Update iptables ruleset

master
Pekka Helenius 5 years ago
committed by GitHub
parent
commit
faff811a37
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 47 additions and 40 deletions
  1. +47
    -40
      other/iptables.rules

@ -1,13 +1,15 @@
############################### ###############################
# SIMPLE FIREWALL RULES FOR IPTABLES # SIMPLE FIREWALL RULES FOR IPTABLES
# #
# By Pekka Helenius (~Fincer), 2018
# #
# These rules are intended to be used # These rules are intended to be used
# without UFW. If you have additional
# firewall settings in your system/iptables,
# take care adapting these rules in to your
# current firewall ruleset.
# without other firewalls such as UFW.
# If you have additional firewall settings
# in your system/iptables, take care adapting
# these rules in to your current firewall ruleset.
#
# It is highly recommended to remove all conflicting
# firewall configuration
# #
# I do not take responsibility of breaking # I do not take responsibility of breaking
# your working firewall configuration! # your working firewall configuration!
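Review bot: the rewritten usage note still carries the typo "take care adapting these rules in to your current firewall ruleset" ("in to" should be "into"), and the new sentence "It is highly recommended to remove all conflicting firewall configuration" is missing its closing period. Since the header now states that the rules are meant to be used without UFW or another firewall, it would help to say how a reader checks for an existing ruleset before loading this one, for example by inspecting the output of `iptables-save` or `iptables -S` first.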
@ -19,14 +21,13 @@
# A) do not respond to incoming ping requests # A) do not respond to incoming ping requests
# Can be used as a replacement for sysctl 'net.ipv4.icmp_echo_ignore_all=1' setting # Can be used as a replacement for sysctl 'net.ipv4.icmp_echo_ignore_all=1' setting
# #
# B) drop all incoming traffic by default, except for
# SSH, HTTP and HTTPS protocols
# B) Reject connection if connection cycle is too intense
# from one client. This setting may be useful against all kind of intense brute force
# attacks.
# #
# C) start dropping packets if connection cycle is too intense
# from one client. This setting may be useful against port scanners.
# C) drop all incoming traffic by default, except for
# SSH, HTTP and HTTPS protocols
# #
# Ruleset C) by Anthony Maro:
# https://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans
# #
############ ############
# #
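Review bot: the new B) description says "Reject connection if connection cycle is too intense", which conflicts with the policy comment further down in this same file that tells the reader not to use REJECT because it answers hostile clients; either describe the behaviour as dropping here or state explicitly that the brute-force rule is an intended exception. "all kind of intense brute force attacks" should read "all kinds of". Also, the removed "Ruleset C) by Anthony Maro" line was the only attribution in the header; the replacement brute-force rule credits rudd-o.com only in the body, so consider listing that source here too so the header stays a complete list of origins.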
@ -53,7 +54,7 @@
# HTTP: 80 # HTTP: 80
# HTTPS: 443 # HTTPS: 443
# #
# Default setting for C) is 10 maximum connection attempts in 30 seconds
# Default setting for bruteforce prevention is 10 maximum connection attempts in 30 seconds
# Adapt the values to your server environment. # Adapt the values to your server environment.
# #
# 5) Save this file to /etc/iptables/iptables.rules # 5) Save this file to /etc/iptables/iptables.rules
@ -79,6 +80,7 @@
# #
# https://www.thegeekstuff.com/scripts/iptables-rules # https://www.thegeekstuff.com/scripts/iptables-rules
# https://gist.github.com/thomasfr/9712418 # https://gist.github.com/thomasfr/9712418
# http://blog.sevagas.com/?Iptables-firewall-versus-nmap-and,31
# #
############################### ###############################
# #
@ -88,76 +90,81 @@
*filter *filter
############################### ###############################
# DEFAULT POLICY FOR THIS CHAIN - DROP ALL INPUT TRAFFIC
#
# THIS IS A DANGEROUS SETTING. IF YOU DROP ALL INCOMING
# CONNECTIONS, MAKE SURE YOU HAVE ACCEPTED AT LEAST SSH CONNECTION INPUT BELOW
# OTHERWISE YOU WILL BE LOCKED OUT FROM THE SERVER!
# Default policy for this chain - drop all input traffic
# This is a dangerous setting. If you drop all incoming connections,
# make sure you have accepted at least incoming SSH connection below.
# Otherwise you will be locked out from the server!
# #
# DO NOT USE 'REJECT' BECAUSE IT GIVES A RESPONSE TO A HOSTILE CLIENTS (PORT SCANNERS)
# INSTEAD, DROP INCOMING PACKETS AND DO NOT GIVE RESPONSE AT ALL
# Do not use 'REJECT' because it gives a response to hostile clients such
# as bruteforcers and port scanners. Instead, drop incoming packets
# and do not give reponse at all.
# #
-P INPUT DROP -P INPUT DROP
############################### ###############################
# WE ARE NOT A ROUTER, WE DROP ALL (NON-EXISTENT) FORWARD CONNECTIONS
# We are not a router, we drop all (non-existent) forward connections
# #
-P FORWARD DROP -P FORWARD DROP
############################### ###############################
# BY DEFAULT, ALL OUTGOING TRAFFIC FROM THE SERVER IS ACCEPTED
# By default, all outgoing traffic from the server is accepted
# #
-P OUTPUT ACCEPT -P OUTPUT ACCEPT
############################### ###############################
# DROP ALL INCOMING PING REQUESTS
# Drop all incoming ping requests
# #
-A INPUT -p icmp --icmp-type echo-request -j DROP -A INPUT -p icmp --icmp-type echo-request -j DROP
############################### ###############################
# ALLOW LOOPBACK CONNECTIONS
# Allow loopback connections
# #
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
#-A OUTPUT -o lo -j ACCEPT #-A OUTPUT -o lo -j ACCEPT
############################### ###############################
# ALLOW INCOMING SSH CONNECTIONS
# Block bruteforce attacks
# Works against dirbuster, nmap and similar tools.
# #
#
# Default values are allowing max 10 connections from a client within 30 seconds
# Please adjust these values for your server environment
#
# Based on: https://rudd-o.com/linux-and-free-software/a-better-way-to-block-brute-force-attacks-on-your-ssh-server
# If you need to enable this for specific TCP ports, add the following parameter:
# -m multiport --dports 80
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
#-A OUTPUT -p tcp --sport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m recent --set --name BRUTEFORCE --rsource
#-A INPUT -p tcp -m tcp -m multiport --dports 80 -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j LOG --log-prefix "Brute force attack detected "
-A INPUT -p tcp -m tcp -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j REJECT --reject-with tcp-reset
###############################
# Allow incoming SSH connections
#
-A INPUT -p tcp --dport 765 -m state --state NEW -j ACCEPT
#-A OUTPUT -p tcp --sport 765 -m state --state NEW -j ACCEPT
############################### ###############################
# ALLOW INCOMING HTTP/HTTPS CONNECTIONS
# Allow incoming HTTP/HTTPS connections
# #
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
#-A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT #-A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT
############################### ###############################
# ALLOW ESTABLISHED AND RELATED CONNECTIONS
# Allow established and related connections
# #
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT #-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
###############################
# RULESET C)
#
# IF 10 NEW CONNECTIONS TO ANY PORT WITHIN 30 SECONDS IS REQUESTED BY A CLIENT, START DROPPING PACKETS FOR THE CLIENT
#
# SHOULD FREEZE NMAP AND OTHER PORT SCANNERS
#
# Source: https://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans
-A INPUT -i $IFACE -p tcp -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i $IFACE -p tcp -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
############################### ###############################
COMMIT COMMIT
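Review bot: the new rule `-A INPUT -p tcp -m tcp -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j REJECT --reject-with tcp-reset` contradicts the comment a few lines above it ("Do not use 'REJECT' because it gives a response to hostile clients such as bruteforcers and port scanners"); a TCP reset tells a scanner the host is up and filtering, so either use `-j DROP` here or reword the comment to explain why a reset is wanted for this rule. Two further points on the same block: the `--set` and `--rcheck` rules sit before the HTTP/HTTPS accept and count new connections to every port together, so a browser opening several parallel HTTP/1.1 connections and reloading can reach 10 new connections within 30 seconds and be reset; scoping the counter with the `-m multiport --dports` hint already in the comment, or raising the threshold for 80,443, would avoid cutting off legitimate web clients. The `--rcheck` rule also lacks `-m state --state NEW`, so once a source is listed its established packets are reset as well, which may be intended but should be stated in the comment. The SSH accept moves from port 22 to 765 without a mention in the commit message or in the port list in the header; document the non-standard port, since the header still simply says "SSH". The LOG rule is left commented out; enabling it with `-m limit` would give operators visibility into which clients were blocked, which otherwise look identical to a dead service. Finally, dropping the old `-i $IFACE` rules is a real fix, as iptables-restore does not expand shell variables, so those lines would not have loaded as written.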