Created
July 6, 2017 12:53
-
-
Save spuzirev/e1230b366ea7428c6b170fb88df290e8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| $IPT=/sbin/iptables | |
| ################# | |
| # GENERIC INPUT # | |
| ################# | |
| $IPT --policy INPUT DROP | |
| # Drop invalid | |
| $IPT --append INPUT --match conntrack --ctstate INVALID --jump DROP | |
| # Drop invalid SYN packets | |
| $IPT --append INPUT --protocol tcp --tcp-flags ALL ACK,RST,SYN,FIN --jump DROP | |
| $IPT --append INPUT --protocol tcp --tcp-flags SYN,FIN SYN,FIN --jump DROP | |
| $IPT --append INPUT --protocol tcp --tcp-flags SYN,RST SYN,RST --jump DROP | |
| # Make sure NEW incoming TCP-connections are SYN packets; otherwise we need to drop them | |
| $IPT --append INPUT --protocol tcp ! --syn --match conntrack --ctstate NEW --jump DROP | |
| # DROP Packets with incoming fragments. This attack result into Linux server panic such data loss | |
| $IPT --append INPUT --fragment --jump DROP | |
| # DROP incoming malformed XMAS packets | |
| $IPT --append INPUT --protocol tcp --tcp-flags ALL ALL --jump DROP | |
| # DROP incoming malformed NULL packets | |
| $IPT --append INPUT --protocol tcp --tcp-flags ALL NONE --jump DROP | |
| # Local traffic | |
| $IPT --append INPUT --in-interface lo --jump ACCEPT | |
| # ICMP traffic | |
| $IPT --append INPUT --protocol icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT | |
| $IPT --append INPUT --protocol icmp --icmp-type 3 -m conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT | |
| $IPT --append INPUT --protocol icmp --icmp-type 4 -m conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT | |
| $IPT --append INPUT --protocol icmp --icmp-type 0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT | |
| # Allow only ESTABLISHED, RELATED | |
| $IPT --append INPUT --protocol tcp --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT | |
| $IPT --append INPUT --protocol udp --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT | |
| # End of GENERIC INPUT | |
| ################## | |
| # GENERIC OUTPUT # | |
| ################## | |
| $IPT --policy OUTPUT DROP | |
| # DROP INVALID | |
| $IPT --append OUTPUT --match conntrack --ctstate INVALID --jump DROP | |
| # DROP invalid SYN packets | |
| $IPT --append OUTPUT --protocol tcp --tcp-flags ALL ACK,RST,SYN,FIN --jump DROP | |
| $IPT --append OUTPUT --protocol tcp --tcp-flags SYN,FIN SYN,FIN --jump DROP | |
| $IPT --append OUTPUT --protocol tcp --tcp-flags SYN,RST SYN,RST --jump DROP | |
| # Make sure NEW outgoing TCP-connections are SYN packets; otherwise we need to drop them | |
| $IPT --append OUTPUT --protocol tcp ! --syn --match conntrack --ctstate NEW --jump DROP | |
| # DROP packets with outgoing fragments. This attack result into Linux server panic such data loss | |
| $IPT --append OUTPUT --fragment --jump DROP | |
| # DROP outgoing malformed XMAS packets | |
| $IPT --append OUTPUT --protocol tcp --tcp-flags ALL ALL --jump DROP | |
| # DROP outgoing malformed NULL packets | |
| $IPT --append OUTPUT --protocol tcp --tcp-flags ALL NONE --jump DROP | |
| # Accept local traffic | |
| $IPT --append OUTPUT --out-interface lo --jump ACCEPT | |
| # ACCEPT NEW,RELATED,ESTABLISHED | |
| $IPT --append OUTPUT --match conntrack --ctstate NEW,RELATED,ESTABLISHED --jump ACCEPT | |
| # End of GENERIC OUTPUT | |
| ################ | |
| # CUSTOM RULES # | |
| ################ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment