Last active: October 28, 2016 02:35
Gist: tuklusan/b7e84e2212703b35df6815543920168a
/etc/sysconfig/iptables | Centos 7 Network Hardening: How to Protect Your Server from Basic Network Attacks using IPTABLES Firewall - http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
# ----------
# /etc/sysconfig/iptables
# Supratim Sanyal's Hobbyist Cloud VPS Server
#
# fail2ban and IP blocklist scripts add entries after boot, extending
# these initial startup filter rules
#
# See "Centos 7 Network Hardening: How to Protect Your Server from Basic Network Attacks using IPTABLES Firewall"
# at http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
# ----------
#
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
# --
# Basic network exploit protection: malformed TCP flag combinations (NULL,
# Christmas-tree and non-SYN "new" packets used by port scanners) and IP
# fragments. Rules are evaluated top to bottom and the first match wins,
# so these sit before anything is accepted. Nothing here rate-limits SYNs;
# SYN floods are handled by the kernel's SYN cookies, not by this file.
# --
# Drop NEW TCP packets that are not a plain SYN (stray ACKs, SYN+FIN probes, ...)
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Drop Christmas-tree packets (every TCP flag set)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# Drop NULL packets (no TCP flags set)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# Drop second and later IP fragments (-f never matches the first fragment)
-A INPUT -f -j DROP
#
# --
# Allow replies and related traffic for connections this host initiated
# --
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# --
# Allow everything on the loopback interface lo (127.0.0.1)
# --
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# --
# Accept new incoming connections on the following ports, from any source
# (fail2ban and the blocklist scripts narrow this at runtime)
# --
#
# --- SSH ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#
# --- TELNET (cleartext protocol: logins cross the network unencrypted) ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
#
# --- SMTP ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
#
# --- DNS: TCP and UDP ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
#
# --- HTTP ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#
# --- POP3 ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
#
# --- NTP ---
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
#
# --- IMAP ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
#
# --- HTTPS ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#
# --- SMTPS (465) and SMTP submission (587) ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
#
# --- IMAP over SSL/TLS ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
#
# --- POP3 over SSL/TLS ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
#
# --- WEB PROXY (SQUID -> PRIVOXY -> TOR proxy chain) ---
# Open to any source at this layer; who may actually use the proxy is left to Squid's own ACLs
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
#
# --- RSYSLOG (UDP) ---
-A INPUT -p udp -m udp --dport 65514 -j ACCEPT
#
# --- STUNNEL (TLS wrapper in front of RSYSLOG) ---
-A INPUT -p tcp -m state --state NEW -m tcp --dport 65515 -j ACCEPT
#
# --
# Reject everything else, including forwarding requests. OUTPUT keeps its
# ACCEPT policy, so outbound traffic from this host is not filtered.
# --
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
# --
# That's all, folks
# --
COMMIT
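The ruleset above is first-match: a packet takes the target of the first INPUT rule it matches, and the final REJECT catches the rest. The following is an added example (not part of the gist or the blog post) that models just the iptables options this file uses and walks constructed packets down a copy of its INPUT chain, so you can see which rule decides each packet and which ports an external scan would find open. The conntrack state of each packet is an assumption supplied by the caller, since the example does no connection tracking of its own.

```python
"""Added example (not from the gist): a first-match walk down the INPUT chain above,
modelling just the iptables options that file uses, to show which rule decides a packet."""
import shlex
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed copy of some INPUT rules from the /etc/sysconfig/iptables above.
RULES = """
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -f -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

@dataclass
class Packet:
    proto: str                           # "tcp", "udp", ...
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flags that are set
    state: str = "NEW"                   # conntrack state, supplied by the caller (assumption)
    fragment: bool = False               # non-first IP fragment (carries no TCP header)

@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None
    fragment: bool = False
    flags_mask: Optional[Set[str]] = None   # --tcp-flags MASK COMP; COMP "NONE" -> empty set
    flags_cmp: Optional[Set[str]] = None
    flags_negate: bool = False

# option -> (Rule attribute, converter) for the options that take one argument
OPTS = {"-p": ("proto", str), "-j": ("target", str), "--dport": ("dport", int),
        "--state": ("states", lambda s: set(s.split(",")))}

def parse(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        r, i = Rule(chain=toks[1]), 2
        while i < len(toks):
            t = toks[i]
            if t in OPTS:
                attr, conv = OPTS[t]
                setattr(r, attr, conv(toks[i + 1]))
                i += 2
            elif t in ("-m", "--reject-with"):  # module loads and reject type do not affect matching
                i += 2
            elif t == "-f":
                r.fragment, i = True, i + 1
            elif t == "!" and toks[i + 1] == "--tcp-flags":  # the only negation the file uses
                r.flags_negate, i = True, i + 1
            elif t == "--tcp-flags":
                r.flags_mask = set(toks[i + 1].split(","))
                r.flags_cmp = set() if toks[i + 2] == "NONE" else set(toks[i + 2].split(","))
                i += 3
            else:  # refuse to silently mis-model anything else
                raise ValueError(f"unsupported option {t!r} in: {line}")
        rules.append(r)
    return rules

def matches(r: Rule, p: Packet) -> bool:
    if r.proto is not None and p.proto != r.proto:
        return False
    if r.states and p.state not in r.states:
        return False
    if r.fragment and not p.fragment:
        return False
    # '-m tcp' options never match a non-first fragment (no TCP header): hence the separate '-f' rule
    if p.fragment and (r.dport is not None or r.flags_mask is not None):
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.flags_mask is not None:
        hit = (set(p.flags) & r.flags_mask) == r.flags_cmp
        if hit == r.flags_negate:  # a negated rule matches only when the comparison fails
            return False
    return True

def verdict(rules: List[Rule], p: Packet, chain: str = "INPUT", policy: str = "ACCEPT") -> Tuple[str, int]:
    """Return (target, 1-based index of the deciding rule); index 0 means the chain policy applied."""
    for n, r in enumerate([r for r in rules if r.chain == chain], 1):
        if matches(r, p):
            return r.target, n
    return policy, 0

def exposed_ports(rules: List[Rule], chain: str = "INPUT") -> List[Tuple[str, int]]:
    """Ports a fresh connection can reach: what an external port scan of this host would show."""
    return sorted({(r.proto, r.dport) for r in rules
                   if r.chain == chain and r.target == "ACCEPT" and r.dport is not None})

if __name__ == "__main__":
    rs = parse(RULES)
    print("exposed:", exposed_ports(rs))
    for pkt in (Packet("tcp", 22, frozenset({"SYN"})), Packet("tcp", 22, frozenset({"ACK"})),
                Packet("tcp", 22, frozenset(), state="INVALID"), Packet("tcp", 3306, frozenset({"SYN"}))):
        print(pkt, "->", verdict(rs, pkt))
```

Two things the walk makes visible. A stray ACK with no connection is what the first rule exists for: the kernel's conntrack (with its default loose TCP pickup) will classify such a packet as NEW, and without that rule it would reach the port rules. NULL and Christmas-tree packets, by contrast, are given state INVALID in the example because conntrack does not open a connection for them, so the `--state NEW` rule never sees them and it is rules 2 and 3 that drop them. Also note that on a host running conntrack, IPv4 fragments are normally reassembled before the filter table sees them, so the `-f` rule rarely fires in practice; it is harmless belt-and-braces rather than the thing keeping fragments out.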