iptables.rules
###############################
# SIMPLE FIREWALL RULES FOR IPTABLES
#
#
# These rules are intended to be used
# without other firewalls such as UFW.
# If you have additional firewall settings
# in your system/iptables, take care when adapting
# these rules into your current firewall ruleset.
#
# It is highly recommended to remove all conflicting
# firewall configuration.
#
# I do not take responsibility for breaking
# your working firewall configuration!
#
############
#
# The rules in this file do the following:
#
# A) do not respond to incoming ping requests
# Can be used as a replacement for sysctl 'net.ipv4.icmp_echo_ignore_all=1' setting
#
# B) Reject new connections from a client that opens them too quickly.
# This setting may be useful against all kinds of intense brute-force
# attacks.
#
# C) drop all incoming traffic by default, except for
# SSH, HTTP and HTTPS protocols
#
#
############
#
# INSTALLATION
#
# NOTE: Intended to be used without UFW or any other
# firewall settings!!
#
# 1) Recommended: Remove existing firewall front-ends such as UFW from your system
#
# 2) Delete all previous firewall rules by issuing
# sudo iptables --flush && sudo iptables --delete-chain
#
# 3) Check output of 'iptables -S'. It should be
# -P INPUT ACCEPT
# -P FORWARD ACCEPT
# -P OUTPUT ACCEPT
#
# 4) In this file, change SSH, HTTP and HTTPS port numbers to fit your server environment
#
# Default values are:
#
# SSH: 22
# HTTP: 80
# HTTPS: 443
#
# Default setting for bruteforce prevention is 10 maximum connection attempts in 30 seconds
# Adapt the values to your server environment.
#
# 5) Save this file to /etc/iptables/iptables.rules
#
# 6) Check that the 'iptables-restore' command loads this file
#
# In systemd environments, check the value of 'ExecStart' and 'ExecReload'
# in file /lib/systemd/system/iptables.service. The entries should be as follows:
#
# ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
# ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
#
# 7) Once you have double-checked that the parameters in this file are correct (step 4), run
# sudo iptables-restore /etc/iptables/iptables.rules
# sudo systemctl enable iptables && sudo systemctl start iptables
#
# 8) Check that the rules have been applied:
# sudo iptables -S
#
#
###############################
# USEFUL LINKS
#
# https://www.thegeekstuff.com/scripts/iptables-rules
# https://gist.github.com/thomasfr/9712418
# http://blog.sevagas.com/?Iptables-firewall-versus-nmap-and,31
#
###############################
#
# BEGINNING OF FIREWALL RULES
#
*filter
###############################
# Default policy for this chain - drop all input traffic.
# This is a dangerous setting. If you drop all incoming connections,
# make sure you have accepted at least incoming SSH connections below.
# Otherwise you will be locked out of the server!
#
# Do not use 'REJECT' because it gives a response to hostile clients such
# as brute-forcers and port scanners. Instead, drop incoming packets
# and do not give a response at all.
#
-P INPUT DROP
###############################
# We are not a router, we drop all (non-existent) forward connections
#
-P FORWARD DROP
###############################
# By default, all outgoing traffic from the server is accepted
#
-P OUTPUT ACCEPT
###############################
# Drop all incoming ping requests
# NOTE: this rule comes before the loopback ACCEPT below, so pings to
# 127.0.0.1 are dropped as well; place it after that rule if you need them.
#
-A INPUT -p icmp --icmp-type echo-request -j DROP
###############################
# Allow loopback connections
#
-A INPUT -i lo -j ACCEPT
#-A OUTPUT -o lo -j ACCEPT
###############################
# Block bruteforce attacks
# Works against aggressive scanning techniques possibly used by dirbuster, nmap and similar tools.
# Please note that the following ruleset is tested only on a small server with low traffic.
#
# Default values allow at most 10 new connections from a client within 30 seconds.
# Because the --set rule runs before the --rcheck rule, the current attempt is
# counted too: the tenth new connection within the window is the one that gets reset.
# Please adjust these values for your server environment.
#
# Based on: https://rudd-o.com/linux-and-free-software/a-better-way-to-block-brute-force-attacks-on-your-ssh-server
# If you need to enable this for specific TCP ports only, add the following match to both rules:
# -m multiport --dports 80
-A INPUT -p tcp -m tcp -m state --state NEW -m recent --set --name BRUTEFORCE --rsource
#-A INPUT -p tcp -m tcp -m multiport --dports 80 -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j LOG --log-prefix "Brute force attack detected "
-A INPUT -p tcp -m tcp -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j REJECT --reject-with tcp-reset
###############################
# Allow incoming SSH connections
# NOTE: this file uses port 765, not the default 22 listed in the INSTALLATION
# section. Set --dport to the 'Port' value in your sshd_config before loading it.
#
-A INPUT -p tcp --dport 765 -m state --state NEW -j ACCEPT
#-A OUTPUT -p tcp --sport 765 -m state --state NEW -j ACCEPT
###############################
# Allow incoming HTTP/HTTPS connections
#
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
#-A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT
###############################
# Allow established and related connections
# NOTE: this rule comes after the brute-force check above, which has no
# '--state NEW' match, so a client that trips the threshold also gets packets
# of its existing connections reset while it remains in the BRUTEFORCE list.
#
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
###############################
COMMIT
# END OF FIREWALL RULES
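An added preflight script, not part of this gist, that automates step 3 of the INSTALLATION section and the lockout warning next to `-P INPUT DROP`: it checks that saved `iptables -S` output is the clean three-ACCEPT-policy state, reads the `Port` directive from an sshd_config, and fails when the rules file sets `-P INPUT DROP` without an ACCEPT for that port (which is exactly what happens if sshd listens on 22 while the rule above says 765). All function names are hypothetical; it assumes POSIX sh, reads files instead of calling iptables, and so runs without root.

```shell
#!/bin/sh
# check_rules.sh: preflight checks for an iptables-restore rules file.
# Added example, not part of the original gist. Function names are hypothetical.
# Assumes POSIX sh; every function reads files so it runs without root or iptables.

# Step 3 of the INSTALLATION section: the saved output of `iptables -S`
# must contain only the three default ACCEPT policies and no rules.
is_clean_ruleset() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            '') ;;
            "-P INPUT ACCEPT"|"-P FORWARD ACCEPT"|"-P OUTPUT ACCEPT") n=$((n + 1)) ;;
            *) return 1 ;;
        esac
    done < "$1"
    [ "$n" -eq 3 ]
}

# Print the port sshd listens on, read from an sshd_config file ($1).
# Assumes the directive starts the line ("Port 765"); defaults to 22.
sshd_port() {
    port=22
    while IFS= read -r line; do
        case "$line" in
            "Port "*) port=${line#* }; port=${port%% *} ;;
        esac
    done < "$1"
    printf '%s\n' "$port"
}

# True if rule line $1 opens port $2 via "--dport N" or "--dports a,b,N".
line_allows_port() {
    case "$1 " in
        *"--dport $2 "*) return 0 ;;
        *"--dports "*)
            ports=${1#*--dports }
            ports=${ports%% *}
            case ",$ports," in *",$2,"*) return 0 ;; esac ;;
    esac
    return 1
}

# True if the rules file $1 contains a "-P INPUT DROP" line.
input_policy_is_drop() {
    while IFS= read -r line; do
        case "$line" in "-P INPUT DROP"*) return 0 ;; esac
    done < "$1"
    return 1
}

# True if rules file $1 accepts TCP connections to port $2 in the
# filter table (the only table that matters for a lockout).
rules_accept_ssh() {
    table=
    while IFS= read -r line; do
        case "$line" in
            '*'*) table=${line#\*} ;;
            "-A INPUT "*" -j ACCEPT"*)
                [ "$table" = filter ] || continue
                case "$line" in
                    *"-p tcp"*) line_allows_port "$line" "$2" && return 0 ;;
                esac ;;
        esac
    done < "$1"
    return 1
}

# Return 0 if loading rules file $1 would still let sshd (configured in $2) in;
# return 1, with a message, if INPUT is DROP and no rule accepts the sshd port.
lockout_check() {
    port=$(sshd_port "$2")
    if input_policy_is_drop "$1" && ! rules_accept_ssh "$1" "$port"; then
        printf 'LOCKOUT RISK: INPUT policy is DROP but nothing accepts tcp/%s\n' "$port" >&2
        return 1
    fi
    printf 'ok: tcp/%s is accepted (or INPUT policy is not DROP)\n' "$port"
    return 0
}

# Usage: sh check_rules.sh /etc/iptables/iptables.rules /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
    lockout_check "$1" "$2"
fi
```

Run it before `iptables-restore` in step 7; a non-zero exit means the SSH port in the rules file does not match what sshd actually listens on. The check reads `--dport` and `--dports` lists only, so an SSH rule expressed through a different match (for example an ipset) would need the pattern extended.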