###############################
# SIMPLE FIREWALL RULES FOR IPTABLES
#
#
# These rules are intended to be used
# without other firewalls such as UFW.
# If you have additional firewall settings
# in your system/iptables, take care adapting
# these rules into your current firewall ruleset.
#
# It is highly recommended to remove all conflicting
# firewall configuration.
#
# NOTE: iptables filters IPv4 only. This file does nothing for IPv6.
# If the host has a global IPv6 address, load equivalent rules with
# ip6tables-restore (or disable IPv6); otherwise every port stays
# reachable over IPv6 no matter what is configured here.
#
# I do not take responsibility for breaking
# your working firewall configuration!
#
############
#
# The rules in this file do the following:
#
# A) Do not respond to incoming ping requests.
# Can be used as a replacement for the sysctl setting 'net.ipv4.icmp_echo_ignore_all=1'.
# This only hides the host from naive ping sweeps; it does not make open
# ports any harder to find. ICMP errors that belong to accepted connections
# (e.g. fragmentation-needed for path MTU discovery) are still let in as RELATED.
#
# B) Rate-limit new TCP connections per client address. A source that opens
# more than a set number of new connections within a time window has its
# further connection attempts reset. This slows down all kinds of brute-force
# and scanning tools; it does not stop a tool that keeps its rate below the limit.
#
# C) Drop all incoming traffic by default, except for
# the SSH, HTTP and HTTPS ports.
#
############
#
# INSTALLATION
#
# NOTE: Intended to be used without UFW or any other
# firewall settings!!
#
# 1) Recommended: Remove existing firewall front-ends such as UFW from your system.
#
# 2) Delete all previous firewall rules. Set the default policies to ACCEPT
# first: flushing only removes rules, not policies, so if a chain policy is
# already DROP the flush alone would cut off your SSH session.
#
# sudo iptables -P INPUT ACCEPT && sudo iptables -P FORWARD ACCEPT && sudo iptables -P OUTPUT ACCEPT
# sudo iptables --flush && sudo iptables --delete-chain
#
# 3) Check the output of 'sudo iptables -S'. It should be
#
# -P INPUT ACCEPT
# -P FORWARD ACCEPT
# -P OUTPUT ACCEPT
#
# 4) In this file, change the SSH, HTTP and HTTPS port numbers to fit your server environment.
#
# The rules below use:
#
# SSH: 765 (a non-standard port, used here as an example; the standard port is 22.
# Use whatever 'Port' is set to in /etc/ssh/sshd_config, or you will be
# locked out the moment the rules are loaded.)
# HTTP: 80
# HTTPS: 443
#
# The default setting for brute-force prevention is a maximum of 10 new
# connections from one client within 30 seconds. Keep in mind that web
# browsers open several parallel connections per page and that many users
# can share one address behind NAT, so on a web server 10 in 30 seconds is
# easy to reach with legitimate traffic. Adapt the values to your server
# environment, or restrict the rate limit to the SSH port (see the rules section).
#
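#
# The script below is an editorial example, not part of the original ruleset.
# It simulates the 'recent' match window used by the BRUTEFORCE rules so you
# can try '--seconds' and '--hitcount' values against your own traffic before
# loading them: every new TCP connection appends a timestamp to the client's
# entry (the --set rule), and that same packet is then reset if at least
# HITCOUNT timestamps, including its own, fall within the last SECONDS
# seconds (the --rcheck rule). The connection timestamps are constructed, and
# whole seconds are used where the kernel counts in jiffies.
#

```bash
#!/usr/bin/env bash
# recent-window.sh - simulate 'iptables -m recent --rcheck --seconds S --hitcount H'
# over a list of new-connection timestamps (seconds, non-decreasing) from ONE client.
# Editorial example; not part of the iptables ruleset itself.
set -eu

# recent_rcheck SECONDS HITCOUNT T1 T2 ... Tn
# Prints the 1-based number of the first connection the rule would reset,
# or 0 if the client never trips it. The --set rule runs before --rcheck,
# so the current connection's own timestamp is counted as well.
recent_rcheck() {
    local seconds=$1 hitcount=$2
    shift 2
    local -a stamps=("$@")
    local i j hits
    for ((i = 0; i < ${#stamps[@]}; i++)); do
        hits=0
        for ((j = 0; j <= i; j++)); do
            # xt_recent counts a stamp if it is younger than SECONDS
            # (strictly less), so a stamp exactly SECONDS old has expired
            if (( stamps[i] - stamps[j] < seconds )); then
                hits=$((hits + 1))
            fi
        done
        if (( hits >= hitcount )); then
            echo $((i + 1))
            return 0
        fi
    done
    echo 0
}

# scenario LABEL SECONDS HITCOUNT T1 ... Tn  -> one human-readable line
scenario() {
    local label=$1
    shift
    local n hit
    n=$(( $# - 2 ))
    hit=$(recent_rcheck "$@")
    if [ "$hit" -eq 0 ]; then
        printf '%-44s %2d connections: never reset\n' "$label" "$n"
    else
        printf '%-44s %2d connections: connection #%d is reset\n' "$label" "$n" "$hit"
    fi
}

# Constructed traffic patterns, checked against the file's defaults (30 s, 10 hits)
scenario "SSH brute force, 1 attempt per second"       30 10 0 1 2 3 4 5 6 7 8 9 10 11
scenario "browser: 6 parallel conns, next click at 20s" 30 10 0 0 0 0 0 0 20 20 20 20 20 20
scenario "slow nmap, one probe every 4 s"              30 10 0 4 8 12 16 20 24 28 32 36 40 44
scenario "9 conns, pause exactly 30 s, 4 more"         30 10 0 0 0 0 0 0 0 0 0 30 30 30 30
```

# The second scenario is the one to watch on a web server: a single visitor
# who loads one page and clicks a link within 30 seconds is reset, while the
# slow scanner in the third scenario never is. Raise '--hitcount', shorten
# '--seconds', or limit the rules to the SSH port if that matches your traffic.
#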
# 5) Save this file to /etc/iptables/iptables.rules
#
# 6) Check that it is used by the 'iptables-restore' command.
#
# In systemd environments, check the values of 'ExecStart' and 'ExecReload'
# in the file /lib/systemd/system/iptables.service. The entries should be as follows:
#
# ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
# ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
#
# (This is the layout of the Arch Linux iptables package. Debian and Ubuntu
# ship netfilter-persistent instead, which loads /etc/iptables/rules.v4 and
# /etc/iptables/rules.v6; save the file there and use 'netfilter-persistent reload'.)
#
# 7) Once you have double-checked that the parameters in this file are correct (step 4),
# syntax-check the file without loading it, then load it:
#
# sudo iptables-restore --test /etc/iptables/iptables.rules
# sudo iptables-restore /etc/iptables/iptables.rules
# sudo systemctl enable iptables && sudo systemctl start iptables
#
# Keep a second SSH session open while doing this and do not close it until
# you have confirmed that a fresh SSH login still works.
#
# 8) Check that the rules have been applied:
#
# sudo iptables -S
#
#
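#
# The script below is an editorial example and not part of the original file.
# It wraps steps 5 to 8 so that a wrong SSH port cannot lock you out: it reads
# the port from sshd_config, refuses to load a ruleset that does not ACCEPT
# that port, syntax-checks the file with 'iptables-restore --test', loads it,
# and restores the previous ruleset unless you confirm within a timeout.
# Assumptions: the rules file gives ports as '--dport N' or
# '-m multiport --dports a,b,c' (port ranges are not parsed), and sshd_config
# sets its port with a plain 'Port' directive (no ListenAddress host:port,
# no Include).
#

```bash
#!/usr/bin/env bash
# safe-apply.sh - load an iptables rules file without locking yourself out.
# Editorial example, not part of the original ruleset.
#
#   sudo ./safe-apply.sh --apply [RULES_FILE] [TIMEOUT_SECONDS]
#
# Sourcing the file only defines the functions (handy for testing).
set -eu

# sshd_port [SSHD_CONFIG]
# Prints the port from the last uncommented 'Port' directive, default 22.
# Assumption: ListenAddress host:port and Include'd files are not handled.
sshd_port() {
    local cfg=${1:-/etc/ssh/sshd_config} port
    port=$(awk 'tolower($1) == "port" { p = $2 } END { print p }' "$cfg")
    echo "${port:-22}"
}

# rules_accept_tcp_port RULES_FILE PORT
# Succeeds if RULES_FILE contains an INPUT ACCEPT rule for TCP PORT, given
# either as '--dport PORT' or as a member of '-m multiport --dports a,b,c'.
# Assumption: port ranges (a:b) and negation (! --dport) are not parsed.
rules_accept_tcp_port() {
    local file=$1 port=$2
    awk -v port="$port" '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) found = 1
                if ($i == "--dports") {
                    n = split($(i + 1), list, ",")
                    for (k = 1; k <= n; k++) if (list[k] == port) found = 1
                }
            }
        }
        END { if (found) exit 0; exit 1 }' "$file"
}

# preflight RULES_FILE [SSHD_CONFIG]
# Fails before anything is loaded if the ruleset would cut off SSH.
preflight() {
    local file=$1 port
    port=$(sshd_port "${2:-/etc/ssh/sshd_config}")
    if ! rules_accept_tcp_port "$file" "$port"; then
        echo "refusing: $file has no INPUT ACCEPT rule for sshd port $port" >&2
        return 1
    fi
    # parse and build the ruleset without committing it (catches typos)
    iptables-restore --test "$file"
}

# apply_with_rollback RULES_FILE [TIMEOUT_SECONDS]
# Loads the file, then restores the previous ruleset unless 'yes' is typed
# in time. If the new rules killed this SSH session, nobody can answer and
# the old rules come back automatically after the timeout.
apply_with_rollback() {
    local file=$1 timeout=${2:-30} backup answer=""
    backup=$(mktemp)
    iptables-save > "$backup"
    iptables-restore "$file"     # replaces the filter table atomically
    iptables -S
    echo "Rules loaded. Type 'yes' within ${timeout}s to keep them."
    if read -r -t "$timeout" answer && [ "$answer" = "yes" ]; then
        rm -f "$backup"
        echo "Kept. Enable at boot with: systemctl enable --now iptables"
        return 0
    fi
    iptables-restore "$backup"
    echo "No confirmation: previous ruleset restored (backup kept in $backup)" >&2
    return 1
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    preflight "${2:-/etc/iptables/iptables.rules}"
    apply_with_rollback "${2:-/etc/iptables/iptables.rules}" "${3:-30}"
fi
```

# Run it from the SSH session you want to protect; if that session freezes,
# the timeout in 'read -t' expires and the saved ruleset is restored. Debian's
# 'iptables-apply' does the same confirm-or-rollback dance if it is available.
#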
###############################
# USEFUL LINKS
#
# https://www.thegeekstuff.com/scripts/iptables-rules
# https://gist.github.com/thomasfr/9712418
# http://blog.sevagas.com/?Iptables-firewall-versus-nmap-and,31
#
###############################
#
# BEGINNING OF FIREWALL RULES
#

*filter

###############################
# Default policy for the INPUT chain - drop all input traffic
#
# This is a dangerous setting. If you drop all incoming connections,
# make sure you have accepted at least incoming SSH connections below,
# on the port your sshd really listens on.
# Otherwise you will be locked out of the server!
#
# DROP is used instead of REJECT so that hostile clients such as
# brute-forcers and port scanners get no response at all and have to
# wait for their own timeouts. The one deliberate exception is the
# brute-force rule further down, which answers with a TCP reset so that
# a rate-limited client fails fast; change its target to DROP if you
# prefer silence there as well.
#
# Remember that these rules are IPv4 only (see the notes at the top).
#

-P INPUT DROP

###############################
# We are not a router, we drop all (non-existent) forward connections
#

-P FORWARD DROP

###############################
# By default, all outgoing traffic from the server is accepted
#

-P OUTPUT ACCEPT

###############################
# Allow loopback connections
#

-A INPUT -i lo -j ACCEPT

###############################
# Allow established and related connections
#
# This rule comes first on purpose: packets of connections that were
# already accepted (and ICMP errors related to them, such as
# fragmentation-needed for path MTU discovery) are let through without
# passing the brute-force bookkeeping below, which only needs to see
# new connections.
#

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

###############################
# Drop all incoming ping requests
#
# Only echo-request is dropped here. Other unsolicited ICMP is dropped
# by the INPUT policy; ICMP related to accepted connections was already
# accepted above.
#

-A INPUT -p icmp --icmp-type echo-request -j DROP

###############################
# Rate-limit new connections per client (brute-force protection)
#
# Slows down dirbuster, nmap and similar tools that open many connections
# in a short time. It does not stop them: a scanner that keeps its rate
# under the limit (e.g. nmap with a slow timing template) is not affected,
# and a client that hits the limit only has to wait 30 seconds.
#
# How it works: the first rule records the source address of every new
# TCP connection in the 'recent' list BRUTEFORCE. The second rule matches
# a new connection whose source already has 10 or more entries within the
# last 30 seconds and answers it with a TCP reset. It is restricted to
# NEW connections so that sessions already accepted above are not reset.
# '--rttl' additionally requires the packet's TTL to match the one
# recorded, so that nobody can get a third party blocked by sending
# packets with a spoofed source address.
#
# Default values allow max 10 new connections from one client within 30
# seconds. Please adjust these values for your server environment:
# - browsers open several parallel connections per page and NAT puts many
#   users behind one address, so 10/30 is tight for an HTTP/HTTPS server
# - the number of timestamps remembered per address is bounded by the
#   xt_recent module parameter ip_pkt_list_tot (default 20); older
#   kernels reject a larger '--hitcount'
# - the list holds ip_list_tot (default 100) addresses; on a busy server
#   the least recently seen entries are evicted before 30 seconds pass
#
# To limit the check to specific TCP ports (e.g. SSH only), add
#   -m multiport --dports 765
# to both rules below.
#
# Based on: https://rudd-o.com/linux-and-free-software/a-better-way-to-block-brute-force-attacks-on-your-ssh-server
#

-A INPUT -p tcp -m conntrack --ctstate NEW -m recent --set --name BRUTEFORCE --rsource

# Optional: log clients that hit the limit (uncomment; same match as the rule below)
#-A INPUT -p tcp -m conntrack --ctstate NEW -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j LOG --log-prefix "Brute force attack detected "

-A INPUT -p tcp -m conntrack --ctstate NEW -m recent --rcheck --seconds 30 --hitcount 10 --rttl --name BRUTEFORCE --rsource -j REJECT --reject-with tcp-reset

###############################
# Allow incoming SSH connections
#
# 765 is an example of a non-standard port. Set it to the 'Port' value
# from /etc/ssh/sshd_config (22 by default).
#

-A INPUT -p tcp --dport 765 -m conntrack --ctstate NEW -j ACCEPT

###############################
# Allow incoming HTTP/HTTPS connections
#

-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

###############################
# No OUTPUT rules are needed while the OUTPUT policy is ACCEPT. If you
# change that policy to DROP, at least these two are required, otherwise
# the server cannot even answer the connections accepted above:
#
#-A OUTPUT -o lo -j ACCEPT
#-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#

###############################

COMMIT

# END OF FIREWALL RULES