Created October 27, 2016 12:03
Simple Starter Iptables with Security: Centos 7 Network Hardening: How to Protect Your Server from Basic Network Attacks using IPTABLES Firewall | http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
# ----------------------------
# /etc/sysconfig/iptables
# Basic iptables initial rules for servers
# Protects from common attacks and opens up service ports to incoming connections
#
# Load with "iptables-restore < /etc/sysconfig/iptables", or on CentOS 7 with the
# iptables-services package (firewalld disabled) via "systemctl restart iptables".
# Syntax-check a new version first with "iptables-restore --test < file".
#
# See http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
#
# Supratim Sanyal <supratim at riseup dot net>
# ----------------------------
*filter
# Chain policies stay ACCEPT; the explicit REJECT rules at the end of INPUT and FORWARD
# are what close the host, so a flushed table means an open host. Reload this file
# rather than flushing by hand.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
# ---
# Basic network security - drop non-first IP fragments, NULL scans, Christmas Tree
# (all-flags) scans, and new TCP connections that do not begin with a SYN
# (ACK/FIN stealth scans and spoofed mid-stream segments) - Supratim Sanyal
# See http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
# Each of these is inserted at position 1, so the loaded chain holds them in reverse
# order (the "! --syn" rule ends up first); all four sit ahead of every ACCEPT below.
# None of them limits the rate of SYNs, so they are not a SYN-flood defence.
# ---
# -f matches second and later fragments only. With connection tracking loaded (it is,
# because of -m state) IPv4 packets are reassembled before the filter table sees them,
# so this rule is a fallback rather than the main protection.
-I INPUT 1 -f -j DROP
# NULL scan: no TCP flags set at all
-I INPUT 1 -p tcp --tcp-flags ALL NONE -j DROP
# Christmas Tree scan: every TCP flag set
-I INPUT 1 -p tcp --tcp-flags ALL ALL -j DROP
# A TCP packet conntrack has not seen before must be a SYN; anything else is a scan,
# a spoof, or a leftover from a connection this host no longer tracks
-I INPUT 1 -p tcp ! --syn -m state --state NEW -j DROP
#
# ---
# Accept packets belonging to connections this host already knows about: replies to
# connections it initiated, and RELATED traffic such as ICMP errors for those flows
# ---
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# ---
# Allow all ICMP. Replies to our own pings are already covered by ESTABLISHED above;
# this rule is what lets the host answer incoming echo requests, and it also accepts
# every other ICMP type. Use "-p icmp --icmp-type echo-request" to accept ping only.
# ---
-A INPUT -p icmp -j ACCEPT
#
# ---
# Allow all traffic on localhost
# ---
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# ---
# Open up incoming connections to servers on this box
# (each rule is open to the whole Internet; add "-s <trusted CIDR>" to any service
# that should only be reachable from known addresses)
# ---
#
# HECNET
-A INPUT -p udp -m udp --dport 4711 -j ACCEPT
#
# SSH
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#
# Proxy Server
-A INPUT -p tcp -m tcp --dport 12345 -j ACCEPT
#
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
#
# ---
# Reject all other incoming and forwarding requests. icmp-host-prohibited makes
# legitimate clients fail fast instead of timing out; use DROP if you prefer silence.
# ---
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
# ---
# The End
# ---
#
COMMIT
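As an added example (not code from the gist or the linked blog post), the Python script below parses a copy of the rule lines above, applies the -I/-A ordering the way iptables-restore does, and walks constructed packets through the INPUT chain so you can see which rule decides each case before loading the file on a host. It models only the matches this file uses (protocol, interface, fragment flag, TCP flags, conntrack state, destination port), takes the conntrack state as an input rather than computing it, and its function names and sample packets are the example's own.

```python
# Constructed copy of the rule lines from the file above (comments stripped); added example.
RULESET = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-I INPUT 1 -f -j DROP
-I INPUT 1 -p tcp --tcp-flags ALL NONE -j DROP
-I INPUT 1 -p tcp --tcp-flags ALL ALL -j DROP
-I INPUT 1 -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p udp -m udp --dport 4711 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12345 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
# ALL, NONE or a comma list, as --tcp-flags takes them
_flagset = lambda s: set(TCP_FLAGS) if s == "ALL" else set() if s == "NONE" else set(s.split(","))

# option -> (check kind, tokens consumed, converter); only what this file uses is modelled
OPTIONS = {
    "-p": ("proto", 1, lambda a: a[0]),
    "-i": ("iface", 1, lambda a: a[0]),
    "-o": ("iface", 1, lambda a: a[0]),
    "-f": ("frag", 0, lambda a: None),
    "--tcp-flags": ("tcpflags", 2, lambda a: (_flagset(a[0]), _flagset(a[1]))),
    "--syn": ("tcpflags", 0, lambda a: ({"SYN", "RST", "ACK", "FIN"}, {"SYN"})),  # iptables' shorthand
    "--state": ("state", 1, lambda a: set(a[0].split(","))),
    "--dport": ("dport", 1, lambda a: int(a[0])),
    "-j": ("target", 1, None),
    "-m": (None, 1, None),             # match-module load: no test of its own
    "--reject-with": (None, 1, None),  # reject type: irrelevant to the verdict
}

def parse_rule(argv):
    """Tokens after '-A CHAIN' / '-I CHAIN N' -> checks [(kind, negated, arg)] plus target."""
    rule, i = {"text": " ".join(argv), "checks": [], "target": None}, 0
    while i < len(argv):
        negate = argv[i] == "!"
        i += negate                        # step over the '!' token
        kind, n, conv = OPTIONS[argv[i]]   # KeyError for anything this evaluator does not model
        args = argv[i + 1:i + 1 + n]
        if kind == "target":
            rule["target"] = args[0]
        elif kind:
            rule["checks"].append((kind, negate, conv(args)))
        i += 1 + n
    return rule

def parse_ruleset(text):
    """{chain: {'policy', 'rules'}}; -A appends, -I CHAIN N inserts at 1-based N (always given here)."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):           # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif line.startswith("-"):
            op, chain, *rest = line.split()
            pos = int(rest.pop(0)) - 1 if op == "-I" else len(chains[chain]["rules"])
            chains[chain]["rules"].insert(pos, parse_rule(rest))
    return chains

def packet(proto, state="NEW", dport=None, flags=(), iface="eth0", fragment=False):
    """A constructed packet as the matches see it; conntrack has already assigned the state."""
    return dict(proto=proto, state=state, dport=dport, flags=set(flags), iface=iface, fragment=fragment)

def _check(kind, arg, pkt):
    """One primitive match; None = cannot apply (a '!' does not rescue it), like the kernel's tcp/udp matches."""
    if kind in ("proto", "iface"):
        return pkt[kind] == arg
    if kind == "frag":
        return pkt["fragment"]
    if kind == "state":
        return pkt["state"] in arg
    if pkt["fragment"]:                    # non-first fragment: no transport header to look at
        return None
    return pkt["dport"] == arg if kind == "dport" else pkt["flags"] & arg[0] == arg[1]

def verdict(chains, chain, pkt):
    """First rule whose checks all hold decides; otherwise the chain policy. Returns (target, rule no, rule)."""
    for n, rule in enumerate(chains[chain]["rules"], 1):
        if all(_check(k, a, pkt) == (not neg) for k, neg, a in rule["checks"]):
            return rule["target"], n, rule["text"]
    return chains[chain]["policy"], None, "chain policy"

if __name__ == "__main__":
    chains = parse_ruleset(RULESET)
    for label, pkt in [("SSH SYN", packet("tcp", "NEW", 22, ["SYN"])),
                       ("HTTP SYN, nothing opens 80", packet("tcp", "NEW", 80, ["SYN"])),
                       ("NULL scan, conntrack says NEW", packet("tcp", "NEW", 22, [])),
                       ("NULL scan, conntrack says INVALID", packet("tcp", "INVALID", 22, [])),
                       ("non-first fragment", packet("tcp", "ESTABLISHED", None, ["ACK"], fragment=True))]:
        print("%-34s -> %s" % (label, verdict(chains, "INPUT", pkt)))
```

Two things the walk makes visible that the file itself does not. Because all four hardening rules are inserted at position 1, the loaded chain runs them in reverse, and the "! --syn NEW" rule sits first: with the default nf_conntrack_tcp_loose=1 the kernel classifies a flagless or all-flags probe to an untracked port as NEW, so that rule, not the dedicated NULL or Christmas Tree rule, is what drops it; the flag rules only fire when conntrack reports something other than NEW (INVALID, if loose pickup is disabled). The evaluator ignores source addresses and any match module outside this file, so treat it as a reasoning aid next to "iptables-restore --test" and a real port scan of the host, not a replacement for them.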