Created
December 22, 2011 21:40
-
-
Save potem/1511984 to your computer and use it in GitHub Desktop.
Basic IPTables server firewall
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This script is a basic IPTables server firewall with defenses against some | |
| # of the most common attack types. | |
| # | |
| # Basically you just have to add/remove ports in the first part of this script | |
| # and you should be ready to go. | |
| # | |
| # Help, comments and improvements always appreciated, also, feel free to | |
| # use, change and distribute. Cheers | |
| ip=/usr/sbin/iptables | |
| # basic setup, chains | |
| $ip --flush | |
| $ip --delete-chain | |
| $ip -P OUTPUT DROP | |
| $ip -P INPUT DROP | |
| $ip -P FORWARD DROP | |
| # SSH | |
| $ip -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh | |
| $ip -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --rttl --name ssh -j DROP | |
| $ip -A INPUT -p tcp --dport 22 -m limit --limit 2/s -j ACCEPT | |
| $ip -A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 5 -j DROP | |
| # HTTP | |
| $ip -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT | |
| $ip -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT | |
| # DNS lookups | |
| $ip -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT | |
| # loopback device | |
| $ip -A INPUT -i lo -j ACCEPT | |
| $ip -A OUTPUT -o lo -j ACCEPT | |
| # already established in-/outgoing connections | |
| $ip -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| $ip -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| # log and ban portscans | |
| $ip -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP | |
| $ip -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP | |
| $ip -A INPUT -m recent --name portscan --remove | |
| $ip -A FORWARD -m recent --name portscan --remove | |
| $ip -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:" | |
| $ip -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP | |
| $ip -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:" | |
| $ip -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP | |
| # drop LAN/Multicast IP's (RFC1918) | |
| $ip -A INPUT -s 10.0.0.0/8 -j DROP | |
| $ip -A INPUT -s 169.254.0.0/16 -j DROP | |
| $ip -A INPUT -s 172.16.0.0/12 -j DROP | |
| $ip -A INPUT -s 127.0.0.0/8 -j DROP | |
| $ip -A INPUT -s 224.0.0.0/4 -j DROP | |
| $ip -A INPUT -d 224.0.0.0/4 -j DROP | |
| $ip -A INPUT -s 240.0.0.0/5 -j DROP | |
| $ip -A INPUT -d 240.0.0.0/5 -j DROP | |
| $ip -A INPUT -s 0.0.0.0/8 -j DROP | |
| $ip -A INPUT -d 0.0.0.0/8 -j DROP | |
| $ip -A INPUT -d 239.255.255.0/24 -j DROP | |
| $ip -A INPUT -d 255.255.255.255 -j DROP | |
| # drop broadcast and multicast packets | |
| $ip -A INPUT -m pkttype --pkt-type broadcast -j DROP | |
| $ip -A INPUT -m pkttype --pkt-type multicast -j DROP | |
| # drop INVALID packets | |
| $ip -A INPUT -m state --state INVALID -j DROP | |
| $ip -A FORWARD -m state --state INVALID -j DROP | |
| $ip -A OUTPUT -m state --state INVALID -j DROP | |
| # limit RST packets | |
| $ipt -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT | |
| # block syn flood | |
| $ip -A INPUT -p tcp --syn -m limit --limit 3/s -j ACCEPT | |
| $ip -A INPUT -p tcp --syn -j DROP | |
| # everything has to start with SYN | |
| $ip -A INPUT -p tcp ! --syn -m state --state NEW -j DROP | |
| # block smurf attacks | |
| $ip -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP | |
| $ip -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP | |
| # limit ICMP packets | |
| $ip -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT | |
| # allow ping | |
| $ip -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | |
| # block fragmented packets | |
| $ip -A INPUT -f -j DROP | |
| # block oversized unfragmented packets | |
| $ip -t raw -A PREROUTING -p icmp -m length --length 1492:65535 -j DROP | |
| # defend against SYN-FIN, SYN-RST, X-Mas, nmap FIN, NULLflags and ALLflags attacks | |
| $ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP | |
| $ip -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
| $ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP | |
| $ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP | |
| $ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP | |
| $ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Kernel sysctl configuration | |
| # | |
| # Disables packet forwarding | |
| net.ipv4.ip_forward = 0 | |
| # Disables IP source routing | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.lo.accept_source_route = 0 | |
| net.ipv4.conf.eth0.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Enable IP spoofing protection, turn on source route verification | |
| net.ipv4.conf.all.rp_filter = 1 | |
| net.ipv4.conf.lo.rp_filter = 1 | |
| net.ipv4.conf.eth0.rp_filter = 1 | |
| net.ipv4.conf.default.rp_filter = 1 | |
| # Disable ICMP Redirect Acceptance | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.lo.accept_redirects = 0 | |
| net.ipv4.conf.eth0.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.conf.lo.log_martians = 1 | |
| net.ipv4.conf.eth0.log_martians = 1 | |
| # Disables the magic-sysrq key | |
| kernel.sysrq = 0 | |
| # Decrease the time default value for tcp_fin_timeout connection | |
| net.ipv4.tcp_fin_timeout = 10 | |
| # Decrease the time default value for tcp_keepalive_time connection | |
| net.ipv4.tcp_keepalive_time = 1800 | |
| # Turn off the tcp_window_scaling | |
| net.ipv4.tcp_window_scaling = 0 | |
| # Turn off the tcp_sack | |
| net.ipv4.tcp_sack = 0 | |
| # Turn off the tcp_timestamps | |
| net.ipv4.tcp_timestamps = 0 | |
| # Enable TCP SYN Cookie Protection | |
| net.ipv4.tcp_syncookies = 1 | |
| # Enable ignoring broadcasts request | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Enable bad error message Protection | |
| net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
| # Log Spoofed Packets, Source Routed Packets, Redirect Packets | |
| net.ipv4.conf.all.log_martians = 1 | |
| # Increases the size of the socket queue (effectively, q0). | |
| net.ipv4.tcp_max_syn_backlog = 1024 | |
| # Increase the tcp-time-wait buckets pool size | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| # Allowed local port range | |
| net.ipv4.ip_local_port_range = 16384 65536 | |
| # protect against tcp time-wait assassination hazards | |
| # drop RST packets for sockets in the time-wait state | |
| # (not widely supported outside of linux, but conforms to RFC) | |
| net.ipv4.tcp_rfc1337 = 1 | |
| # send redirects (not a router, disable it) | |
| net.ipv4.conf.all.send_redirects = 0 | |
| # ICMP routing redirects (only secure) | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.all.secure_redirects = 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment