@tuklusan
Last active August 16, 2017 21:58
iptables | The /etc/sysconfig/iptables on sanyalnet-cloud-vps2 CentOS 7 VPS: network exploit protection from SYN flood, null, Christmas-tree and fragmented packets; rate-limited DDoS flood protection for ssh, telnet, smtp, dns, http, pop3, ntp, IMAP, https, smtps, starttls, imap-ssl/tls, pop-ssl/tls, dovecot, sieve, managesieve, DECnet bridge (HECnet)…
#------------------------------------------
# /etc/sysconfig/iptables
# CentOS 7
# Supratim Sanyal, supratim at riseup dot net, https://supratim-sanyal.blogspot.com
# fail2ban and an IP blocklist script add their own rules after boot on top of
# these default filter rules. fail2ban inserts its jail chains at the head of
# INPUT (iptables -I), so its bans are evaluated before anything below.
# Check the syntax of this file without loading it:
#   iptables-restore --test < /etc/sysconfig/iptables
#------------------------------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#------------------------------------------
# Basic protection from malformed TCP probes: new connections that do not
# begin with a bare SYN, Christmas-tree packets (all flags set), null packets
# (no flags) and non-first IP fragments.
# Note: "-f" matches only the second and later fragments, and with connection
# tracking loaded (which "-m state" below requires) IPv4 fragments are
# reassembled in PREROUTING before they reach this chain, so that rule rarely
# sees anything. None of these rules throttles a SYN flood; that is the job of
# the kernel's SYN cookies (net.ipv4.tcp_syncookies, on by default on CentOS 7)
# and of the per-port hashlimit rules further down.
#------------------------------------------
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -f -j DROP
#------------------------------------------
# Allow related and established connections and localhost traffic
#------------------------------------------
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#------------------------------------------
# Rate limit new ssh connections: 6 straight away per source IP, then one more
# every 15 s (4/min). Excess connections are REJECTed (ICMP port-unreachable);
# DROP would be cheaper under a flood but slower for legitimate clients to notice.
# --hashlimit-name must be unique per rule. Every rule that names the same
# table shares the table the FIRST such rule created, including that rule's
# rate and burst, so the other rules' own --hashlimit values are silently
# ignored and one source's connections to any port drain the same bucket.
# --hashlimit-htable-expire: a source's entry is freed after this many ms
# without traffic and its next packet starts from a full burst. The default is
# short (it is not tied to burst x rate), far below the 90 s this bucket needs
# to refill, so a scanner that pauses between bursts of 6 would never be
# limited. Set it to at least burst x token interval (6 x 15 s = 90 s).
# fail2ban only counts failures that sshd logs, and a connection rejected here
# never reaches sshd, so keep the burst at or above maxretry for the sshd jail
# in /etc/fail2ban/jail.local or the jail can never trigger.
#------------------------------------------
-A INPUT -p tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit 4/min --hashlimit-mode srcip --hashlimit-burst 6 --hashlimit-name ssh --hashlimit-htable-expire 90000 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
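To see what `--hashlimit 4/min --hashlimit-burst 6` actually admits, and why the table name and entry expiry matter, here is a small token-bucket model of the hashlimit match. This is an added example for this page, not part of the original file or of iptables; it approximates the kernel's per-jiffy integer credit accounting with continuous floating-point refill, uses 10000 ms as a stand-in for the default entry expiry, and the scanner address 198.51.100.7, browser address 203.0.113.5 and all timings are constructed.

```python
"""Token-bucket model of iptables' hashlimit match (added example, not from the page).

Assumptions: credit refills continuously instead of per jiffy; an entry that
sees no traffic for `expire_ms` is freed, as --hashlimit-htable-expire does,
and the key's next packet starts from a full burst; 10000 ms stands in for the
default expiry. All source addresses and timings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class HashlimitTable:
    """One --hashlimit-name table. The rule that creates it fixes rate and burst."""
    rate_per_sec: float
    burst: int
    expire_ms: int
    entries: dict = field(default_factory=dict)  # key -> (credit, last_seen)

    def match(self, key, now):
        """True if `key` still has credit at time `now` (seconds): the rule matches."""
        credit, last = self.entries.get(key, (None, None))
        if credit is None or (now - last) * 1000 >= self.expire_ms:
            credit = float(self.burst)           # new or expired entry: full burst
        else:
            credit = min(self.burst, credit + (now - last) * self.rate_per_sec)
        ok = credit >= 1
        self.entries[key] = (credit - 1 if ok else credit, now)
        return ok


class Firewall:
    """A chain of `-m hashlimit ... -j ACCEPT` rules keyed by destination port."""

    def __init__(self):
        self.tables = {}  # hashlimit-name -> HashlimitTable
        self.rules = {}   # dport -> HashlimitTable

    def add_rule(self, dport, name, rate_per_sec, burst, expire_ms=10000):
        # Mirrors the kernel's htable_find_get/htable_create: an existing table
        # of this name is reused unchanged, so the creator's rate/burst govern.
        table = self.tables.setdefault(
            name, HashlimitTable(rate_per_sec, burst, expire_ms))
        self.rules[dport] = table

    def new_connection(self, dport, srcip, now):
        """ACCEPT (True) or fall through to the port's REJECT rule (False)."""
        return self.rules[dport].match(srcip, now)


PER_MIN = 1 / 60.0


def ssh_accepted(expire_ms, pause_s):
    """12 SSH SYNs from one scanner: six 1 s apart, a pause, six more 1 s apart."""
    fw = Firewall()
    fw.add_rule(22, "ssh", 4 * PER_MIN, 6, expire_ms)       # 4/min, burst 6
    times = list(range(6)) + [5 + pause_s + i for i in range(1, 7)]
    return sum(fw.new_connection(22, "198.51.100.7", t) for t in times)


def http_accepted(shared_name, prior_ssh):
    """A browser opens 8 parallel connections to port 80 right after the same
    address made `prior_ssh` ssh attempts; compare shared vs unique table names."""
    fw = Firewall()
    fw.add_rule(22, "test" if shared_name else "ssh", 4 * PER_MIN, 6)
    fw.add_rule(80, "test" if shared_name else "http", 4.0, 8)  # 4/sec, burst 8
    client = "203.0.113.5"
    for _ in range(prior_ssh):
        fw.new_connection(22, client, 0.0)
    return sum(fw.new_connection(80, client, 0.0) for _ in range(8))


if __name__ == "__main__":
    print("ssh, no pause, 10 s expiry:  ", ssh_accepted(10000, 0), "of 12")
    print("ssh, 10 s pause, 10 s expiry:", ssh_accepted(10000, 10), "of 12")
    print("ssh, 10 s pause, 90 s expiry:", ssh_accepted(90000, 10), "of 12")
    print("http burst, shared name:     ", http_accepted(True, 0), "of 8")
    print("http burst after 4 ssh, shared:", http_accepted(True, 4), "of 8")
    print("http burst, unique names:    ", http_accepted(False, 4), "of 8")
```

With the 10 s expiry the scanner gets all 12 SYNs through by pausing 10 s, which is 12 connections in 22 s against a nominal 4/min; with the expiry raised to 90 s (burst x 15 s) only 7 pass. With a shared table name the HTTP rule inherits the ssh rule's 4/min, burst 6, so a normal browser page load loses 2 of 8 connections, and 4 earlier ssh attempts from the same address leave it only 2.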
#------------------------------------------
# Rate limit telnet connections: 3 straight away per source IP, then one per 30 s (2/min).
# Mirai-style IoT botnets scan and flood port 23 around the clock.
# Telnet is cleartext; leave this open only if something on the host really needs it.
# A unique --hashlimit-name keeps this bucket separate from the other services',
# and --hashlimit-htable-expire must cover the full refill time (3 x 30 s = 90 s)
# or a source that pauses between bursts gets a fresh burst each time.
#------------------------------------------
-A INPUT -p tcp --dport 23 -m state --state NEW -m hashlimit --hashlimit 2/min --hashlimit-mode srcip --hashlimit-burst 3 --hashlimit-name telnet --hashlimit-htable-expire 90000 -j ACCEPT
-A INPUT -p tcp --dport 23 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
#------------------------------------------
# Rate Limit SMTP connections
#------------------------------------------
-A INPUT -p tcp --dport 25 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name smtp -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
#------------------------------------------
# Rate Limit TCP DNS connections
#------------------------------------------
-A INPUT -p tcp --dport 53 -m state --state NEW -m hashlimit --hashlimit 10/sec --hashlimit-mode srcip --hashlimit-burst 20 --hashlimit-name dns-tcp -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
#------------------------------------------
# UDP DNS: logged, not served
# "Poor man's" DNS amplification protection: there is no ACCEPT for udp/53 (the
# original one is left commented out) and LOG is a non-terminating target, so
# UDP queries are logged (at most 10/sec, to keep the log readable) and then
# fall through to the catch-all REJECT at the end of the chain. Only TCP DNS is
# answered. If UDP DNS has to be served, replace the LOG with a per-source
# hashlimit ACCEPT like the TCP rule above and keep the catch-all.
# Ref: http://www.iplux.net/2015/01/17/Blocking-DNS-Amplification-attacks
#------------------------------------------
-A INPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j LOG --log-prefix "fw-dns " --log-level 7
#-A INPUT -p udp -m udp --dport 53 -j ACCEPT
#------------------------------------------
# Rate Limit HTTP connections
#------------------------------------------
-A INPUT -p tcp --dport 80 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name http -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#------------------------------------------
# Rate Limit POP3 connections
#------------------------------------------
-A INPUT -p tcp --dport 110 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name pop3 -j ACCEPT
-A INPUT -p tcp --dport 110 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
#------------------------------------------
# NTP Server (udp/123, not rate limited here)
# NTP is an amplification vector in its own right. If this is ntpd, keep the
# stock CentOS 7 "restrict default ... noquery" in ntp.conf so monlist-style
# queries are refused, because nothing in this chain throttles udp/123.
#------------------------------------------
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
#------------------------------------------
# Rate Limit IMAP connections
#------------------------------------------
-A INPUT -p tcp --dport 143 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name imap -j ACCEPT
-A INPUT -p tcp --dport 143 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
#------------------------------------------
# Rate Limit HTTPS connections
#------------------------------------------
-A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name https -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#------------------------------------------
# Rate Limit SMTPS (implicit TLS on port 465) connections
# STARTTLS is negotiated on ports 25 and 587, not here.
#------------------------------------------
-A INPUT -p tcp --dport 465 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name smtps -j ACCEPT
-A INPUT -p tcp --dport 465 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
#------------------------------------------
# Rate Limit mail submission (port 587, STARTTLS) connections
#------------------------------------------
-A INPUT -p tcp --dport 587 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name submission -j ACCEPT
-A INPUT -p tcp --dport 587 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
#------------------------------------------
# Rate Limit IMAP-SSL/TLS connections
#------------------------------------------
-A INPUT -p tcp --dport 993 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name imaps -j ACCEPT
-A INPUT -p tcp --dport 993 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
#------------------------------------------
# Rate Limit POP-SSL/TLS connections
#------------------------------------------
-A INPUT -p tcp --dport 995 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name pop3s -j ACCEPT
-A INPUT -p tcp --dport 995 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
#------------------------------------------
# Rate Limit Dovecot ManageSieve connections
#------------------------------------------
-A INPUT -p tcp --dport 4190 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name sieve -j ACCEPT
-A INPUT -p tcp --dport 4190 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 4190 -j ACCEPT
#------------------------------------------
# DECnet bridge (udp/4712)
# Bridges QCOCAL MicroVAX 3900 and JUICHI PDP-11/24 on remote host with CLOUDY VAX-11/780 on this host
# Bridge software by Johnny Billquist - http://www.update.uu.se/~bqt/hecnet.html
# The bridge peer is one fixed remote host, so this rule could be tightened
# with "-s <peer address>" instead of accepting udp/4712 from anywhere.
#------------------------------------------
-A INPUT -p udp -m udp --dport 4712 -j ACCEPT
#------------------------------------------
# Rate Limit TOR Proxy Port (Authentication Required to access proxy)
#------------------------------------------
-A INPUT -p tcp --dport 8080 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name torproxy -j ACCEPT
-A INPUT -p tcp --dport 8080 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
#------------------------------------------
# Rate Limit stunnel Port
#------------------------------------------
-A INPUT -p tcp --dport 65514 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name stunnel -j ACCEPT
-A INPUT -p tcp --dport 65514 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 65514 -j ACCEPT
#------------------------------------------
# Rate Limit rsyslog Ports (TCP and UDP)
# Anyone who can reach these ports can inject log lines, so remote syslog is
# best restricted to the known sending hosts with "-s".
# Note: "-m limit" (used for UDP below) is one global bucket shared by all
# sources, unlike hashlimit; 400/sec with the default --limit-burst of 5.
#------------------------------------------
-A INPUT -p tcp --dport 65515 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name rsyslog -j ACCEPT
-A INPUT -p tcp --dport 65515 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 65515 -j ACCEPT
#
-A INPUT -p udp -m udp --dport 65515 -m limit --limit 400/sec -j ACCEPT
#-A INPUT -p udp -m udp --dport 65515 -j ACCEPT
#------------------------------------------
# TOR Relay Port (not rate limited: a relay legitimately accepts many connections)
#------------------------------------------
-A INPUT -p tcp -m state --state NEW -m tcp --dport 65443 -j ACCEPT
#------------------------------------------
# Reject everything else and commit
#------------------------------------------
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
# -- EOF --