Create a gist now

Instantly share code, notes, and snippets.

@skl /rules.v4
Last active Dec 16, 2015

What would you like to do?
iptables base firewall
# usgae: iptables-restore < firewall.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [606:306949]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Reject packets from RFC1918 class networks (i.e., spoofed)
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# Allow most ICMP packets to be received (so people can check our
# presence), but restrict the flow to avoid ping flood attacks
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
# Drop invalid packets immediately
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# Drop bogus TCP packets
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Drop excessive RST packets to avoid SMURF attacks, by given the
# next real data packet in the sequence a better chance to arrive first.
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# Protect against SYN floods by rate limiting the number of new
# connections from any host to 60 per second. This does *not* do rate
# limiting overall, because then someone could easily shut us down by
# saturating the limit.
#-A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
#-A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
# The above doesn't seem to work?
# Anyone who tried to portscan us is locked out for an entire day.
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Once the day has passed, remove them from the portscan list
-A INPUT -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove
# These rules add scanners to the portscan list, and log the attempt.
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
# Allow SSH from LAN
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
# Allow web traffic
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Drop everything else
-A INPUT -j DROP
COMMIT
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment