###############################
# SIMPLE FIREWALL RULES FOR IPTABLES
#
#
# These rules are intended to be used
# without other firewalls such as UFW. 
# If you have additional firewall settings
# in your system/iptables, take care adapting 
# these rules in to your current firewall ruleset.
#
# It is highly recommended to remove all conflicting
# firewall configuration
#
# I do not take responsibility of breaking
# your working firewall configuration!
#
############
#
# The rules in this file do the following:
#
# A) do not respond to incoming ping requests
# Can be used as a replacement for sysctl 'net.ipv4.icmp_echo_ignore_all=1' setting
#
# B) Reject connection if connection cycle is too intense
# from one client. This setting may be useful against all kind of intense brute force
# attacks.
#
# C) drop all incoming traffic by default, except for
# SSH, HTTP and HTTPS protocols
#
#
############
#
# INSTALLATION
#
# NOTE: Intended to be used without UFW or any other
# firewall settings!!
#
# 1) Recommended: Remove existing firewall front-ends such as UFW from your system 
#
# 2) Delete all previous firewall rules by issuing
#    sudo iptables --flush && sudo iptables --delete-chain
#
# 3) Check output of 'iptables -S'. It should be
#    -P INPUT ACCEPT
#    -P FORWARD ACCEPT
#    -P OUTPUT ACCEPT
#
# 4) In this file, change SSH, HTTP and HTTPS port numbers to fit your server environment
#
#    Default values are:
#
#        SSH: 22
#        HTTP: 80
#        HTTPS: 443
#
# Default setting for bruteforce prevention is 10 maximum connection attempts in 30 seconds
# Adapt the values to your server environment.
#
# 5) Save this file to /etc/iptables/iptables.rules
#
# 6) Check that it is used by 'iptables-restore' command
#
# In systemd environments, check the value of 'ExecStart' and 'ExecReload'
# in file /lib/systemd/system/iptables.service. The entries should be as follows:
#
#    ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
#    ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
#
# 7) Once you have double-checked that the parameters in this file are correct (step 4), run
#    sudo iptables-restore /etc/iptables/iptables.rules
#    sudo systemctl enable iptables && sudo systemctl start iptables
#
# 8) Check that the rules have been applied:
#    sudo iptables -S
#
#
###############################
# USEFUL LINKS
#
# https://www.thegeekstuff.com/scripts/iptables-rules
# https://gist.github.com/thomasfr/9712418
# http://blog.sevagas.com/?Iptables-firewall-versus-nmap-and,31
#
###############################
#
# BEGINNING OF FIREWALL RULES
#

*filter

###############################
# Default policy for this chain - drop all input traffic
# This is a dangerous setting. If you drop all incoming connections,
# make sure you have accepted at least incoming SSH connection below.
# Otherwise you will be locked out from the server!
#
# Do not use 'REJECT' because it gives a response to hostile clients such
# as bruteforcers and port scanners. Instead, drop incoming packets
# and do not give reponse at all.
#

-P INPUT DROP

###############################
# We are not a router, we drop all (non-existent) forward connections
#

-P FORWARD DROP

###############################
# By default, all outgoing traffic from the server is accepted
#

-P OUTPUT ACCEPT

###############################
# Drop all incoming ping requests
#

-A INPUT -p icmp --icmp-type echo-request -j DROP

###############################
# Allow loopback connections
#

-A INPUT -i lo -j ACCEPT
#-A OUTPUT -o lo -j ACCEPT

###############################
# Block bruteforce attacks
# Works against agressive scanning techniques possibly used by dirbuster, nmap and similar tools.
# Please note that the following ruleset is tested only on a small server with low traffic.
# 
# Default values are allowing max 10 connections from a client within 30 seconds
# Please adjust these values for your server environment
#
# Based on: https://rudd-o.com/linux-and-free-software/a-better-way-to-block-brute-force-attacks-on-your-ssh-server

# If you need to enable this for specific TCP ports, add the following parameter:
# -m multiport --dports 80

-A INPUT -p tcp -m tcp -m state --state NEW -m recent --set --name BRUTEFORCE --rsource
#-A INPUT -p tcp -m tcp -m multiport --dports 80 -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j LOG --log-prefix "Brute force attack detected "
-A INPUT -p tcp -m tcp -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j REJECT --reject-with tcp-reset

############################### 
# Allow incoming SSH connections
#

-A INPUT -p tcp --dport 765 -m state --state NEW -j ACCEPT
#-A OUTPUT -p tcp --sport 765 -m state --state NEW -j ACCEPT

###############################
# Allow incoming HTTP/HTTPS connections
#

-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
#-A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT

###############################
# Allow established and related connections
#

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

###############################

COMMIT

# END OF FIREWALL RULES