Example iptables firewall #security

Use at your own risk. There are probably better ways to do this, and I use this (and more)... you may want to open or close more ports depending on what you want to do.

### 1: Drop invalid packets ### 
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  

### 2: Drop TCP packets that are new and are not SYN ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 
 
### 3: Drop SYN packets with suspicious MSS value ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  

### 4: Block packets with bogus TCP flags ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  

### 5
### 6: Drop ICMP (you usually don't need this protocol) ### 
# Caveat: this also drops "fragmentation needed" (type 3, code 4) messages, which breaks path MTU discovery.
/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP
# Alternative (disabled): suppress only outbound echo replies instead of all ICMP
# sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

### 7: Drop fragments in all chains ### 
/sbin/iptables -t mangle -A PREROUTING -f -j DROP  

### 8: Limit connections per source IP ### 
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  

### 9: Limit RST packets ### 
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  

### 10: Limit new TCP connections per second per source IP ### 
# Note: -m limit keeps a single global counter, so this caps new connections host-wide,
# not per source IP as the heading suggests (a per-source cap needs -m hashlimit --hashlimit-mode srcip).
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

### 11: Use SYNPROXY on all ports (disables connection limiting rule) ### 
# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section

### SSH brute-force protection ### 
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP  

### Protection against port scanning ### 
# Note: as written, nothing jumps to this chain, so it has no effect until a rule in INPUT
# sends traffic to it with -j port-scanning.
/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP

### Drop unused low ports (destination and source, TCP and UDP) ### 
# These mangle PREROUTING rules match every incoming packet regardless of conntrack state,
# so the --sports rules also drop replies to connections this host opens to those remote
# ports (e.g. TCP 25 falls inside 24:36). Ports left out of the ranges (e.g. 22, 53, 80,
# 123 and everything above 442) stay reachable.
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 4,5,8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 10:18 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 24:36 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 38:52 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 54:79 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 82:122 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 124:442 -j DROP

/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --dports 4,5,8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --dports 10:18 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --dports 23:52 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --dports 54:79 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --dports 81:122 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --dports 124:442 -j DROP

/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 4,5,8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 10:18 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 24:36 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 38:52 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 54:79 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 82:122 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 124:442 -j DROP

/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --sports 4,5,8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --sports 10:18 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --sports 23:52 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --sports 54:79 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --sports 81:122 -j DROP
/sbin/iptables -t mangle -A PREROUTING -p udp -m multiport --sports 124:442 -j DROP
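To see exactly what this port list leaves reachable, and to catch rules that never take effect, here is an added audit script (my example, not part of the original post) that parses a constructed excerpt of the rules above: it expands each multiport DROP into a port set and reports the ports up to 442 that remain open per protocol, and it flags user chains created with -N that nothing jumps to.

```python
# Offline audit of the post's rule list (added example, not part of the post).
# RULES is a constructed excerpt: the port-scanning chain plus the TCP/UDP
# destination-port DROP rules (the --sports rules have the same layout).
import re

RULES = """
/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 4,5,8 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 10:18 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 24:36 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 38:52 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 54:79 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 82:122 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --dports 4,5,8 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --dports 10:18 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --dports 23:52 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --dports 54:79 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --dports 81:122 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --dports 124:442 -j DROP
"""

PORT_RULE = re.compile(r"-p (tcp|udp) -m multiport --(dports|sports) (\S+) -j DROP")

def parse_ports(spec):
    """Expand a multiport spec such as '4,5,8' or '10:18' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def open_ports(rules, proto, direction):
    """Ports up to the highest blocked one that no DROP rule covers, i.e. still reachable."""
    blocked = set()
    for m in PORT_RULE.finditer(rules):
        if m.group(1) == proto and m.group(2) == direction:
            blocked |= parse_ports(m.group(3))
    return sorted(set(range(1, max(blocked, default=0) + 1)) - blocked)

def unreferenced_chains(rules):
    """User chains created with -N that no '-j <chain>' ever targets (dead rules)."""
    created = set(re.findall(r"-N (\S+)", rules))
    return sorted(created - set(re.findall(r"-j (\S+)", rules)))

if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, "dports still reachable:", open_ports(RULES, proto, "dports"))
    print("chains never jumped to:", unreferenced_chains(RULES))
```

Running it shows that TCP 23, 37 and 81 stay reachable while the UDP ranges close them, and that port-scanning is defined but never used.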