Example iptables firewall #security

Blogs Networking
Posted 2022-04-23 19:12:48
0
6K

Use at your own risk.  There are probably better ways to do this, and I use this (and more)....you may want to open or close more ports depending on what you want to do.

### 1: Drop invalid packets ### 
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  

### 2: Drop TCP packets that are new and are not SYN ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 
 
### 3: Drop SYN packets with suspicious MSS value ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  

### 4: Block packets with bogus TCP flags ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  

### 5
### 6: Drop ICMP (you usually don't need this protocol) ### 
/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP  
# sudo iptables -A OUTPUT -p icmp –icmp-type echo-reply -j DROP

### 7: Drop fragments in all chains ### 
/sbin/iptables -t mangle -A PREROUTING -f -j DROP  

### 8: Limit connections per source IP ### 
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  

### 9: Limit RST packets ### 
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  

### 10: Limit new TCP connections per second per source IP ### 
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP  

### 11: Use SYNPROXY on all ports (disables connection limiting rule) ### 
# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section

### SSH brute-force protection ### 
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP  

### Protection against port scanning ### 
/sbin/iptables -N port-scanning 
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN 
/sbin/iptables -A port-scanning -j DROP

iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 4,5,8 -j DROP

iptables -t mangle -A PREROUTING  -p tcp  -m multiport --dports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p tcp  -m multiport --dports 24:36 -j DROP
iptables -t mangle -A PREROUTING -p tcp  -m multiport --dports 38:52 -j DROP
iptables -t mangle -A PREROUTING  -p tcp  -m multiport --dports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p tcp  -m multiport --dports 82:122 -j DROP
iptables -t mangle -A PREROUTING -p tcp  -m multiport --dports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p udp  -m multiport --dports 4,5,8 -j DROP

iptables -t mangle -A PREROUTING  -p udp  -m multiport --dports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p udp  -m multiport --dports 23:52 -j DROP

iptables -t mangle -A PREROUTING  -p udp  -m multiport --dports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p udp  -m multiport  --dports 81:122 -j DROP
iptables -t mangle -A PREROUTING -p udp  -m multiport  --dports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports 4,5,8 -j DROP
iptables -t mangle -A PREROUTING  -p tcp  -m multiport --sports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p tcp  -m multiport --sports 24:36 -j DROP
iptables -t mangle -A PREROUTING -p tcp  -m multiport --sports 38:52 -j DROP
iptables -t mangle -A PREROUTING  -p tcp  -m multiport --sports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p tcp  -m multiport --sports 82:122 -j DROP
iptables -t mangle -A PREROUTING -p tcp  -m multiport --sports 124:442 -j DROP
iptables -t mangle -A PREROUTING -p udp  -m multiport --sports 4,5,8 -j DROP

iptables -t mangle -A PREROUTING  -p udp  -m multiport --sports 10:18 -j DROP

iptables -t mangle -A PREROUTING -p udp  -m multiport --sports 23:52 -j DROP

iptables -t mangle -A PREROUTING  -p udp  -m multiport --sports 54:79 -j DROP

iptables -t mangle -A PREROUTING -p udp  -m multiport  --sports 81:122 -j DROP
iptables -t mangle -A PREROUTING -p udp  -m multiport  --sports 124:442 -j DROP

 

 

 

Like
Love
2
Vă rugăm să vă autentificați pentru a vă dori, partaja și comenta!
Sponsor

We are 100% funded for October.

Thanks to everyone who helped out. 🥰

Xephula monthly operating expenses for 2024 - Server: $143/month - Backup Software: $6/month - Object Storage: $6/month - SMTP Service: $10/month - Stripe Processing Fees: ~$10/month - Total: $175/month

Xephula Funding Meter

Please Donate Here

Căutare
Categorii
Citeste mai mult
Alte
Arbitration Awards will be Confirmed Absent Obvious Error
Insurance Settlement’s Arbitration Provision Resolves Disputes Regarding Asbestos Claims...
By Barry Zalma 2021-05-05 12:39:06 0 5K
Politics
HUGE! Attorney Sidney Powell CONFIRMS Alleged Dominion Servers in Germany Were Confiscated — VIDEO
Last week Rep. Louie Gohmert told Chris Salcedo on Newsmax that people on the ground in Germany...
By Meme King 2020-11-19 22:48:10 0 5K
Politics
CALIFORNIA SENATOR REPLACEMENT
DOES GOVERNOR NEWSOM REALLY BELIEVE AN OUTSIDER OF CALIFORNIA IS THE RIGHT CHOICE FOR CALIFORNIA?...
By Just Plain LLOYD 2023-10-02 18:28:50 0 8K
Home
A LOT OF DISTRUCTION THIS YEAR
HURRICANES WILL DO A LOT OF DAMAGE THIS YEAR AND IT WILL BE CAUSED BY OUR STAR
By Nibbie Chase 2020-05-31 12:56:11 0 4K
Alte
Arsonist Must Serve Full Sentence
Chutzpah: Serial Arsonist & Insurance Fraudster Requests Shortened Sentence Read the...
By Barry Zalma 2024-06-20 13:32:20 0 1K
© 2024 XEPHULA Romaian
English Arabic French Spanish Portuguese Deutsch Turkish Dutch Italiano Russian Romaian Portuguese (Brazil) Greek
FAQ Contact About Termeni Confidențialitate Director