Example iptables firewall #security

0
6χλμ.

Use at your own risk.  There are probably better ways to do this, and I use this (and more)....you may want to open or close more ports depending on what you want to do.

### 1: Drop invalid packets ### 
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  

### 2: Drop TCP packets that are new and are not SYN ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 
 
### 3: Drop SYN packets with suspicious MSS value ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  

### 4: Block packets with bogus TCP flags ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  

### 5
### 6: Drop ICMP (you usually don't need this protocol) ### 
/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP  
# sudo iptables -A OUTPUT -p icmp –icmp-type echo-reply -j DROP

### 7: Drop fragments in all chains ### 
/sbin/iptables -t mangle -A PREROUTING -f -j DROP  

### 8: Limit connections per source IP ### 
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  

### 9: Limit RST packets ### 
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  

### 10: Limit new TCP connections per second per source IP ### 
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP  

### 11: Use SYNPROXY on all ports (disables connection limiting rule) ### 
# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section

### SSH brute-force protection ### 
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP  

### Protection against port scanning ### 
/sbin/iptables -N port-scanning 
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN 
/sbin/iptables -A port-scanning -j DROP

iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 4,5,8 -j DROP

iptables -t mangle -A PREROUTING  -p tcp  -m multiport --dports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p tcp  -m multiport --dports 24:36 -j DROP
iptables -t mangle -A PREROUTING -p tcp  -m multiport --dports 38:52 -j DROP
iptables -t mangle -A PREROUTING  -p tcp  -m multiport --dports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p tcp  -m multiport --dports 82:122 -j DROP
iptables -t mangle -A PREROUTING -p tcp  -m multiport --dports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p udp  -m multiport --dports 4,5,8 -j DROP

iptables -t mangle -A PREROUTING  -p udp  -m multiport --dports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p udp  -m multiport --dports 23:52 -j DROP

iptables -t mangle -A PREROUTING  -p udp  -m multiport --dports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p udp  -m multiport  --dports 81:122 -j DROP
iptables -t mangle -A PREROUTING -p udp  -m multiport  --dports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 4,5,8 -j DROP
iptables -t mangle -A PREROUTING  -p tcp  -m multiport --sports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p tcp  -m multiport --sports 24:36 -j DROP
iptables -t mangle -A PREROUTING -p tcp  -m multiport --sports 38:52 -j DROP
iptables -t mangle -A PREROUTING  -p tcp  -m multiport --sports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p tcp  -m multiport --sports 82:122 -j DROP
iptables -t mangle -A PREROUTING -p tcp  -m multiport --sports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p udp  -m multiport --sports 4,5,8 -j DROP

iptables -t mangle -A PREROUTING  -p udp  -m multiport --sports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p udp  -m multiport --sports 23:52 -j DROP

iptables -t mangle -A PREROUTING  -p udp  -m multiport --sports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p udp  -m multiport  --sports 81:122 -j DROP
iptables -t mangle -A PREROUTING -p udp  -m multiport  --sports 124:442 -j DROP

 

 

 

Like
Love
2
Προωθημένο

We are 100% funded for October.

Thanks to everyone who helped out. 🥰

Xephula monthly operating expenses for 2024 - Server: $143/month - Backup Software: $6/month - Object Storage: $6/month - SMTP Service: $10/month - Stripe Processing Fees: ~$10/month - Total: $175/month

Xephula Funding Meter

Please Donate Here

Αναζήτηση
Κατηγορίες
Διαβάζω περισσότερα
άλλο
- Lock-down rebellion may be part of a plan to generate a larger body count
The Satan Worshiping Globalist Cult Jumped On The Pandemic Bandwagon Because It's Too Tempting...
από KIRK TRIMBLE 2020-05-27 00:42:25 0 7χλμ.
άλλο
Steelements and the Ethical Obligations of Lawyers
A Video Explaining the Ethical Requirements on a Lawyer to Settle Read the full article at...
από Barry Zalma 2021-10-27 13:07:38 0 4χλμ.
Politics
"So let it be written! So let it be done!"
For someone who didn’t live through the era, it may be difficult to understand the...
από Ronnie James 2020-10-11 21:48:36 2 10χλμ.
άλλο
The Danger of Suing Defense Counsel Hired by Insurer for Malpractice
Insurers Must Careful When Considering Suing Counsel Appointed to Defend an Insured Read the full...
από Barry Zalma 2021-01-06 14:07:56 0 3χλμ.
Crime
Barry Zalma Will Speak at the California Conference of Arson Investigators Fall Seminar
Barry Zalma Will Speak at the California Conference of Arson Investigators Fall Seminar on taking...
από Barry Zalma 2023-09-11 14:01:04 0 5χλμ.