@jamesbrink
Created July 8, 2019 21:16
DDOS Iptables rules

Aggressive IPTables Rules

# Safety net against locking yourself out: the saved rule set is restored after two minutes unless you cancel the job (atq / atrm)
echo "service iptables restart" | at now + 2 min

# Start from a clean slate: "iptables --flush" alone leaves the mangle rules and the custom chains of a previous run in place,
# so re-running the script would duplicate rules and "iptables -N" would fail for chains that already exist
iptables -F
iptables -t mangle -F
iptables -X

### Drop invalid packets ### 
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

### Drop TCP packets that are new and are not SYN ### 
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
 
### Drop SYN packets with suspicious MSS value ### 
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

### Block packets with bogus TCP flags ### 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  

### Block spoofed packets ### 
# Remove the RFC 1918 lines below that cover your own network if this host is reached through a load balancer or from a private range
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP  

### Drop ICMP (you usually don't need this protocol) ### 
# This also drops "fragmentation needed" (type 3) messages that path MTU discovery depends on, and it makes the echo-request ACCEPT in INPUT unreachable
iptables -t mangle -A PREROUTING -p icmp -j DROP

### Drop fragments in all chains ### 
# With conntrack loaded (the rules above use it), IPv4 packets are reassembled before the mangle PREROUTING hook, so this rule only matters when conntrack is not in use
iptables -t mangle -A PREROUTING -f -j DROP

### Create UDP,TCP, and port-scanning chains ###
iptables -N TCP
iptables -N UDP
iptables -N port-scanning 

### Base INPUT policy ###
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Only reachable if the mangle rule that drops all ICMP is removed
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

### Protection against port scanning ### 
# RST-only packets pass through at 1/s (burst 2); above that rate they are dropped.
# The chain is only useful once INPUT sends such packets into it, hence the jump rule.
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning

### 8: Limit connections per source IP ### 
iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

### 9: Limit RST packets ### 
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

### 10: Limit new TCP connections per second per source IP ### 
# "-m limit" is a single global bucket; hashlimit keyed on the source address gives the per-IP limit the heading asks for.
# Dropping above the rate (rather than accepting below it) leaves the TCP chain in charge of which ports are open.
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-above 60/sec --hashlimit-burst 20 -j DROP

### Dispatch new connections to the protocol chains ###
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP


### SET whitelist ###
# "-I" inserts at the top of INPUT, so these sources bypass every limit above

iptables -I INPUT -p tcp -m multiport --dports http,https -s 202.174.99.130 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.236.157.195 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.86.126.38 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 52.7.68.54 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.209.238.117 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.86.185.255 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.85.44.205 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 66.214.200.238 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.88.4.97 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.86.103.84 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.85.26.143 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.86.139.165 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.86.23.132 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.208.124.69 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.208.74.167 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 52.7.0.189 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 149.56.241.110 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.208.48.109 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.88.6.144 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.84.211.224 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.209.26.250 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.209.153.92 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.84.49.49 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports http,https -s 54.209.220.208 -j ACCEPT


### SSH brute-force protection ### 
# More than 10 new SSH connections from one source within 60 seconds are dropped
iptables -A TCP -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -A TCP -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

### Accept SSH ###
iptables -A TCP -p tcp --dport 22 -j ACCEPT
### Accept HTTP ###
iptables -A TCP -p tcp --dport 80 -j ACCEPT
### Accept HTTPS ###
iptables -A TCP -p tcp --dport 443 -j ACCEPT
### Accept PowerPanel VZ ###
iptables -A TCP -p tcp --dport 4643 -j ACCEPT
### Accept cPanel/WHM connections ###
iptables -A TCP -p tcp --dport 2087 -j ACCEPT
iptables -A TCP -p tcp --dport 2083 -j ACCEPT
### Accept DNS ###
iptables -A TCP -p tcp --dport 53 -j ACCEPT
iptables -A UDP -p udp --dport 53 -j ACCEPT
### SMTP ###
iptables -A TCP -p tcp --dport 25 -j ACCEPT
### POP ###
iptables -A TCP -p tcp --dport 110 -j ACCEPT
iptables -A TCP -p tcp --dport 995 -j ACCEPT
### IMAP ###
iptables -A TCP -p tcp --dport 143 -j ACCEPT
iptables -A TCP -p tcp --dport 993 -j ACCEPT
### Additional email ports provided by client ###
iptables -A TCP -p tcp --dport 587 -j ACCEPT
iptables -A TCP -p tcp --dport 465 -j ACCEPT

### Catch-all: reject everything the chains above did not accept ###
# Any INPUT rule appended after these three is never evaluated; add new INPUT rules above this point
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
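The "bogus TCP flags" section above lists thirteen `--tcp-flags MASK COMP` rules without saying what they actually match, which makes it hard to tell whether a legitimate segment (an ECN-capable SYN, a PSH+ACK data segment, a bare RST) would be dropped, or whether some rules are shadowed by earlier ones. The following Python script is an added example, not code from the gist: it reimplements the kernel's `--tcp-flags` semantics (examine only the flags in MASK, match when the examined bits equal COMP) and runs the gist's rule list, copied verbatim, against constructed sample segments. The `shadowed_rules` check goes beyond the gist by enumerating every combination of the six examined flags to find rules that can never be the first match.

```python
"""Check the gist's bogus-TCP-flag DROP rules against sample segments.

Added example, not part of the gist. It reimplements iptables' --tcp-flags
semantics so the rule list can be tested offline against legitimate and bogus
flag combinations, and so rules shadowed by earlier ones can be found.
"""

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
# iptables' ALL keyword expands to these six; ECE and CWR are never examined by it
ALL_FLAGS = "FIN,SYN,RST,PSH,ACK,URG"

# (MASK, COMP) pairs copied from the gist's "Block packets with bogus TCP flags" rules, in order
BOGUS_FLAG_RULES = [
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),
    ("FIN,SYN", "FIN,SYN"),
    ("SYN,RST", "SYN,RST"),
    ("FIN,RST", "FIN,RST"),
    ("FIN,ACK", "FIN"),
    ("ACK,URG", "URG"),
    ("ACK,FIN", "FIN"),
    ("ACK,PSH", "PSH"),
    ("ALL", "ALL"),
    ("ALL", "NONE"),
    ("ALL", "FIN,PSH,URG"),
    ("ALL", "SYN,FIN,PSH,URG"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
]


def flags_to_bits(spec):
    """Bitmask for a comma-separated flag list; ALL and NONE as iptables defines them."""
    if spec in ("", "NONE"):
        return 0
    if spec == "ALL":
        spec = ALL_FLAGS
    return sum(FLAG_BITS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags MASK COMP matches when (flags & MASK) == COMP, as in the kernel's xt_tcp match."""
    return (flags_to_bits(packet_flags) & flags_to_bits(mask)) == flags_to_bits(comp)


def first_dropping_rule(packet_flags, rules=BOGUS_FLAG_RULES):
    """The (MASK, COMP) of the first rule that drops the segment, or None if it passes all of them."""
    for mask, comp in rules:
        if tcp_flags_match(packet_flags, mask, comp):
            return (mask, comp)
    return None


def shadowed_rules(rules=BOGUS_FLAG_RULES):
    """Indices of rules that are never the first match for any combination of the six examined flags."""
    first_hits = set()
    for bits in range(64):  # every subset of FIN..URG (bit values 0x01..0x20)
        for i, (mask, comp) in enumerate(rules):
            if (bits & flags_to_bits(mask)) == flags_to_bits(comp):
                first_hits.add(i)
                break
    return [i for i in range(len(rules)) if i not in first_hits]


if __name__ == "__main__":
    # Constructed sample segments: ordinary handshake and data flags first, then classic bogus combinations
    for flags in ["SYN", "SYN,ACK", "SYN,ECE,CWR", "ACK", "PSH,ACK", "FIN,ACK", "RST",
                  "NONE", "FIN", "SYN,FIN", "URG", "FIN,PSH,URG"]:
        verdict = first_dropping_rule(flags)
        print(f"{flags:14} -> {'DROP by ' + str(verdict) if verdict else 'pass'}")
    print("shadowed rule indices:", shadowed_rules())
```

Run stand-alone, the script shows that a plain SYN, an ECN-negotiating SYN (ECE and CWR are outside `ALL`), PSH+ACK, FIN+ACK and a bare RST all pass, while NULL, FIN-only, SYN+FIN, URG-only and Xmas segments are dropped. It also reports that rules 6, 8, 9, 10, 11 and 12 (zero-based, in the gist's order) are shadowed: `ACK,FIN FIN` repeats `FIN,ACK FIN`, `ALL NONE` repeats the first rule, and the four `ALL ...` combinations that include both FIN and SYN are already caught by `FIN,SYN FIN,SYN`, so those six lines can be dropped without changing what the firewall blocks.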
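The INPUT chain in this script ends with catch-all REJECT rules, and anything appended to INPUT after such a rule is never evaluated, so a rate limit added at the bottom of the script silently does nothing. That ordering mistake is easy to introduce and hard to see in a long ruleset. The following Python script is an added example, not code from the gist: it parses `iptables-save` output and reports every rule that follows, in the same chain, either an unconditional terminating rule or a terminating rule for the rule's whole protocol. The sample ruleset embedded in it is constructed for the example.

```python
"""Report unreachable rules in `iptables-save` output.

Added example, not part of the gist. It parses the `iptables-save` text format
(`*table`, `:CHAIN POLICY [pkts:bytes]`, `-A CHAIN ...`, `COMMIT`) and flags any
rule that follows, in the same chain, either an unconditional terminating rule
(no match criteria, target ACCEPT/DROP/REJECT) or a terminating rule whose only
criterion is the packet's protocol. Nothing after such a rule can match.
"""
import shlex
import sys

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample ruleset: INPUT dispatches to TCP/UDP chains, then rejects
# everything, and two rules were appended after the catch-all rejects.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m connlimit --connlimit-above 111 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""


def parse_rules(save_text):
    """Yield (table, chain, criteria, target, line) for every -A line."""
    table = None
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chain = tokens[1]
            if "-j" in tokens:
                j = tokens.index("-j")
                criteria, target = tokens[2:j], tokens[j + 1]
            else:  # no target: a counting-only rule, never terminal
                criteria, target = tokens[2:], None
            yield table, chain, criteria, target, line


def protocol_of(criteria):
    """Protocol named by a non-negated -p/--protocol match, or None."""
    for i, tok in enumerate(criteria):
        if tok in ("-p", "--protocol") and i + 1 < len(criteria):
            if i == 0 or criteria[i - 1] != "!":
                return criteria[i + 1]
    return None


def find_unreachable(save_text):
    """Return [(table, chain, rule_line, reason)] for rules that can never match."""
    unreachable = []
    dead = {}  # (table, chain) -> set of dead protocols, or {"ALL"} once everything is terminated
    for table, chain, criteria, target, line in parse_rules(save_text):
        state = dead.setdefault((table, chain), set())
        proto = protocol_of(criteria)
        if "ALL" in state:
            unreachable.append((table, chain, line, "follows an unconditional terminating rule"))
        elif proto is not None and proto in state:
            unreachable.append((table, chain, line, f"follows a terminating rule for all {proto} traffic"))
        elif target in TERMINAL_TARGETS:
            if not criteria:
                state.add("ALL")
            elif len(criteria) == 2 and proto is not None:  # exactly "-p PROTO"
                state.add(proto)
    return unreachable


if __name__ == "__main__":
    # Audit live rules with `iptables-save | python3 audit_rules.py`; with no piped input, audit the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for table, chain, line, reason in find_unreachable(text):
        print(f"[{table}/{chain}] {reason}:\n    {line}")
```

On the sample it reports two rules: the `--tcp-flags RST RST` drop, which sits behind `-p tcp -j REJECT`, and the connlimit rule behind the final unconditional REJECT. The check is deliberately conservative: it only treats a rule as terminating when it has no criteria at all or exactly a plain `-p PROTO`, so rules shadowed by more specific earlier matches are not reported, and RETURN, LOG and user-chain targets are never treated as terminating.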

DDOS Deflate

I have had some success with this https://github.com/jgmdev/ddos-deflate
