Created
March 2, 2012 15:04
-
-
Save petrilli/1959001 to your computer and use it in GitHub Desktop.
Core iptables ruleset
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *filter | |
| ############################## | |
| # Chains | |
| ############################## | |
| -N ICMP_IN | |
| -N ICMP_OUT | |
| -N SPOOF_LOG_DROP | |
| -N SPOOF_IN | |
| -N SPOOF_OUT | |
| -N BAD_TCP_FLAGS | |
| ############################## | |
| # ICMP filters | |
| # Only allow outgoing ICMP requests. All incoming requests are dropped without | |
| # comment. | |
| ############################## | |
| # Drop echo request | |
| -A ICMP_IN -p icmp --icmp-type 8 -j DROP | |
| # Drop echo reply if not part of an existing request | |
| -A ICMP_IN -p icmp -i eth0 --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Drop destination unreachable if not part of an existing request | |
| -A ICMP_IN -p icmp -i eth0 --icmp-type 3 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Drop time exceeded (TTL) if not part of an existing request | |
| -A ICMP_IN -p icmp -i eth0 --icmp-type 11 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Drop everything else ICMP related coming in | |
| -A ICMP_IN -p icmp -i eth0 -j DROP | |
| # Allow echo request (ping) to leave | |
| -A ICMP_OUT -p icmp -o eth0 --icmp-type 8 -m state --state NEW -j ACCEPT | |
| # Drop all other ICMP leaving | |
| -A ICMP_OUT -p icmp -o eth0 -j DROP | |
| # Attach to the main chains | |
| -A INPUT -p icmp -j ICMP_IN | |
| -A OUTPUT -p icmp -j ICMP_OUT | |
| ############################# | |
| # Spoofing | |
| # Try and catch anything too bogus coming in and also stop this host from being | |
| # a launching point for bogus traffic. See RFC3330 for more information on | |
| # many of these | |
| ############################## | |
| # Set up the logging | |
| -A SPOOF_LOG_DROP -j LOG --log-prefix "IPT: spoofed " | |
| -A SPOOF_LOG_DROP -j DROP | |
| # Don't allow our own address to show up as the source of incoming traffic | |
| -A SPOOF_IN -i eth0 -s <MYIP> -j SPOOF_LOG_DROP | |
| # Block all RFC1918 addresses | |
| -A SPOOF_IN -i eth0 -s 10.0.0.0/8 -j SPOOF_LOG_DROP | |
| -A SPOOF_IN -i eth0 -s 172.16.0.0/12 -j SPOOF_LOG_DROP | |
| -A SPOOF_IN -i eth0 -s 192.168.0.0/16 -j SPOOF_LOG_DROP | |
| # Block all benchmark networks - see RFC2544 | |
| -A SPOOF_IN -i eth0 -s 198.18.0.0/15 -j SPOOF_LOG_DROP | |
| # Block all link local traffic | |
| -A SPOOF_IN -i eth0 -s 169.254.0.0/16 -j SPOOF_LOG_DROP | |
| # Block TEST-NET - should never show up on the Internet | |
| -A SPOOF_IN -i eth0 -s 192.0.2.0/24 -j SPOOF_LOG_DROP | |
| # Block Class D (multicast) addresses | |
| -A SPOOF_IN -i eth0 -s 224.0.0.0/4 -j SPOOF_LOG_DROP | |
| # Block Class E (reserved) addresses | |
| -A SPOOF_IN -i eth0 -s 240.0.0.0/4 -j SPOOF_LOG_DROP | |
| # Block loopback/zero/broadcast from showing up | |
| -A SPOOF_IN -i eth0 -s 127.0.0.0/8 -j SPOOF_LOG_DROP | |
| -A SPOOF_IN -i eth0 -s 0.0.0.0/8 -j SPOOF_LOG_DROP | |
| -A SPOOF_IN -i eth0 -s 255.255.255.255/32 -j SPOOF_LOG_DROP | |
| # Block all outgoing traffic that isn't from my normal address | |
| -A SPOOF_OUT -i eth0 -s ! <MYIP> -j SPOOF_LOG_DROP | |
| # Attach to the main chains | |
| -A INPUT -j SPOOF_IN | |
| -A OUTPUT -j SPOOF_OUT | |
| ############################## | |
| # TCP Flags | |
| # These flags are used either for malicious behavior, or simply to probe the | |
| # system using nmap/etc. There's no reason to honor them or do anything at | |
| # all. We don't use the SPOOF_LOG_DROP trick here because we want to record | |
| # the exact flags that are showing up. | |
| ############################## | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "IPT: Bad SF flag " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPT: Bad SR flag " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j LOG --log-prefix "IPT: Bad SFP flag " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j DROP | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j LOG --log-prefix "IPT: Bad SFR flag " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j DROP | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j LOG --log-prefix "IPT: Bad SFRP flag " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j DROP | |
| # FIN is set without the required accompanying ACK | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "IPT: Bad F-A flag " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j DROP | |
| # PSH is set without the required accompanying ACK | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "IPT: Bad P-A flag " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ACK,PSH PSH -j DROP | |
| # URG is set without the required accompanying ACK | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "IPT: Bad U-A flag " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ACK,URG URG -j DROP | |
| # Null or all flags | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "IPT: Null flag " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ALL NONE -j DROP | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "IPT: All flags " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ALL ALL -j DROP | |
| # Xmas flags | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "IPT: Xmas flags " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "IPT: Merry Xmas flags " | |
| -A BAD_TCP_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP | |
| # Attach to the main chains | |
| -A INPUT -p tcp -j BAD_TCP_FLAGS | |
| ############################## | |
| # LOOPBACK traffic | |
| # We allow everything on the loopback interface. This is useful for both local | |
| # servers (such as databases), but also for SSH tunneled information. | |
| ############################## | |
| # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT | |
| ############################## | |
| # ESTABLISHED traffic | |
| # Accepts all established inbound connections | |
| ############################## | |
| -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| ############################## | |
| # OUTBOUND traffic | |
| # Allows all outbound traffic. This can be changed to only allow very specific | |
| # traffic to originate if you want. | |
| ############################## | |
| -A OUTPUT -j ACCEPT | |
| ############################## | |
| # APPLICATION traffic | |
| # This covers specific applications in use. | |
| ############################## | |
| # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) | |
| -A INPUT -p tcp --dport 80 -j ACCEPT | |
| -A INPUT -p tcp --dport 443 -j ACCEPT | |
| # Allows SSH connections | |
| # Make sure the port matches what you have in sshd.conf | |
| -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |
| ############################## | |
| # LOGGING | |
| ############################## | |
| # Limit the logging of iptables denied calls | |
| -A INPUT -m limit --limit-burst 100 --limit 60/min -j LOG --log-prefix "IPT: denied " --log-level 7 | |
| ############################## | |
| # BASE POLICY | |
| ############################## | |
| # Reject all other inbound - default deny unless explicitly allowed policy | |
| -A INPUT -j REJECT | |
| # Reject all traffic that is attempting to be forwarded | |
| -A FORWARD -j REJECT | |
| COMMIT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment