), add the following before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
To open port 53 (DNS server), add the following before the COMMIT line. DNS needs both TCP and UDP, and the -m match module must agree with the -p protocol:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT
To open port 443 (HTTPS server), add the following before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
To open port 25 (SMTP server), add the following before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
Only allow SSH traffic from 192.168.1.0/24. This rule replaces the default port 22 rule shown earlier, which accepts SSH from any address; if both are present the default rule still admits everyone:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
Enable printing access (CUPS, port 631) for 192.168.1.0/24:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
Allow legitimate NTP clients on 192.168.1.0/24 to access the server:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
Open FTP port 21 (FTP):
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Save and close the file. Edit /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Make sure the FTP connection-tracking helper is loaded by listing it in the space-separated module list (on newer kernels, RHEL 6 onward, the module is named nf_conntrack_ftp):
IPTABLES_MODULES="ip_conntrack_ftp"
To restart the firewall and verify the loaded rules, type the following commands:
# service iptables restart
# iptables -vnL --line-numbers
Edit /etc/sysctl.conf For DoS and SYN Protection
Edit /etc/sysctl.conf to defend against certain types of attacks and append / update as follows (run sysctl -p afterwards so the values take effect without a reboot):
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
See the previous FAQ, "Linux Kernel /etc/sysctl.conf Security Hardening", for more details.
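Writing the values into /etc/sysctl.conf is only half the job: a package or kernel update can change the running value, and a commented-out line such as the icmp_ignore_bogus_error_messages entry above is silently not applied. The function below is an added example, not part of the page; it compares a desired key = value list against a sysctl -a style dump and reports every key whose live value differs, returning the number of drifts so it can be run from cron or a compliance check. The dump it is shown against is constructed to represent a host that has not been fully hardened (rp_filter = 2 is loose mode, not the strict mode the page asks for).

```shell
#!/bin/sh
# Desired hardening values, taken from the /etc/sysctl.conf block above.
# The commented line is skipped by the audit, exactly as sysctl skips it.
DESIRED='net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1'

# Constructed "sysctl -a" style dump of a partially hardened host (sample data).
CURRENT='net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_local_port_range = 32768 60999
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1'

# sysctl_audit DESIRED_TEXT CURRENT_TEXT
# Prints "key: want X, have Y" for each key whose live value differs from the
# desired one (missing keys show as "<unset>") and returns the drift count.
sysctl_audit() {
    printf '%s\n' "$2" | awk -F ' *= *' -v desired="$1" '
        # index the live dump: key -> value (values may contain spaces)
        /=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); have[$1] = v }
        END {
            n = split(desired, lines, "\n")
            bad = 0
            for (i = 1; i <= n; i++) {
                if (lines[i] ~ /^[ \t]*(#|$)/) continue      # comment or blank
                k = lines[i]; sub(/[ \t]*=.*$/, "", k)
                want = lines[i]; sub(/^[^=]*=[ \t]*/, "", want); sub(/[ \t]+$/, "", want)
                got = (k in have) ? have[k] : "<unset>"
                if (got != want) { bad++; print k ": want " want ", have " got }
            }
            exit bad
        }'
}

# Live use: sysctl_audit "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
sysctl_audit "$DESIRED" "$CURRENT"
```

Against the sample dump the audit lists four drifts (log_martians, accept_redirects, secure_redirects and the loose rp_filter) and exits 4; a clean host exits 0 and prints nothing.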
Alternate Configuration Option
You can skip the /etc/sysconfig/iptables file and create a shell script from scratch, as follows:
#!/bin/bash
# A sample firewall shell script
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
SYSCTL="/sbin/sysctl"
BLOCKEDIPS="/root/scripts/blocked.ips.txt"
# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
#$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
# kernel.exec-shield exists only on older Red Hat kernels (RHEL 5/6); elsewhere sysctl reports an unknown key
$SYSCTL kernel.exec-shield=1
$SYSCTL kernel.randomize_va_space=1
echo "Starting IPv4 Firewall..."
# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# load modules (the connection-tracking module is called nf_conntrack on newer kernels)
modprobe ip_conntrack
# read the blocklist, skipping comment and blank lines
[ -f "$BLOCKEDIPS" ] && BADIPS=$(grep -v -E "^#|^$" "${BLOCKEDIPS}")
# interface connected to the Internet
PUB_IF="eth0"
# Unlimited traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# DROP all traffic by default; only explicitly allowed traffic passes
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
if [ -f "${BLOCKEDIPS}" ]; then
    # create a new iptables chain for the blocklist
    $IPT -N $SPAMLIST
    for ipblock in $BADIPS
    do
        $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG "
        $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
    # note: -s matches the packet's source address, so these rules only catch traffic arriving from a blocked address
    $IPT -I INPUT -j $SPAMLIST
    $IPT -I OUTPUT -j $SPAMLIST
    $IPT -I FORWARD -j $SPAMLIST
fi
# Block new connections that do not start with a SYN packet
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Block fragments
$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
# Block malformed TCP flag combinations (port-scan signatures)
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Allow full outgoing connections but no unsolicited incoming traffic
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow ssh
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT
# Allow http / https (open port 80 / 443; uncomment the second rule to open 443)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT
#$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT
# allow incoming ICMP echo requests (ping); replies are covered by the ESTABLISHED,RELATED rule
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow port 53 tcp/udp (DNS server)
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open port 110 (pop3) / 143 (imap)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT
# Reject smb/windows sharing packets without logging them - too much logging otherwise
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT
# log everything else and drop
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP
exit 0
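The script above feeds every non-comment, non-blank line of blocked.ips.txt straight to iptables. A single malformed entry (a typo, an IPv6 address, a bad prefix length) makes that iptables call fail part way through the loop, so the rest of the blocklist is silently missing while the script still prints its success messages. The two functions below are an added example, not part of the gist or the tutorial it copies: a pure-shell IPv4/CIDR validator and a loader that prints only the entries that pass, returning the number it rejected so the firewall script can refuse to load a list it does not fully trust. The blocklist they are run against is a constructed sample file, not a real list.

```shell
#!/bin/sh
# valid_ipv4_cidr ENTRY
# Succeeds when ENTRY is a dotted-quad IPv4 address with an optional /0-/32
# prefix length (the forms iptables -s accepts), fails otherwise.
valid_ipv4_cidr() {
    case "$1" in
        */*) ip="${1%%/*}"; plen="${1#*/}" ;;
        *)   ip="$1"; plen=32 ;;
    esac
    # prefix length: one or two digits, value 0..32
    case "$plen" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    # address: digits and dots only, no leading/trailing/double dots
    # (this check also rules out glob characters before the unquoted expansion below)
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac   # at most three digits
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# load_blocklist FILE
# Prints the valid entries one per line, writes each rejected entry to stderr,
# and returns the number of rejected entries. Blank lines, lines starting with
# "#" and anything after the first whitespace (inline notes) are ignored.
load_blocklist() {
    bad=0
    while read -r entry rest || [ -n "$entry" ]; do
        case "$entry" in ''|\#*) continue ;; esac
        if valid_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'rejected blocklist entry: %s\n' "$entry" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# sample_blocklist: writes a constructed sample list to a temporary file and
# prints its path (documentation ranges only, not a real blocklist).
sample_blocklist() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample list
203.0.113.0/24
198.51.100.7

10.0.0.256
2001:db8::1
192.0.2.1/33
192.0.2.5   # inline note
EOF
    printf '%s\n' "$f"
}

# In the firewall script this replaces the grep line:
#   BADIPS=$(load_blocklist "$BLOCKEDIPS") || { echo "blocklist has bad entries, not loading firewall"; exit 1; }
load_blocklist "$(sample_blocklist)"
```

On the sample file the loader prints the three well-formed entries and exits 3, one per rejected line; wiring the exit status into the firewall script, as the comment shows, stops a half-applied blocklist from going unnoticed.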
Recommended reading:
+ See all our iptables related FAQs, tutorials, and shell scripts.
+ Ip6tables (IPv6) firewall configurations.
+ Read the iptables and sysctl man pages using the man command:
man iptables
man ip6tables
man sysctl
Ref: https://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial