Iptables for web servers

iptables-web.sh

#!/bin/sh
DEF_IF=$(route | grep '^default' | grep -o '[^ ]*$')
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -X
iptables -X -t nat
iptables -F
iptables -F -t nat

##############################
### ATTACKS
##############################
# All TCP sessions should begin with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
# Limit the number of incoming tcp connections
# incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
# fragmented ICMP - sign of DoS attack
iptables -A INPUT --fragment -p ICMP -j DROP
#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
#Force Fragments packets check
iptables -A INPUT -f -j DROP
#Incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# invalid and suspicious packets
iptables -A INPUT -m state --state INVALID -j DROP
# Stealth scan 1
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "FWLOG: Stealth scan (1): "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Stealth scan 2
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "FWLOG: Stealth scan (2): "
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Stealth scan 3
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "FWLOG: Stealth scan (3): "
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Stealth scan 4
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "FWLOG: Stealth scan (4): "
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Stealth scan 5
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "FWLOG: Stealth scan (5): "
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Stealth scan 6
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "FWLOG: Stealth scan (6): "
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Port scan
iptables -N port-scan
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP



#iptables -A OUTPUT -p udp -o $DEF_IF -j ACCEPT
#iptables -A INPUT -p udp -i $DEF_IF -j ACCEPT

#minecraft
#iptables -A INPUT -i $DEF_IF -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 25655:25680 -j ACCEPT
#iptables -A OUTPUT -o $DEF_IF -p tcp -m multiport --sports 25655:25680 -m state --state RELATED,ESTABLISHED -j ACCEPT

# #allow tun+
# iptables -A INPUT -i tun+ -j ACCEPT
# iptables -A OUTPUT -o tun+ -j ACCEPT
# iptables -A FORWARD -i tun+ -j ACCEPT
# iptables -A FORWARD -i tun+ -o $DEF_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i $DEF_IF -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i tun+ -o ens0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i ens0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# #redirect TNT ports to SoftEther VPN TCP
# iptables -t nat -A PREROUTING -i $DEF_IF -p tcp -m multiport --dports 5242,4244,9200,9201,21,137,8484,82 -j REDIRECT --to-port 995
# iptables -A INPUT -i $DEF_IF -p tcp -m multiport --dports 5242,4244,9200,9201,21,137,8484,82 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o $DEF_IF -p tcp -m multiport --sports 5242,4244,9200,9201,21,137,8484,82 -m state --state ESTABLISHED -j ACCEPT

# iptables -t nat -A PREROUTING -i $DEF_IF -p udp -m multiport --dports 5242,4244,3128,9200,9201,21,137,8484,82 -j REDIRECT --to-port 1194
# iptables -A INPUT -i $DEF_IF -p udp -m multiport --dports 5242,4244,3128,9200,9201,21,137,8484,82,443,80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o $DEF_IF -p udp -m multiport --sports 5242,4244,3128,9200,9201,21,137,8484,82,443,80 -m state --state ESTABLISHED -j ACCEPT

# iptables -t nat -A PREROUTING -i $DEF_IF -p udp -m multiport --dports 5243,9785 -j REDIRECT --to-port 1194
# iptables -A INPUT -i $DEF_IF -p udp -m multiport --dports 5243,9785 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o $DEF_IF -p udp -m multiport --sports 5243,9785 -m state --state ESTABLISHED -j ACCEPT

# iptables -t nat -A PREROUTING -i $DEF_IF -p udp -m multiport --dports 2000:4499,4501:8000 -j REDIRECT --to-port 1194
# iptables -A INPUT -i $DEF_IF -p udp -m multiport --dports 2000:4499,4501:8000 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o $DEF_IF -p udp -m multiport --sports 2000:4499,4501:8000 -m state --state ESTABLISHED -j ACCEPT

# iptables -t nat -A PREROUTING -i tap_soft -p udp --dport 53 -j DNAT --to-destination 172.16.0.1:53
# iptables -t nat -A PREROUTING -i tap_soft -p udp --dport 5353 -j DNAT --to-destination 172.16.0.1:53
# iptables -t nat -A PREROUTING -i tap_soft -p tcp --dport 5353 -j DNAT --to-destination 172.16.0.1:53
# iptables -t nat -A PREROUTING -i tap_soft -p tcp --dport 53 -j DNAT --to-destination 172.16.0.1:53
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 208.67.222.123 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 208.67.220.123 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 81.218.119.11 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 209.88.198.133 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 199.85.126.20 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 199.85.127.20 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 172.16.0.1 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 8.8.8.8 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 8.8.4.4 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 208.67.220.220 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -d 208.67.222.222 -j ACCEPT
# iptables -A INPUT -i tap_soft -p tcp --dport 53 -j DROP
# iptables -A INPUT -i tap_soft -p tcp --dport 5353 -j DROP


#allow ssh,www,https, letsencrypt
iptables -A INPUT -i $DEF_IF -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A OUTPUT -o $DEF_IF -p tcp -m multiport --sports 22,80,443 -m state --state RELATED,ESTABLISHED -j ACCEPT


#loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#dns dhcp
iptables -A OUTPUT -p udp -m multiport --dports 53,67,68 -j ACCEPT
iptables -A INPUT -p udp -m multiport --sports 53,67,68 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 53,67,68 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 53,67,68 -j ACCEPT

#mosh
iptables -A INPUT -i $DEF_IF -m state --state NEW,ESTABLISHED,RELATED -p udp -m multiport --dports 60001:60010 -j ACCEPT
iptables -A OUTPUT -o $DEF_IF -p udp -m multiport --sports 60001:60010 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 60000:61000 -j ACCEPT
iptables -A INPUT -p udp -m multiport --sports 60000:61000 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 60000:61000 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 60000:61000 -j ACCEPT

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT


# iptables -A OUTPUT -p tcp -m multiport --dports 22,80,443,54321 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp -m multiport --sports 22,80,443,54321 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp -m multiport --dports 22,80,443,54321 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443,54321 -m state --state ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p tcp -m multiport --dports 995,3128,992,5555,8080 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp -m multiport --sports 995,3128,992,5555,8080 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp -m multiport --dports 995,3128,992,5555,8080 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp -m multiport --sport 995,3128,992,5555,8080 -m state --state ESTABLISHED -j ACCEPT


#rsync
iptables -A INPUT -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

#mysql
# iptables -A INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

# iptables -A INPUT -i tap_soft -j ACCEPT
# iptables -A OUTPUT -o tap_soft -j ACCEPT
# iptables -A FORWARD -i tap_soft -j ACCEPT
# iptables -A FORWARD -i tap_soft -o $DEF_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i $DEF_IF -o tap_soft -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i tap_soft -o ens0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i ens0 -o tap_soft -m state --state RELATED,ESTABLISHED -j ACCEPT


#nat
# iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 172.16.0.0/12 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

#ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#save rules
iptables-save > /etc/iptables/rules.v4
echo 1 > /proc/sys/net/ipv4/ip_forward
sudo sed -i 's/#net.ipv4.ip_forward/net.ipv4.ip_forward/g' /etc/sysctl.conf
sudo sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf