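#thanks to /u/dagger0 for the updates
#adding ssh brute force checks
#
# IPv6 input/forward filter for a RouterOS box whose upstream is the
# interface "sit1" (named like a 6in4 tunnel; confirm on the device) and
# whose inside interface is named "LAN". Both names are site-specific:
# make them match /interface print before importing, otherwise the
# "Allow local network" and "Allow any to internet" rules match nothing
# and every non-established packet falls through to the reject rules.
#
# Rule order matters: each chain is evaluated top to bottom and stops at
# the first terminating action (accept/drop/reject). add-src-to-address-list
# is a passthrough action, so a packet keeps going after being listed.
/ipv6 firewall filter
# --- input chain: packets addressed to the router itself ---
add chain=input action=accept comment="Allow established connections" connection-state=established
add chain=input action=accept comment="Allow related connections" connection-state=related
# ICMPv6 is mandatory on IPv6 (neighbour discovery, RA, PMTUD), so it is
# accepted from every interface here. There is no rate limit on it.
add chain=input action=accept comment="Allow ICMP" protocol=icmpv6
add chain=input action=reject comment="Reject invalid packets" connection-state=invalid
add chain=input action=accept comment="Allow lo" in-interface=lo
# Everything arriving on the inside interface is trusted, SSH included, so
# LAN hosts never reach the brute-force rules below and cannot be blacklisted.
add chain=input action=accept comment="Allow local network" in-interface=LAN
# Management hosts are exempt from the brute-force staging below. ssh_allow
# is empty until you populate it (/ipv6 firewall address-list add
# list=ssh_allow address=...); an empty list matches nothing, so this rule
# is a no-op until then and does not change the original behaviour.
add chain=input action=accept comment="Allow SSH from management hosts" dst-port=22 protocol=tcp src-address-list=ssh_allow
# Only new SSH connections get this far: established/related were accepted
# and invalid rejected above. trying_to_login is an audit list only;
# no rule matches on it.
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input dst-port=22 protocol=tcp comment="list IP's who try remote login"
# Brute-force staging: a source climbs one stage per new SSH connection
# (stage1 -> stage2 -> stage3, each entry lives 1h) and its 4th new
# connection inside that window puts it on ssh_blacklist for 10 days
# (1w3d). This counts connection attempts, not failed logins, so an admin
# who reconnects a few times in an hour from an address not on ssh_allow
# locks themselves out; clear with /ipv6 firewall address-list remove.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h chain=input connection-state=new dst-port=22 protocol=tcp
# SSH is accepted from any interface, the tunnel included, so port 22 is
# reachable from the whole IPv6 internet; the staging above is the only
# throttle. Pair it with key-only authentication on the SSH service, or
# restrict this rule with in-interface=LAN / src-address-list=ssh_allow
# if remote shell access is not actually needed.
add chain=input action=accept comment="Allow SSH to router" protocol=tcp dst-port=22
# Default deny. These reject rather than drop, so the router answers
# unsolicited probes with a TCP RST / ICMPv6 admin-prohibited instead of
# staying silent; switch to action=drop if that disclosure is unwanted.
add chain=input action=reject comment="Reject TCP connections by default" protocol=tcp reject-with=tcp-reset
add chain=input action=reject comment="Reject other protocols by default" reject-with=icmp-admin-prohibited
# --- forward chain: packets routed through the router (LAN <-> sit1) ---
add chain=forward action=accept comment="Allow established connections" connection-state=established
add chain=forward action=accept comment="Allow related connections" connection-state=related
add chain=forward action=accept comment="Allow ICMP" protocol=icmpv6
add chain=forward action=reject comment="Reject invalid packets" connection-state=invalid
# The only path for new connections is outbound via sit1. Nothing new is
# accepted from sit1 toward inside hosts, so globally routable LAN
# addresses are not exposed; to publish a service, add an explicit
# forward accept (dst-address + dst-port) ahead of the two reject rules.
add chain=forward action=accept comment="Allow any to internet" out-interface=sit1
add chain=forward action=reject comment="Reject TCP connections by default" protocol=tcp reject-with=tcp-reset
add chain=forward action=reject comment="Reject other protocols by default" reject-with=icmp-admin-prohibited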