iptables base firewall
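# iptables base firewall (IPv4 filter table only).
#
# Usage:
#   iptables-restore --test < firewall.rules   # parse only, nothing is applied
#   iptables-restore < firewall.rules          # atomically replace the filter table
#
# Deployment notes:
#   * This covers IPv4 only. If the host has a routable IPv6 address, load an
#     equivalent ruleset with ip6tables-restore (or disable IPv6), otherwise
#     every restriction below can be bypassed over v6.
#   * iptables-restore does not persist across reboots by itself; hook the file
#     into iptables-persistent / netfilter-persistent or a boot-time unit.
#   * The INPUT policy is DROP and SSH is only accepted from 192.168.0.0/16.
#     Apply from a console, or with a scheduled rollback, when working remotely.
*filter
# Default-deny inbound: the policy is the safety net, the explicit rules below
# decide what gets in. Counters are zeroed ([0:0]) instead of carrying values
# copied from an old iptables-save dump.
:INPUT DROP [0:0]
# Nothing below ACCEPTs forwarded traffic, so this only matters if the host
# routes; if it does not, make this DROP as well.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback is always trusted; anything arriving elsewhere with a 127/8 source
# is spoofed and is dropped further down.
-A INPUT -i lo -j ACCEPT

# Packets conntrack cannot classify are never useful; reject them before any
# ACCEPT rule can see them. -m conntrack is the current spelling of the
# deprecated -m state match, used consistently throughout.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Replies to flows this host started, plus related flows (ICMP errors, helper
# data channels).
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Drop sources/destinations that cannot legitimately arrive from the Internet
# (spoofed or bogon addresses). 192.168.0.0/16 is deliberately absent: it is
# the LAN range the SSH rule trusts. If the LAN uses 10/8 or 172.16/12 instead,
# remove that line or add "! -i <lan-interface>" to these rules, or LAN traffic
# dies here.
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
# Reserved/Class E is 240.0.0.0/4, not /5 (the /5 missed 248.0.0.0-255.255.255.255).
# The /4 also covers the limited-broadcast address 255.255.255.255.
-A INPUT -s 240.0.0.0/4 -j DROP
-A INPUT -d 240.0.0.0/4 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP

# ICMP: answer pings (rate-limited against ping floods) but not the
# information-leaking request types. No other ICMP is accepted as NEW; ICMP
# errors for existing connections (unreachable, time-exceeded, fragmentation-
# needed for PMTU discovery) arrive as RELATED and were accepted above.
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Bogus TCP flag combinations: no real stack sends these, scanners and OS
# fingerprinters do.
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL ALL -j DROP
# A new connection must begin with a bare SYN; anything else claiming to be
# NEW is a stray segment or an ACK/FIN scan.
-A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Budget for stray RSTs. RSTs that belong to a tracked connection were already
# accepted by the RELATED,ESTABLISHED rule, so this only concerns RSTs with no
# matching state; beyond the budget they fall through to the final DROP.
# (Unrelated to smurf attacks, which are ICMP broadcast amplification.)
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Per-source limit on new TCP connections (SYN flood / connection exhaustion).
# The earlier xt_recent version most likely failed to load because
# --hitcount 60 exceeds xt_recent's default history size (ip_pkt_list_tot=20).
# hashlimit keeps one token bucket per source IP, so one flooder cannot use up
# everyone else's budget; raise the threshold if many users share a NAT
# address. Also enable net.ipv4.tcp_syncookies=1 in sysctl, which is the
# kernel's own SYN-flood defence.
-A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-above 60/second --hashlimit-burst 60 -j DROP

# Port-scan trap: TCP/139 is not served here, so a SYN to it is treated as a
# probe and the source is blocked for a day. Caveat: the source address of a
# bare SYN is unauthenticated, so an attacker can spoof a victim's address
# (including a LAN admin's) into this list; exempt the LAN, or drop the trap,
# if that denial-of-service matters to you.
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Entries older than a day are purged on the source's next packet.
-A INPUT -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove
# Log a rate-limited sample (so a scanner cannot fill the log) and list the source.
-A INPUT -p tcp -m tcp --dport 139 -m limit --limit 5/minute -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -m limit --limit 5/minute -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Administrative SSH only from the LAN (pair this with key-only auth in sshd).
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
# Public web. Add a matching --dport 443 rule if TLS is served.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Everything else: keep a rate-limited log sample (useful when debugging a
# blocked service and for spotting probes), then drop. The explicit DROP
# mirrors the chain policy so the outcome does not depend on it.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT drop: "
-A INPUT -j DROP
COMMIT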