Example iptables firewall #security

Posted 2022-04-23 19:12:48

783

Use at your own risk. There are probably better ways to do this, and I use this (and more)....you may want to open or close more ports depending on what you want to do.

### 1: Drop invalid packets ###
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

### 2: Drop TCP packets that are new and are not SYN ###
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

### 3: Drop SYN packets with suspicious MSS value ###
/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

### 4: Block packets with bogus TCP flags ###
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

### 5
### 6: Drop ICMP (you usually don't need this protocol) ###
/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP
# sudo iptables -A OUTPUT -p icmp –icmp-type echo-reply -j DROP

### 7: Drop fragments in all chains ###
/sbin/iptables -t mangle -A PREROUTING -f -j DROP

### 8: Limit connections per source IP ###
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

### 9: Limit RST packets ###
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

### 10: Limit new TCP connections per second per source IP ###
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section

### SSH brute-force protection ###
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

### Protection against port scanning ###
/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP

iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 4,5,8 -j DROP

iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 24:36 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 38:52 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 82:122 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --dports 4,5,8 -j DROP

iptables -t mangle -A PREROUTING -p udp -m multiport --dports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p udp -m multiport --dports 23:52 -j DROP

iptables -t mangle -A PREROUTING -p udp -m multiport --dports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p udp -m multiport --dports 81:122 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --dports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 4,5,8 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 24:36 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 38:52 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 82:122 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --sports 4,5,8 -j DROP

iptables -t mangle -A PREROUTING -p udp -m multiport --sports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p udp -m multiport --sports 23:52 -j DROP

iptables -t mangle -A PREROUTING -p udp -m multiport --sports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p udp -m multiport --sports 81:122 -j DROP
iptables -t mangle -A PREROUTING -p udp -m multiport --sports 124:442 -j DROP

#security_#network_#iptables

Please log in to like, share and comment!