Install iptables firewall
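#!/usr/bin/env bash
# iptables
#
# Installs iptables-persistent and applies a basic IPv4 INPUT ruleset:
# loopback and reply traffic accepted, malformed and flood traffic dropped,
# SSH/HTTP/HTTPS accepted, everything else dropped by chain policy. The
# rules are then saved so they survive a reboot.
#
# NOTE: only the IPv4 tables are touched. ip6tables is left as-is, so a host
# with a public IPv6 address stays unfiltered on IPv6 after this script.
# NOTE: re-running appends duplicate rules to INPUT/FORWARD/OUTPUT; flush
# those chains first (sudo iptables -F) if you need to re-apply.
set -euo pipefail

printf "Installing iptables-persistent..."
sudo apt-get update
sudo apt-get install iptables-persistent

printf "Setting basic rules...\n"
# sudo iptables -I INPUT -p tcp -s 10.1.1.2 --dport 22 -j ACCEPT -m comment --comment "Filter traffic to specific ip address"

# Loopback and replies to connections this host opened go first, so DNS
# answers, ICMP errors for our own flows, etc. never reach the flood chains.
sudo iptables -I INPUT 1 -i lo -j ACCEPT -m comment --comment "accept loopback stuff"
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "keep active connections"

# Sensible stuff
# A segment with every TCP flag set ("XMAS" scan) is never legitimate.
sudo iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "Syn-flood attack" -j DROP
# A NEW connection must open with a bare SYN; anything else is bogus.
sudo iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "Drop Empty packets" -j DROP

# Stop smurf attacks: drop the ICMP queries that leak host/network details.
# Remaining ICMP is not dropped outright here; the icmp_flood chain below
# rate-limits it instead, so PMTU discovery and ping still work.
sudo iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
sudo iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP

# Drop all invalid packets
sudo iptables -A INPUT -m state --state INVALID -j DROP
sudo iptables -A FORWARD -m state --state INVALID -j DROP
sudo iptables -A OUTPUT -m state --state INVALID -j DROP

# Anyone who tried to portscan us is locked out for an entire day.
# NOTE: nothing in this script adds sources to the "portscan" recent list
# (there is no --set), so these two rules only take effect once a
# detection rule elsewhere populates that list.
sudo iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
sudo iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# ICMP flood: pass 1 packet/s with a burst of 3, drop the rest.
# -N fails if the chain already exists (re-run); flush it instead.
sudo iptables -N icmp_flood 2>/dev/null || sudo iptables -F icmp_flood
sudo iptables -A INPUT -p icmp -j icmp_flood
sudo iptables -A icmp_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
sudo iptables -A icmp_flood -j DROP

# UDP flood: per-source limit of 10 new packets per second via the
# "recent" module. --set records the source, --update then matches once
# that source has reached the hit count inside the window, so the DROP
# rule fires on the flooder and everything else RETURNs to INPUT.
sudo iptables -N udp_flood 2>/dev/null || sudo iptables -F udp_flood
sudo iptables -A INPUT -p udp -j udp_flood
sudo iptables -A udp_flood -m state --state NEW -m recent --name udp_flood --set
sudo iptables -A udp_flood -m state --state NEW -m recent --name udp_flood --update --seconds 1 --hitcount 10 -j DROP
sudo iptables -A udp_flood -j RETURN

# Accept these
# SSH is accepted from any source here; to restrict it, add -s <cidr> as in
# the commented example near the top.
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "limit ssh access"
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "accept traffic to 80 port"
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "accept traffic to SSL port"

# Drop anything else. -P sets the chain policy and does not take match
# extensions, so no -m comment here.
sudo iptables -P INPUT DROP

printf "Installed \n"
sudo iptables -L --line-numbers
printf "Persisting...\n"
# netfilter-persistent ships with iptables-persistent on 16.04 and later;
# older releases only have the iptables-persistent init script. Probing
# for the command avoids the unquoted lsb_release comparison and also
# covers releases newer than 16.04.
if command -v netfilter-persistent >/dev/null 2>&1; then
  sudo netfilter-persistent save
else
  sudo invoke-rc.d iptables-persistent save
fi
printf "Done"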