Instructions to set up a basic LAMP+SSH server environment
###############################
# SIMPLE FIREWALL RULES FOR IPTABLES
#
# By Pekka Helenius (~Fincer), 2018
#
# These rules are intended to be used
# without UFW. If you have additional
# firewall settings in your system/iptables,
# take care when adapting these rules into your
# current firewall ruleset.
#
# I do not take responsibility for breaking
# your working firewall configuration!
#
############
#
# The rules in this file do the following:
#
# A) do not respond to incoming ping requests
# Can be used as a replacement for the sysctl setting 'net.ipv4.icmp_echo_ignore_all=1'
#
# B) drop all incoming traffic by default, except for the
# SSH, HTTP and HTTPS protocols
#
# C) start dropping packets if the connection cycle from one client
# is too intense. This setting may be useful against port scanners.
#
# Ruleset C) by Anthony Maro:
# https://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans
#
############
#
# INSTALLATION
#
# NOTE: Intended to be used without UFW or any other
# firewall settings!!
#
# 1) Recommended: Remove existing firewall front-ends such as UFW from your system
#
# 2) Delete all previous firewall rules by issuing
# sudo iptables --flush && sudo iptables --delete-chain
#
# 3) Check the output of 'iptables -S'. It should be
# -P INPUT ACCEPT
# -P FORWARD ACCEPT
# -P OUTPUT ACCEPT
#
# 4) In this file, change the SSH, HTTP and HTTPS port numbers and the network
# interface name to fit your server environment. iptables-restore does not
# expand shell variables, so every value must be written out literally.
#
# Default values are:
#
# SSH: 22
# HTTP: 80
# HTTPS: 443
#
# Default setting for C) is a maximum of 10 connection attempts in 30 seconds.
# Adapt the values to your server environment.
#
# 5) Save this file to /etc/iptables/iptables.rules
#
# 6) Check that it is used by the 'iptables-restore' command
#
# In systemd environments, check the values of 'ExecStart' and 'ExecReload'
# in the file /lib/systemd/system/iptables.service. The entries should be as follows:
#
# ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
# ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
#
# 7) Once you have double-checked that the parameters in this file are correct (step 4), run
# sudo iptables-restore /etc/iptables/iptables.rules
# sudo systemctl enable iptables && sudo systemctl start iptables
#
# 8) Check that the rules have been applied:
# sudo iptables -S
#
#
###############################
# USEFUL LINKS
#
# https://www.thegeekstuff.com/scripts/iptables-rules
# https://gist.github.com/thomasfr/9712418
#
###############################
#
# BEGINNING OF FIREWALL RULES
#
*filter
###############################
# DEFAULT POLICY FOR THIS CHAIN - DROP ALL INPUT TRAFFIC
#
# THIS IS A DANGEROUS SETTING. IF YOU DROP ALL INCOMING
# CONNECTIONS, MAKE SURE YOU HAVE ACCEPTED AT LEAST SSH CONNECTION INPUT BELOW,
# OTHERWISE YOU WILL BE LOCKED OUT OF THE SERVER!
#
# DO NOT USE 'REJECT' BECAUSE IT GIVES A RESPONSE TO HOSTILE CLIENTS (PORT SCANNERS).
# INSTEAD, DROP INCOMING PACKETS AND DO NOT GIVE ANY RESPONSE AT ALL
#
-P INPUT DROP
###############################
# WE ARE NOT A ROUTER, WE DROP ALL (NON-EXISTENT) FORWARD CONNECTIONS
#
-P FORWARD DROP
###############################
# BY DEFAULT, ALL OUTGOING TRAFFIC FROM THE SERVER IS ACCEPTED
#
-P OUTPUT ACCEPT
###############################
# DROP ALL INCOMING PING REQUESTS
#
# Note: with the INPUT policy above, ICMP that no later rule accepts is dropped anyway;
# this rule makes the intent explicit. ICMP errors belonging to existing connections
# (e.g. path MTU discovery) still pass through the RELATED,ESTABLISHED rule below.
#
-A INPUT -p icmp --icmp-type echo-request -j DROP
###############################
# ALLOW LOOPBACK CONNECTIONS
#
-A INPUT -i lo -j ACCEPT
#-A OUTPUT -o lo -j ACCEPT
###############################
# ALLOW INCOMING SSH CONNECTIONS (CHANGE 22 TO YOUR SSH PORT, SEE STEP 4)
#
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
#-A OUTPUT -p tcp --sport 22 -m state --state NEW -j ACCEPT
###############################
# ALLOW INCOMING HTTP/HTTPS CONNECTIONS
#
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
#-A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT
###############################
# ALLOW ESTABLISHED AND RELATED CONNECTIONS
#
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
###############################
# RULESET C)
#
# IF 10 NEW CONNECTIONS TO ANY PORT WITHIN 30 SECONDS ARE REQUESTED BY A CLIENT, START DROPPING PACKETS FOR THAT CLIENT
#
# SHOULD FREEZE NMAP AND OTHER PORT SCANNERS
#
# Note: iptables-restore does not expand shell variables, so the interface has to be
# written out literally. 'eth0' below is a placeholder for your public interface
# (see 'ip link'); remove '-i eth0' to count new connections on all interfaces.
#
# Note: at this position the two rules only see NEW TCP packets that were not already
# accepted above, i.e. packets to ports the INPUT policy drops anyway. To rate-limit
# SSH/HTTP/HTTPS as well, move them above the SSH ACCEPT rule, but be aware that a
# busy legitimate client (a browser opening many connections) can then exceed
# 10 new connections in 30 seconds and be dropped.
#
# Source: https://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans
-A INPUT -i eth0 -p tcp -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
###############################
COMMIT
# END OF FIREWALL RULES
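Installation steps 4 to 8 above are typed into a shell, and the rules file itself cannot contain shell variables. The following POSIX shell script is an added example, not part of Pekka Helenius' rules file or the project: it renders the same ruleset (same rules, same order) from variables, parse-checks the result with `iptables-restore --test`, and loads it with an automatic rollback so that a wrong SSH port does not lock you out. The interface name `eth0`, the paths under `/run`, the `firewall.sh` name in the usage note and the 120-second rollback window are assumptions.

```shell
#!/bin/sh
# Added example: render the rules file from shell variables and apply it with
# a lockout guard. iptables-restore does not expand variables such as $IFACE
# inside the rules file, so the interface and ports are substituted here,
# before the file is written. Not part of the original rules file; the
# interface name, /run paths and rollback delay are assumptions.

SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80,443}"
IFACE="${IFACE:-eth0}"                          # public interface (assumed: eth0)
HITCOUNT="${HITCOUNT:-10}"                      # ruleset C: new connections ...
WINDOW="${WINDOW:-30}"                          # ... within this many seconds
RULES_FILE="${RULES_FILE:-/etc/iptables/iptables.rules}"
BACKUP="${BACKUP:-/run/iptables.rollback}"      # live ruleset saved before applying
CONFIRM_FLAG="${CONFIRM_FLAG:-/run/iptables.confirmed}"
ROLLBACK_DELAY="${ROLLBACK_DELAY:-120}"         # seconds before automatic rollback

# render_rules SSH_PORT WEB_PORTS IFACE HITCOUNT WINDOW
# Prints the ruleset (same rules and order as the file above) to stdout.
render_rules() {
cat <<EOF
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports $2 -m state --state NEW -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $3 -p tcp -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i $3 -p tcp -m state --state NEW -m recent --update --seconds $5 --hitcount $4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
COMMIT
EOF
}

# apply_rules FILE
# 1. parse-check the file without loading it (iptables-restore --test)
# 2. save the live ruleset, then load the new one
# 3. start a timer that restores the saved ruleset unless confirm_rules
#    has been run, e.g. after a fresh SSH login has been verified to work
apply_rules() {
    iptables-restore --test "$1" || { echo "refusing to load: $1 failed iptables-restore --test" >&2; return 1; }
    iptables-save > "$BACKUP" || return 1
    rm -f "$CONFIRM_FLAG"
    iptables-restore "$1" || return 1
    nohup sh -c "sleep $ROLLBACK_DELAY; [ -e '$CONFIRM_FLAG' ] || iptables-restore '$BACKUP'" >/dev/null 2>&1 &
    echo "rules loaded; run '$0 confirm' within ${ROLLBACK_DELAY}s or the previous ruleset returns" >&2
}

# confirm_rules: keep the new ruleset (cancels the pending rollback)
confirm_rules() {
    touch "$CONFIRM_FLAG"
}

case "${1:-}" in
    render)  render_rules "$SSH_PORT" "$WEB_PORTS" "$IFACE" "$HITCOUNT" "$WINDOW" ;;
    apply)   render_rules "$SSH_PORT" "$WEB_PORTS" "$IFACE" "$HITCOUNT" "$WINDOW" > "$RULES_FILE" \
                 && apply_rules "$RULES_FILE" ;;
    confirm) confirm_rules ;;
esac
```

Usage: `SSH_PORT=2222 IFACE=ens3 sh firewall.sh render` prints the rendered file for inspection; `sudo sh firewall.sh apply` writes it to the rules file and loads it, and `sudo sh firewall.sh confirm` from a new SSH session keeps it. If the new session cannot connect, the rollback timer restores the previous ruleset by itself. Debian-based systems ship `iptables-apply`, which offers the same confirm-or-revert behaviour without this script.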
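The warning at the top of the rules (a DROP policy on INPUT locks you out unless SSH is accepted), the REJECT-versus-DROP guidance, and the fact that iptables-restore does not expand shell variables can all be checked mechanically before step 7. The following lint script is an added example, not part of the rules file or the project: it reads an iptables-restore file and reports unexpanded variables, missing loopback/ESTABLISHED/SSH ACCEPT rules under an INPUT DROP policy, any REJECT in the INPUT chain, and where the ruleset C rate-limit DROP sits relative to the port ACCEPT rules. It never touches the running firewall; it assumes the iptables-save layout (`*table`, `-P`, `-A`, `COMMIT`) used by the file above.

```shell
#!/bin/sh
# Added example (not part of the original rules file or project): a preflight
# lint for an iptables-restore file. It checks the pitfalls the comments in
# the rules file warn about and only reads the file; the running firewall is
# never touched. Assumes the iptables-save layout (*table, -P, -A, COMMIT).

# active_rules FILE: the file without comment and blank lines
active_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# lint_rules FILE [SSH_PORT]: print findings; return 1 if loading the file
# would likely fail or lock you out, 0 otherwise
lint_rules() {
    _file="$1"; _ssh="${2:-22}"; _rc=0

    # 1) iptables-restore does not expand shell variables such as $IFACE
    if active_rules "$_file" | grep -q '\$[A-Za-z_]'; then
        _vars=$(active_rules "$_file" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | sort -u | tr '\n' ' ')
        echo "ERROR: unexpanded shell variable(s) in rules: $_vars"
        _rc=1
    fi

    # 2) With -P INPUT DROP, these ACCEPT rules must exist or you are locked out
    if active_rules "$_file" | grep -q '^-P INPUT DROP'; then
        active_rules "$_file" | grep -q -- '-A INPUT -i lo -j ACCEPT' \
            || { echo "ERROR: INPUT policy DROP without loopback ACCEPT"; _rc=1; }
        active_rules "$_file" | grep -- '-A INPUT' | grep ESTABLISHED | grep -q -- '-j ACCEPT' \
            || { echo "ERROR: INPUT policy DROP without RELATED,ESTABLISHED ACCEPT"; _rc=1; }
        active_rules "$_file" | grep -- '-A INPUT' | grep -- '-j ACCEPT' \
            | grep -Eq -- "--dports? ([0-9]+,)*${_ssh}(,|[[:space:]])" \
            || { echo "ERROR: INPUT policy DROP without ACCEPT for SSH port $_ssh (lockout)"; _rc=1; }
    fi

    # 3) REJECT answers hostile clients; the file's own guidance is DROP
    if active_rules "$_file" | grep -- '-A INPUT' | grep -q -- '-j REJECT'; then
        echo "WARN: -j REJECT in INPUT; prefer DROP so scanners get no reply"
    fi

    # 4) Position of the ruleset C rate-limit DROP relative to the first port ACCEPT
    _drop=$(active_rules "$_file" | grep -n -- '-m recent' | grep -- '-j DROP' | head -n 1 | cut -d: -f1)
    _acc=$(active_rules "$_file" | grep -n -- '-A INPUT' | grep -- '--dport' | grep -- '-j ACCEPT' | head -n 1 | cut -d: -f1)
    if [ -n "$_drop" ] && [ -n "$_acc" ]; then
        if [ "$_drop" -lt "$_acc" ]; then
            echo "INFO: rate-limit DROP precedes the port ACCEPT rules: it also limits SSH/HTTP clients"
        else
            echo "INFO: rate-limit DROP follows the port ACCEPT rules: it only counts ports the policy drops anyway"
        fi
    fi
    return $_rc
}

# usage: sh lint_rules.sh /etc/iptables/iptables.rules [SSH_PORT]
if [ -n "${1:-}" ]; then
    lint_rules "$@"
fi
```

Run it against the saved file before `iptables-restore` in step 7; a non-zero exit means the file would either be rejected (unexpanded `$IFACE`) or cut off your SSH access. The ordering line is informational only, since both placements of ruleset C are legitimate choices with the trade-off noted in the rules file.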