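*filter
# Filter-table ruleset in iptables-save format (load with iptables-restore).
# Base policy: default-deny inbound and forwarded traffic, allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Don't attempt to firewall internal traffic on the loopback device.
-A INPUT -i lo -j ACCEPT
# Continue connections that are already established or related to an established
# connection.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Drop non-conforming packets, such as malformed headers, etc.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Block remote packets claiming to be from a loopback address.
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# Drop all packets that are going to a broadcast, multicast or anycast address.
# The -4 prefix makes ip6tables-restore skip these IPv4-only rules; the loopback
# and ICMP rules elsewhere in this file carry no such prefix, so it presumably
# targets iptables-restore only — keep a separate ruleset for IPv6.
-4 -A INPUT -m addrtype --dst-type BROADCAST -j DROP
-4 -A INPUT -m addrtype --dst-type MULTICAST -j DROP
-4 -A INPUT -m addrtype --dst-type ANYCAST -j DROP
-4 -A INPUT -d 224.0.0.0/4 -j DROP
# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host, then drops
# incoming connections from that host. Beyond a burst of 100 connections we
# log at most 1 attempt per second to prevent filling of logs.
-N SSHBRUTE
-A SSHBRUTE -m recent --name SSH --set
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT
# Chain for preventing ping flooding - up to 6 pings per second from a single
# source, again with log limiting. Also prevents us from ICMP REPLY flooding
# some victim when replying to ICMP ECHO from a spoofed source.
-N ICMPFLOOD
-A ICMPFLOOD -m recent --set --name ICMP --rsource
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
-A ICMPFLOOD -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic.
# NOTE(review): this unconditional ACCEPT (and the ACCEPT policy above) means the
# more specific OUTPUT rules further down are never reached; they are kept for
# the day the policy is tightened.
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
# Only the initial SYN of a NEW connection is accepted; later packets are covered
# by the RELATED,ESTABLISHED rule above.
-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT
#-A INPUT -p tcp --dport 8080 -j ACCEPT
# Allows SMTP access
# Disabled !
#-A INPUT -p tcp --dport 25 -j ACCEPT
#-A INPUT -p tcp --dport 465 -j ACCEPT
#-A INPUT -p tcp --dport 587 -j ACCEPT
# Allows pop and pops connections
# Disabled !
# -A INPUT -p tcp --dport 110 -j ACCEPT
# -A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
# Disabled
#-A INPUT -p tcp --dport 143 -j ACCEPT
#-A INPUT -p tcp --dport 993 -j ACCEPT
# DNS - open to every source.
# NOTE(review): appropriate for an authoritative server only; if this host runs a
# recursive resolver, restrict the source range, as open recursive resolvers can
# be abused for reflection/amplification.
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# NTP Server - open to every source.
# NOTE(review): if this host does not need to serve time to the Internet, restrict
# the source range for the same reflection reason as DNS.
-A INPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p udp --sport 123 -j ACCEPT
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
# brute-force attacks.
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
# git-daemon
# Match the HTTP rule: accept only the initial SYN of a NEW connection so that a
# mid-stream packet without a conntrack entry cannot be admitted as NEW.
-A INPUT -p tcp -m tcp --dport 9418 --syn -m conntrack --ctstate NEW -j ACCEPT
# jekyll (port 4000 is its development-server default)
# NOTE(review): this is exposed to every source; confirm that is intended on a
# public host.
-A INPUT -p tcp -m tcp --dport 4000 --syn -m conntrack --ctstate NEW -j ACCEPT
# Permit useful ICMP packet types for IPv4
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing of even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not by hiding.
# Type 0 (echo-reply): replies to our own pings already match RELATED,ESTABLISHED
# above, so this line additionally admits unsolicited replies.
-A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
# Permit ICMP echo requests (ping) and use ICMPFLOOD chain for preventing ping
# flooding.
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
# Allow ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log iptables denied calls (rate-limited; --log-level 7 is "debug", so make sure
# the syslog configuration actually stores that level).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT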