DigitalOcean IPTables
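# iptables-save format; load with `iptables-restore < this-file` (IPv4 only:
# an ip6tables ruleset is still needed if the host has IPv6 enabled, otherwise
# every port is reachable over IPv6 regardless of what is below).
#
# Fixes relative to the saved original:
#  * INPUT policy was ACCEPT with no final drop, so every port not explicitly
#    dropped was open and the per-port ACCEPT rules changed nothing.
#  * No `-i lo` accept existed ahead of the 127.0.0.0/8 anti-spoof drop, so
#    local clients connecting to 127.0.0.1 on anything but 80/8080/22 were
#    dropped.
#  * The SSH brute-force LOG/DROP rules came after the unconditional
#    `--state NEW` accept and so could never match.
#  * The 25/min web rate-limit rules came after an unconditional accept for
#    the same port and could never match.
#  * Three anti-spoof LOG rules came after the DROP for the same match.
#  * Two scan-DROP rules were exact duplicates of earlier ones.
#  * LOG rules are now rate-limited so a scan cannot flood the kernel log.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
# Fail closed: anything not explicitly accepted below is dropped.  FORWARD is
# dropped too because this host is not a router.  OUTPUT stays ACCEPT as in
# the original.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must be accepted before the anti-spoof rules; without this the
# `-s 127.0.0.0/8 -j DROP` below breaks every local client.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host initiated (per protocol, as originally).
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ---- TCP flag sanity / scan detection -------------------------------------
# Pattern: a rate-limited LOG followed by an unconditional DROP for the same
# flag combination.  The limit values are a starting point; tune to taste.
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FIN: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "PSH: "
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "URG: "
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "XMAS scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "NULL scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "pscan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "pscan 2: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
# Originally logged with the same "pscan 2: " prefix as the FIN,SYN rule above,
# which made the two indistinguishable in the log; given its own prefix.
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "pscan 3: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SYNFIN-SCAN: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "NMAP-XMAS-SCAN: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FIN-SCAN: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "NMAP-ID: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
# The original logged SYN,RST but relied on the generic "NEW without SYN" rule
# below to drop it; the explicit DROP keeps the LOG/DROP pairing uniform.
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SYN-RST: "
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
# A NEW connection must start with a bare SYN.
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Fragments.  With connection tracking loaded the kernel reassembles before
# the filter table sees the packet, so this rarely matches; kept as defence
# in depth.
-A INPUT -f -j DROP
# ---- Services -------------------------------------------------------------
# Web ports.  ESTABLISHED traffic is already accepted above, so only NEW is
# needed here.  The original's `-m limit --limit 25/min --limit-burst 100`
# rules sat after this unconditional accept and could never match; they are
# not reproduced.  To really rate-limit new connections, place a
# `--state NEW -m limit ... -j ACCEPT` rule here and let the excess fall
# through to the DROP policy, with a limit sized for the site's real traffic.
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
# RIP: answer with port-unreachable rather than silently dropping (as before).
-A INPUT -p udp -m udp --dport 520 -j REJECT --reject-with icmp-port-unreachable
# SSH brute-force throttle.  The LOG and DROP must come BEFORE the --set/ACCEPT
# rule, otherwise every new connection is accepted first and the throttle is
# dead (which is how the original was ordered).  4 NEW connections from one
# source within 60 s are logged and dropped; --update refreshes the timer so
# a source that keeps retrying stays blocked.
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SSH_brute_force "
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
# Ping.  Under the old ACCEPT policy echo-request was implicitly allowed; keep
# it reachable but rate-limited now that the policy is DROP.  Remove this rule
# if the host should not answer ping.
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
# ---- Bogon / spoofed addresses --------------------------------------------
# Kept after the service rules, as in the original, so that clients on a
# 10.0.0.0/8 network (DigitalOcean private networking uses that range) still
# reach the ports above.  To also refuse spoofed sources on those ports, move
# this block above the service rules and exempt the private interface with
# `! -i <private-iface>` on the 10.0.0.0/8 rule.
# Each LOG now precedes its DROP; in the original they followed it and never
# fired.
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -d 127.0.0.0/8 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT -d 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
# ---- OUTPUT ---------------------------------------------------------------
# Redundant under the ACCEPT policy but harmless; kept from the original.
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
COMMIT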