Skip to content

Instantly share code, notes, and snippets.

@potem
Created December 22, 2011 21:40
Show Gist options
  • Save potem/1511984 to your computer and use it in GitHub Desktop.
Save potem/1511984 to your computer and use it in GitHub Desktop.
Basic IPTables server firewall
# This script is a basic IPTables server firewall with defenses against some
# of the most common attack types.
#
# Basically you just have to add/remove ports in the first part of this script
# and you should be ready to go.
#
# Help, comments and improvements always appreciated, also, feel free to
# use, change and distribute. Cheers
ip=/usr/sbin/iptables
# basic setup, chains
$ip --flush
$ip --delete-chain
$ip -P OUTPUT DROP
$ip -P INPUT DROP
$ip -P FORWARD DROP
# SSH
$ip -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh
$ip -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --rttl --name ssh -j DROP
$ip -A INPUT -p tcp --dport 22 -m limit --limit 2/s -j ACCEPT
$ip -A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 5 -j DROP
# HTTP
$ip -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$ip -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# DNS lookups
$ip -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# loopback device
$ip -A INPUT -i lo -j ACCEPT
$ip -A OUTPUT -o lo -j ACCEPT
# already established in-/outgoing connections
$ip -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ip -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# log and ban portscans
$ip -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
$ip -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
$ip -A INPUT -m recent --name portscan --remove
$ip -A FORWARD -m recent --name portscan --remove
$ip -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
$ip -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
$ip -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
$ip -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
# drop LAN/Multicast IP's (RFC1918)
$ip -A INPUT -s 10.0.0.0/8 -j DROP
$ip -A INPUT -s 169.254.0.0/16 -j DROP
$ip -A INPUT -s 172.16.0.0/12 -j DROP
$ip -A INPUT -s 127.0.0.0/8 -j DROP
$ip -A INPUT -s 224.0.0.0/4 -j DROP
$ip -A INPUT -d 224.0.0.0/4 -j DROP
$ip -A INPUT -s 240.0.0.0/5 -j DROP
$ip -A INPUT -d 240.0.0.0/5 -j DROP
$ip -A INPUT -s 0.0.0.0/8 -j DROP
$ip -A INPUT -d 0.0.0.0/8 -j DROP
$ip -A INPUT -d 239.255.255.0/24 -j DROP
$ip -A INPUT -d 255.255.255.255 -j DROP
# drop broadcast and multicast packets
$ip -A INPUT -m pkttype --pkt-type broadcast -j DROP
$ip -A INPUT -m pkttype --pkt-type multicast -j DROP
# drop INVALID packets
$ip -A INPUT -m state --state INVALID -j DROP
$ip -A FORWARD -m state --state INVALID -j DROP
$ip -A OUTPUT -m state --state INVALID -j DROP
# limit RST packets
$ipt -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# block syn flood
$ip -A INPUT -p tcp --syn -m limit --limit 3/s -j ACCEPT
$ip -A INPUT -p tcp --syn -j DROP
# everything has to start with SYN
$ip -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# block smurf attacks
$ip -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
$ip -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
# limit ICMP packets
$ip -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
# allow ping
$ip -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# block fragmented packets
$ip -A INPUT -f -j DROP
# block oversized unfragmented packets
$ip -t raw -A PREROUTING -p icmp -m length --length 1492:65535 -j DROP
# defend against SYN-FIN, SYN-RST, X-Mas, nmap FIN, NULLflags and ALLflags attacks
$ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$ip -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
$ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
$ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$ip -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
#
# Kernel sysctl configuration
#
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 10
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
# protect against tcp time-wait assassination hazards
# drop RST packets for sockets in the time-wait state
# (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
# send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0
# ICMP routing redirects (only secure)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment