Update iptables ruleset

6 years ago · faff811a37
--- a/other/iptables.rules
+++ b/other/iptables.rules
@ -1,13 +1,15 @@
 ###############################
 # SIMPLE FIREWALL RULES FOR IPTABLES
 #
 # By Pekka Helenius (~Fincer), 2018
 #
 # These rules are intended to be used
 # without UFW. If you have additional
 # firewall settings in your system/iptables, 
 # take care adapting these rules in to your 
 # current firewall ruleset.
 # without other firewalls such as UFW. 
 # If you have additional firewall settings
 # in your system/iptables, take care adapting 
 # these rules in to your current firewall ruleset.
 #
 # It is highly recommended to remove all conflicting
 # firewall configuration
 #
 # I do not take responsibility of breaking
 # your working firewall configuration!
@ -19,14 +21,13 @@
 # A) do not respond to incoming ping requests
 # Can be used as a replacement for sysctl 'net.ipv4.icmp_echo_ignore_all=1' setting
 #
 # B) drop all incoming traffic by default, except for
 # SSH, HTTP and HTTPS protocols
 # B) Reject connection if connection cycle is too intense
 # from one client. This setting may be useful against all kind of intense brute force
 # attacks.
 #
 # C) start dropping packets if connection cycle is too intense
 # from one client. This setting may be useful against port scanners.
 # C) drop all incoming traffic by default, except for
 # SSH, HTTP and HTTPS protocols
 #
 # Ruleset C) by Anthony Maro:
 # https://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans
 #
 ############
 #
@ -53,7 +54,7 @@
 #        HTTP: 80
 #        HTTPS: 443
 #
 # Default setting for C) is 10 maximum connection attempts in 30 seconds
 # Default setting for bruteforce prevention is 10 maximum connection attempts in 30 seconds
 # Adapt the values to your server environment.
 #
 # 5) Save this file to /etc/iptables/iptables.rules
@ -79,6 +80,7 @@
 #
 # https://www.thegeekstuff.com/scripts/iptables-rules
 # https://gist.github.com/thomasfr/9712418
 # http://blog.sevagas.com/?Iptables-firewall-versus-nmap-and,31
 #
 ###############################
 #
@ -88,76 +90,81 @@
 *filter
 ###############################
 # DEFAULT POLICY FOR THIS CHAIN - DROP ALL INPUT TRAFFIC
 #
 # THIS IS A DANGEROUS SETTING. IF YOU DROP ALL INCOMING
 # CONNECTIONS, MAKE SURE YOU HAVE ACCEPTED AT LEAST SSH CONNECTION INPUT BELOW
 # OTHERWISE YOU WILL BE LOCKED OUT FROM THE SERVER!
 # Default policy for this chain - drop all input traffic
 # This is a dangerous setting. If you drop all incoming connections,
 # make sure you have accepted at least incoming SSH connection below.
 # Otherwise you will be locked out from the server!
 #
 # DO NOT USE 'REJECT' BECAUSE IT GIVES A RESPONSE TO A HOSTILE CLIENTS (PORT SCANNERS)
 # INSTEAD, DROP INCOMING PACKETS AND DO NOT GIVE RESPONSE AT ALL
 # Do not use 'REJECT' because it gives a response to hostile clients such
 # as bruteforcers and port scanners. Instead, drop incoming packets
 # and do not give reponse at all.
 #
 -P INPUT DROP
 ###############################
 # WE ARE NOT A ROUTER, WE DROP ALL (NON-EXISTENT) FORWARD CONNECTIONS
 # We are not a router, we drop all (non-existent) forward connections
 #
 -P FORWARD DROP
 ###############################
 # BY DEFAULT, ALL OUTGOING TRAFFIC FROM THE SERVER IS ACCEPTED
 # By default, all outgoing traffic from the server is accepted
 #
 -P OUTPUT ACCEPT
 ###############################
 # DROP ALL INCOMING PING REQUESTS
 # Drop all incoming ping requests
 #
 -A INPUT -p icmp --icmp-type echo-request -j DROP
 ###############################
 # ALLOW LOOPBACK CONNECTIONS
 # Allow loopback connections
 #
 -A INPUT -i lo -j ACCEPT
 #-A OUTPUT -o lo -j ACCEPT
 ###############################
 # ALLOW INCOMING SSH CONNECTIONS
 # Block bruteforce attacks
 # Works against dirbuster, nmap and similar tools.
 #
 # 
 # Default values are allowing max 10 connections from a client within 30 seconds
 # Please adjust these values for your server environment
 #
 # Based on: https://rudd-o.com/linux-and-free-software/a-better-way-to-block-brute-force-attacks-on-your-ssh-server
 # If you need to enable this for specific TCP ports, add the following parameter:
 # -m multiport --dports 80
 -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
 #-A OUTPUT -p tcp --sport 22 -m state --state NEW -j ACCEPT
 -A INPUT -p tcp -m tcp -m state --state NEW -m recent --set --name BRUTEFORCE --rsource
 #-A INPUT -p tcp -m tcp -m multiport --dports 80 -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j LOG --log-prefix "Brute force attack detected "
 -A INPUT -p tcp -m tcp -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j REJECT --reject-with tcp-reset
 ############################### 
 # Allow incoming SSH connections
 #
 -A INPUT -p tcp --dport 765 -m state --state NEW -j ACCEPT
 #-A OUTPUT -p tcp --sport 765 -m state --state NEW -j ACCEPT
 ###############################
 # ALLOW INCOMING HTTP/HTTPS CONNECTIONS
 # Allow incoming HTTP/HTTPS connections
 #
 -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
 #-A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT
 ###############################
 # ALLOW ESTABLISHED AND RELATED CONNECTIONS
 # Allow established and related connections
 #
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 #-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 ###############################
 # RULESET C)
 #
 # IF 10 NEW CONNECTIONS TO ANY PORT WITHIN 30 SECONDS IS REQUESTED BY A CLIENT, START DROPPING PACKETS FOR THE CLIENT
 #
 # SHOULD FREEZE NMAP AND OTHER PORT SCANNERS
 #
 # Source: https://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans
 -A INPUT -i $IFACE -p tcp -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
 -A INPUT -i $IFACE -p tcp -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
 ###############################
 COMMIT