Skip to content

Instantly share code, notes, and snippets.

@zoonderkins

zoonderkins/temp-dns-iptables.md

Last active March 16, 2019 14:27
Show Gist options
  • Save zoonderkins/f5c29b0503136822bc3a48e456557a53 to your computer and use it in GitHub Desktop.
Save zoonderkins/f5c29b0503136822bc3a48e456557a53 to your computer and use it in GitHub Desktop.
Download ZIP
temp-dns-iptables.md
Raw
temp-dns-iptables.md 
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
:f2b-SSH - [0:0]
:RATE-LIMIT - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name icmp-echo-drop -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -s 159.69.70.41 -j DROP

## Try hash limit

-A INPUT -p tcp -m multiport --dports 53,443,853 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 8443,53 -m state --state NEW -j ACCEPT

-A RATE-LIMIT --match hashlimit --hashlimit-upto 1/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name conn_rate_limit -j ACCEPT
-A RATE-LIMIT --match limit --limit 1/sec -j LOG --log-prefix "IPTables-Rejected: "
-A RATE-LIMIT -j REJECT --reject-with icmp-port-unreachable

-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT

OR


-A INPUT -p tcp -m multiport --dports 53 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 10 --name DNS --rsource -j REJECT --reject-with tcp-res$
-A INPUT -p tcp -m multiport --dports 53 -m state --state NEW -m recent --set --name DNS --rsource -j ACCEPT
-A INPUT -p udp -m multiport --dports 53 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 10 --name DNS --rsource -j REJECT --reject-with icmp-po$
-A INPUT -p udp -m multiport --dports 53 -m state --state NEW -m recent --set --name DNS --rsource -j ACCEPT

-A INPUT -p tcp -m multiport --dports 443,853,8443 -m state --state NEW -m recent --rcheck --seconds 2 --hitcount 20 --name DNS --rsource -j REJECT --reject-wi$
-A INPUT -p tcp -m multiport --dports 443,853,8443 -m state --state NEW -m recent --set --name DNS --rsource -j ACCEPT

-A INPUT -p udp -m multiport --dports 8443 -m state --state NEW -m recent --rcheck --seconds 2 --hitcount 20 --name DNS --rsource -j REJECT --reject-with icmp-$
-A INPUT -p udp -m multiport --dports 8443 -m state --state NEW -m recent --set --name DNS --rsource -j ACCEPT
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment