|
|
- ###############################
- # SIMPLE FIREWALL RULES FOR IPTABLES
- #
- #
- # These rules are intended to be used
- # without other firewalls such as UFW.
- # If you have additional firewall settings
- # in your system/iptables, take care adapting
- # these rules in to your current firewall ruleset.
- #
- # It is highly recommended to remove all conflicting
- # firewall configuration
- #
- # I do not take responsibility of breaking
- # your working firewall configuration!
- #
- ############
- #
- # The rules in this file do the following:
- #
- # A) do not respond to incoming ping requests
- # Can be used as a replacement for sysctl 'net.ipv4.icmp_echo_ignore_all=1' setting
- #
- # B) Reject connection if connection cycle is too intense
- # from one client. This setting may be useful against all kind of intense brute force
- # attacks.
- #
- # C) drop all incoming traffic by default, except for
- # SSH, HTTP and HTTPS protocols
- #
- #
- ############
- #
- # INSTALLATION
- #
- # NOTE: Intended to be used without UFW or any other
- # firewall settings!!
- #
- # 1) Recommended: Remove existing firewall front-ends such as UFW from your system
- #
- # 2) Delete all previous firewall rules by issuing
- # sudo iptables --flush && sudo iptables --delete-chain
- #
- # 3) Check output of 'iptables -S'. It should be
- # -P INPUT ACCEPT
- # -P FORWARD ACCEPT
- # -P OUTPUT ACCEPT
- #
- # 4) In this file, change SSH, HTTP and HTTPS port numbers to fit your server environment
- #
- # Default values are:
- #
- # SSH: 22
- # HTTP: 80
- # HTTPS: 443
- #
- # Default setting for bruteforce prevention is 10 maximum connection attempts in 30 seconds
- # Adapt the values to your server environment.
- #
- # 5) Save this file to /etc/iptables/iptables.rules
- #
- # 6) Check that it is used by 'iptables-restore' command
- #
- # In systemd environments, check the value of 'ExecStart' and 'ExecReload'
- # in file /lib/systemd/system/iptables.service. The entries should be as follows:
- #
- # ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
- # ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
- #
- # 7) Once you have double-checked that the parameters in this file are correct (step 4), run
- # sudo iptables-restore /etc/iptables/iptables.rules
- # sudo systemctl enable iptables && sudo systemctl start iptables
- #
- # 8) Check that the rules have been applied:
- # sudo iptables -S
- #
- #
- ###############################
- # USEFUL LINKS
- #
- # https://www.thegeekstuff.com/scripts/iptables-rules
- # https://gist.github.com/thomasfr/9712418
- # http://blog.sevagas.com/?Iptables-firewall-versus-nmap-and,31
- #
- ###############################
- #
- # BEGINNING OF FIREWALL RULES
- #
-
- *filter
-
- ###############################
- # Default policy for this chain - drop all input traffic
- # This is a dangerous setting. If you drop all incoming connections,
- # make sure you have accepted at least incoming SSH connection below.
- # Otherwise you will be locked out from the server!
- #
- # Do not use 'REJECT' because it gives a response to hostile clients such
- # as bruteforcers and port scanners. Instead, drop incoming packets
- # and do not give reponse at all.
- #
-
- -P INPUT DROP
-
- ###############################
- # We are not a router, we drop all (non-existent) forward connections
- #
-
- -P FORWARD DROP
-
- ###############################
- # By default, all outgoing traffic from the server is accepted
- #
-
- -P OUTPUT ACCEPT
-
- ###############################
- # Drop all incoming ping requests
- #
-
- -A INPUT -p icmp --icmp-type echo-request -j DROP
-
- ###############################
- # Allow loopback connections
- #
-
- -A INPUT -i lo -j ACCEPT
- #-A OUTPUT -o lo -j ACCEPT
-
- ###############################
- # Block bruteforce attacks
- # Works against dirbuster, nmap and similar tools.
- #
- #
- # Default values are allowing max 10 connections from a client within 30 seconds
- # Please adjust these values for your server environment
- #
- # Based on: https://rudd-o.com/linux-and-free-software/a-better-way-to-block-brute-force-attacks-on-your-ssh-server
-
- # If you need to enable this for specific TCP ports, add the following parameter:
- # -m multiport --dports 80
-
- -A INPUT -p tcp -m tcp -m state --state NEW -m recent --set --name BRUTEFORCE --rsource
- #-A INPUT -p tcp -m tcp -m multiport --dports 80 -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j LOG --log-prefix "Brute force attack detected "
- -A INPUT -p tcp -m tcp -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j REJECT --reject-with tcp-reset
-
- ###############################
- # Allow incoming SSH connections
- #
-
- -A INPUT -p tcp --dport 765 -m state --state NEW -j ACCEPT
- #-A OUTPUT -p tcp --sport 765 -m state --state NEW -j ACCEPT
-
- ###############################
- # Allow incoming HTTP/HTTPS connections
- #
-
- -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
- #-A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT
-
- ###############################
- # Allow established and related connections
- #
-
- -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- #-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- ###############################
-
- COMMIT
-
- # END OF FIREWALL RULES
|
