@robertbanh
Created May 3, 2012 04:41
iptables
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT
# Block an IP (a source block must come before the ACCEPT rules, or the
# accepted ports stay reachable from that address)
#-A INPUT -s xxx.xxx.x.x -j DROP
# Drop TCP packets that try to open a new connection without a SYN
# (invalid, unknown or spoofed sessions)
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Accept packets that belong to an already established connection, or are
# related to one (e.g. ICMP errors for it)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept important ICMP types:
# 0 echo reply, 3 destination unreachable, 4 source quench, 8 echo request,
# 11 time exceeded, 12 parameter problem
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
# Optional rate limit for a service (left commented out). It must come BEFORE
# the multiport ACCEPT for the same port, otherwise no packet ever reaches it.
# -m limit: uses the limit match extension (a token bucket)
# --limit 25/minute: once the burst is used up, at most 25 new connections
#   per minute are accepted
# --limit-burst 100: the first 100 connections are accepted immediately; the
#   per-minute limit is only enforced after that. Connections over the limit
#   fall through to the rules below and, if nothing else matches, to the
#   DROP policy of the chain.
#-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Accept known services, from any source:
# 22 - ssh
# 25 - smtp (sendmail or postfix)
# 80, 443 - http/https
# 465, 587 - smtps / mail submission
# 993, 995 - imaps / pop3s
# 53, 5353 - DNS, mDNS (udp)
# 3306 - mysql, restricted to one subnet by its own rule below
-A INPUT -p tcp -m tcp -m multiport --dports 22,25,80,443,465,587,993,995 -j ACCEPT
-A INPUT -p udp -m udp -m multiport --dports 53,5353 -j ACCEPT
# Allow MySQL connections only from a specific subnet (ESTABLISHED is already
# accepted above, so NEW alone would be enough)
-A INPUT -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# Log what is about to be dropped by the INPUT policy, rate-limited to 5 lines
# per minute. This must be the LAST rule in the chain: anything accepted after
# it would be logged as "denied" too. Log level 7 is debug, so make sure the
# syslog daemon is configured to record kernel debug messages.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
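Two mistakes are easy to make when rules are appended at the bottom of a file like this one: placing an ACCEPT after the catch-all LOG rule (so allowed traffic is logged as "denied"), and appending a port rule, such as the commented-out port-80 rate limit, after a multiport ACCEPT that already covers the port (so it never matches). The following checker is an added example, not part of the original gist. It parses iptables-save text and reports both problems; GIST_RULES is the gist's INPUT chain embedded as constructed test input (ICMP rules trimmed to one), with the MySQL rule still after the LOG rule as in the original.

```python
"""Ordering checks for an iptables-save style ruleset (added example, not
part of the original gist).

check_order() reports two ordering problems in the INPUT chain:
  * 'accept_after_log': an ACCEPT rule after a catch-all LOG rule (a rule
    whose only match is '-m limit'), so permitted traffic is logged as denied;
  * 'shadowed_by': a TCP/UDP port rule that an earlier, unrestricted ACCEPT
    for the same protocol already covers, so it can never match.
"""
import shlex

# Constructed test input: the gist's INPUT chain, MySQL rule after the LOG rule.
GIST_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 22,25,80,443,465,587,993,995 -j ACCEPT
-A INPUT -p udp -m udp -m multiport --dports 53,5353 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed variant: the gist's commented-out port-80 rate-limit rule
# appended after the multiport ACCEPT, where no packet can ever reach it.
SHADOWED_RULES = GIST_RULES.replace(
    "COMMIT",
    "-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT\n"
    "COMMIT")

# The gist's rules with the catch-all LOG rule moved to the end of the chain.
_LOG_RULE = next(l for l in GIST_RULES.splitlines() if "-j LOG" in l)
FIXED_RULES = GIST_RULES.replace(_LOG_RULE + "\n", "").replace(
    "COMMIT", _LOG_RULE + "\nCOMMIT")

# Options that restrict which packets a rule matches. Anything else (-m limit,
# -j, --log-prefix, ...) leaves the rule matching every packet that reaches it.
SELECTIVE = {"-p", "-s", "-d", "-i", "-o", "--sport", "--sports", "--dport",
             "--dports", "--state", "--ctstate", "--icmp-type", "--syn",
             "--mac-source"}


def parse_input_rules(text, chain="INPUT"):
    """Return the '-A <chain>' rules of an iptables-save file, in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith(f"-A {chain} "):
            continue  # table header, policies, comments, other chains, COMMIT
        toks = shlex.split(line)
        rule = {"line": lineno, "text": line, "proto": None, "src": None,
                "iface": None, "state": None, "ports": frozenset(),
                "target": None, "selective": any(t in SELECTIVE for t in toks)}
        for i, tok in enumerate(toks[:-1]):
            val = toks[i + 1]
            if tok == "-p":
                rule["proto"] = val
            elif tok == "-s":
                rule["src"] = val
            elif tok == "-i":
                rule["iface"] = val
            elif tok == "-j":
                rule["target"] = val
            elif tok in ("--state", "--ctstate"):
                rule["state"] = val
            elif tok in ("--dport", "--dports"):
                rule["ports"] = frozenset(int(p) for p in val.split(","))
        rules.append(rule)
    return rules


def check_order(text):
    """Return (kind, offending_line, related_line) findings for the INPUT chain.

    related_line is the LOG rule for 'accept_after_log' and the earlier
    ACCEPT that already covers the ports for 'shadowed_by'.
    """
    rules = parse_input_rules(text)
    findings = []
    log = next((r for r in rules if r["target"] == "LOG" and not r["selective"]), None)
    for idx, rule in enumerate(rules):
        if log and rule["line"] > log["line"] and rule["target"] == "ACCEPT":
            findings.append(("accept_after_log", rule["line"], log["line"]))
        if rule["ports"] and rule["target"] == "ACCEPT":
            for earlier in rules[:idx]:
                # An earlier ACCEPT with no ports at all covers every port.
                if (earlier["target"] == "ACCEPT" and earlier["proto"] == rule["proto"]
                        and earlier["src"] is None and earlier["iface"] is None
                        and earlier["state"] is None
                        and (not earlier["ports"] or earlier["ports"] >= rule["ports"])):
                    findings.append(("shadowed_by", rule["line"], earlier["line"]))
                    break
    return findings


if __name__ == "__main__":
    for name, text in (("gist", GIST_RULES), ("shadowed", SHADOWED_RULES),
                       ("fixed", FIXED_RULES)):
        print(f"{name}: {check_order(text) or 'no ordering problems'}")
```

Run against the live ruleset with `iptables-save | python3 check_order.py` after swapping the constants for `sys.stdin.read()`; the checker only models `-p`, `-s`, `-i`, state and destination-port matches, so a rule restricted by something else (e.g. `-m mac`) is treated conservatively as selective and never reported as shadowing.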