
@googkhan
Forked from jirutka/rules-both.iptables
Created July 24, 2019 20:22

Revisions

  1. @jirutka jirutka revised this gist Jan 27, 2014. 3 changed files with 256 additions and 49 deletions.
    205 changes: 205 additions & 0 deletions rules-both.iptables
    @@ -0,0 +1,205 @@
    ###############################################################################
    # The MIT License
    #
    # Copyright 2012-2014 Jakub Jirutka <[email protected]>.
    #
    # Permission is hereby granted, free of charge, to any person obtaining a copy
    # of this software and associated documentation files (the "Software"), to deal
    # in the Software without restriction, including without limitation the rights
    # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    # copies of the Software, and to permit persons to whom the Software is
    # furnished to do so, subject to the following conditions:
    #
    # The above copyright notice and this permission notice shall be included in
    # all copies or substantial portions of the Software.
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    # THE SOFTWARE.
    #

    ###############################################################################
    #
    # Basic ip(6)tables (both IPv4 and IPv6) template for an ordinary servers
    #
    # This file is in iptables-restore (ip6tables-restore) format. See the man
    # pages for iptables-restore (ip6tables-restore). Rules that should be loaded
    # only by iptables (ip6tables) uses the -4 (-6) option.
    #
    # The following is a set of firewall rules that should be applicable to Linux
    # servers running within departments. It is intended to provide a useful
    # starting point from which to devise a comprehensive firewall policy for
    # a host.
    #
    # Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
    # populated with rules specific to particular hosts. The optional part 4 is
    # prepared for a NAT rules, e.g. for port forwarding, redirect, masquerade...
    #
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # For the newest version go to https://gist.github.com/jirutka/3742890.
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.3.1
    # @date 2014-01-28
    #

    ###############################################################################
    # 1. COMMON HEADER #
    # #
    # This section is a generic header that should be suitable for most hosts. #
    ###############################################################################

    *filter

    # Base policy
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]

    # Don't attempt to firewall internal traffic on the loopback device.
    -A INPUT -i lo -j ACCEPT

    # Continue connections that are already established or related to an established
    # connection.
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Drop non-conforming packets, such as malformed headers, etc.
    -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Block remote packets claiming to be from a loopback address.
    -4 -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
    -6 -A INPUT -s ::1/128 ! -i lo -j DROP

    # Drop all packets that are going to broadcast, multicast or anycast address.
    -4 -A INPUT -m addrtype --dst-type BROADCAST -j DROP
    -4 -A INPUT -m addrtype --dst-type MULTICAST -j DROP
    -4 -A INPUT -m addrtype --dst-type ANYCAST -j DROP
    -4 -A INPUT -d 224.0.0.0/4 -j DROP

    # Chain for preventing SSH brute-force attacks.
    # Permits 10 new connections within 5 minutes from a single host then drops
    # incomming connections from that host. Beyond a burst of 100 connections we
    # log at up 1 attempt per second to prevent filling of logs.
    -N SSHBRUTE
    -A SSHBRUTE -m recent --name SSH --set
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
    -A SSHBRUTE -j ACCEPT

    # Chain for preventing ping flooding - up to 6 pings per second from a single
    # source, again with log limiting. Also prevents us from ICMP REPLY flooding
    # some victim when replying to ICMP ECHO from a spoofed source.
    -N ICMPFLOOD
    -A ICMPFLOOD -m recent --set --name ICMP --rsource
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
    -A ICMPFLOOD -j ACCEPT


    ###############################################################################
    # 2. HOST SPECIFIC RULES #
    # #
    # This section is a good place to enable your host-specific services. #
    ###############################################################################

    # Accept HTTP and HTTPS
    #-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT

    # Accept FTP only for IPv4
    #-4 -A INPUT -p tcp --dport 21 --syn -m conntrack --ctstate NEW -j ACCEPT


    ###############################################################################
    # 3. GENERAL RULES #
    # #
    # This section contains general rules that should be suitable for most hosts. #
    ###############################################################################

    # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
    # brute-force attacks.
    -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

    # Permit useful IMCP packet types for IPv4
    # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
    # Blocking these can make diagnosing of even simple faults much more tricky.
    # Real security lies in locking down and hardening all services, not by hiding.
    -4 -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
    -4 -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
    -4 -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT

    # Permit needed ICMP packet types for IPv6 per RFC 4890.
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
    -6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
    -6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
    -6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
    -6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
    -6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
    -6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
    -6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT

    # Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
    # flooding.
    -4 -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
    -6 -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD

    # Do not log packets that are going to ports used by SMB
    # (Samba / Windows Sharing).
    -A INPUT -p udp -m multiport --dports 135,445 -j DROP
    -A INPUT -p udp --dport 137:139 -j DROP
    -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
    -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

    # Do not log packets that are going to port used by UPnP protocol.
    -A INPUT -p udp --dport 1900 -j DROP

    # Do not log late replies from nameservers.
    -A INPUT -p udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast.
    -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files.
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "

    COMMIT


    ###############################################################################
    # 4. HOST SPECIFIC NAT RULES #
    # #
    # Uncomment this section if you want to use NAT table, e.g. for port #
    # forwarding, redirect, masquerade... If you want to load this section only #
    # for IPv4 and ignore for IPv6, use ip6tables-restore with -T filter. #
    ###############################################################################

    #*nat

    # Base policy
    #:PREROUTING ACCEPT [0:0]
    #:POSTROUTING ACCEPT [0:0]
    #:OUTPUT ACCEPT [0:0]

    # Redirect port 21 to local port 2121
    #-A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 2121

    # Forward port 8080 to port 80 on host 192.168.1.10
    #-4 -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80

    #COMMIT
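Review bot: the echo-reply rule `-4 -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT` in section 3 only ever admits unsolicited replies, because replies to this host's own pings already match the `--ctstate RELATED,ESTABLISHED` accept in section 1; either drop the type-0 line or add a comment saying that unsolicited replies are accepted on purpose. While the file is new, the comments also carry a few typos worth fixing: "incomming", "IMCP" (twice), "explicately", and "an ordinary servers" in the header, which should read "an ordinary server".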
    37 changes: 19 additions & 18 deletions rules-ipv4.iptables
    @@ -38,11 +38,13 @@
    # populated with rules specific to particular hosts. The optional part 4 is
    # prepared for a NAT rules, e.g. for port forwarding, redirect, masquerade...
    #
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    # This template is based on http://jdem.cz/v64a3 from University of Leicester.
    #
    # For the newest version go to https://gist.github.com/jirutka/3742890.
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.3
    # @date 2014-01-26
    # @version 1.3.1
    # @date 2014-01-28
    #

    ###############################################################################
    @@ -58,20 +60,20 @@
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]

    # Don't attempt to firewall internal traffic on the loopback device
    # Don't attempt to firewall internal traffic on the loopback device.
    -A INPUT -i lo -j ACCEPT

    # Continue connections that are already established or related to an established
    # connection
    # connection.
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Drop non-conforming packets, such as malformed headers, etc.
    -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Block remote packets claiming to be from a loopback address
    # Block remote packets claiming to be from a loopback address.
    -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

    # Drop all packets that are going to broadcast, multicast or anycast address
    # Drop all packets that are going to broadcast, multicast or anycast address.
    -A INPUT -m addrtype --dst-type BROADCAST -j DROP
    -A INPUT -m addrtype --dst-type MULTICAST -j DROP
    -A INPUT -m addrtype --dst-type ANYCAST -j DROP
    @@ -80,7 +82,7 @@
    # Chain for preventing SSH brute-force attacks.
    # Permits 10 new connections within 5 minutes from a single host then drops
    # incomming connections from that host. Beyond a burst of 100 connections we
    # log at up 1 attempt per second to prevent filling of logs
    # log at up 1 attempt per second to prevent filling of logs.
    -N SSHBRUTE
    -A SSHBRUTE -m recent --name SSH --set
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
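Review bot: the comment block touched here still reads `# incomming connections from that host` and "log at up 1 attempt per second"; since the hunk only adds a trailing period to this block, fix "incoming" and "log at up to 1 attempt" in the same pass.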
    @@ -89,7 +91,7 @@

    # Chain for preventing ping flooding - up to 6 pings per second from a single
    # source, again with log limiting. Also prevents us from ICMP REPLY flooding
    # some victim when replying to ICMP ECHO from a spoofed source
    # some victim when replying to ICMP ECHO from a spoofed source.
    -N ICMPFLOOD
    -A ICMPFLOOD -m recent --set --name ICMP --rsource
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
    @@ -104,9 +106,8 @@
    # ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 ! #
    ###############################################################################

    # Accept worldwide access to HTTP and HTTPS
    # -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
    # Accept HTTP and HTTPS
    #-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT


    ###############################################################################
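Review bot: collapsing the two HTTP/HTTPS rules into `-m multiport --dports 80,443` is equivalent and keeps the `--syn -m conntrack --ctstate NEW` guard, but the unchanged banner line `# ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 ! #` should read "DO NOT FORGET", and the file it names does not exist in this gist (the IPv6 file is rules-ipv6.ip6tables); update the banner while this section is being edited.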
    @@ -119,7 +120,7 @@
    # brute-force attacks.
    -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

    # Permit useful IMCP packet types
    # Permit useful IMCP packet types.
    # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
    # Blocking these can make diagnosing of even simple faults much more tricky.
    # Real security lies in locking down and hardening all services, not by hiding.
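Review bot: `# Permit useful IMCP packet types.` keeps the IMCP/ICMP transposition while only gaining a period; change it to "ICMP".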
    @@ -129,22 +130,22 @@
    -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT

    # Do not log packets that are going to ports used by SMB
    # (Samba / Windows Sharing)
    # (Samba / Windows Sharing).
    -A INPUT -p udp -m multiport --dports 135,445 -j DROP
    -A INPUT -p udp --dport 137:139 -j DROP
    -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
    -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

    # Do not log packets that are going to port used by UPnP protocol
    # Do not log packets that are going to port used by UPnP protocol.
    -A INPUT -p udp --dport 1900 -j DROP

    # Do not log late replies from nameservers
    # Do not log late replies from nameservers.
    -A INPUT -p udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    # Good practise is to explicately reject AUTH traffic so that it fails fast.
    -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    # Prevent DOS by filling log files.
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "

    COMMIT
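Review bot: `# Good practise is to explicately reject AUTH traffic so that it fails fast.` still reads "explicately"; "explicitly" is the intended word (and "practice" the usual spelling). Otherwise the hunk only normalises comment punctuation.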
    63 changes: 32 additions & 31 deletions rules-ipv6.ip6tables
    @@ -37,11 +37,13 @@
    # Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
    # populated with rules specific to particular hosts.
    #
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    # This template is based on http://jdem.cz/v64a3 from University of Leicester.
    #
    # For the newest version go to https://gist.github.com/jirutka/3742890.
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.2.1
    # @date 2014-01-26
    # @version 1.3.1
    # @date 2014-01-28
    #

    ###############################################################################
    @@ -57,23 +59,23 @@
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]

    # Don't attempt to firewall internal traffic on the loopback device
    # Don't attempt to firewall internal traffic on the loopback device.
    -A INPUT -i lo -j ACCEPT

    # Continue connections that are already established or related to an established
    # connection
    # connection.
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Drop non-conforming packets, such as malformed headers, etc.
    -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Block remote packets claiming to be from a loopback address
    # Block remote packets claiming to be from a loopback address.
    -A INPUT -s ::1/128 ! -i lo -j DROP

    # Chain for preventing SSH brute-force attacks.
    # Permits 10 new connections within 5 minutes from a single host then drops
    # incomming connections from that host. Beyond a burst of 100 connections we
    # log at up 1 attempt per second to prevent filling of logs
    # log at up 1 attempt per second to prevent filling of logs.
    -N SSHBRUTE
    -A SSHBRUTE -m recent --name SSH --set
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
    @@ -82,7 +84,7 @@

    # Chain for preventing ping flooding - up to 6 pings per second from a single
    # source, again with log limiting. Also prevents us from ICMP REPLY flooding
    # some victim when replying to ICMP ECHO from a spoofed source
    # some victim when replying to ICMP ECHO from a spoofed source.
    -N ICMPFLOOD
    -A ICMPFLOOD -m recent --set --name ICMP --rsource
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
    @@ -96,9 +98,8 @@
    # This section is a good place to enable your host-specific services. #
    ###############################################################################

    # Accept worldwide access to HTTP and HTTPS
    # -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
    # Accept HTTP and HTTPS
    #-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT


    ###############################################################################
    @@ -111,24 +112,24 @@
    # brute-force attacks.
    -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

    # Permit needed ICMP packet types for IPv6 per RFC 4890
    -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
    # Permit needed ICMP packet types for IPv6 per RFC 4890.
    -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
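Review bot: the ICMPv6 rule lines in this hunk are removed and re-added with identical content (only the heading comment gains a period), which points to a trailing-whitespace or line-ending change rather than a rule change; strip whitespace in a separate commit or regenerate the diff ignoring whitespace so that the actual rule changes in this revision stay reviewable.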
    @@ -137,23 +138,23 @@
    # flooding.
    -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD

    # Do not log packets that are going to ports used by SMB
    # (Samba / Windows Sharing)
    # Do not log packets that are going to ports used by SMB
    # (Samba / Windows Sharing).
    -A INPUT -p udp -m multiport --dports 135,445 -j DROP
    -A INPUT -p udp --dport 137:139 -j DROP
    -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
    -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

    # Do not log packets that are going to port used by UPnP protocol
    # Do not log packets that are going to port used by UPnP protocol.
    -A INPUT -p udp --dport 1900 -j DROP

    # Do not log late replies from nameservers
    # Do not log late replies from nameservers.
    -A INPUT -p udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    # Good practise is to explicately reject AUTH traffic so that it fails fast.
    -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    # Prevent DOS by filling log files.
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "

    COMMIT
  2. @jirutka jirutka revised this gist Jan 25, 2014. 1 changed file with 26 additions and 2 deletions.
    28 changes: 26 additions & 2 deletions rules-ipv4.iptables
    @@ -35,12 +35,13 @@
    # a host.
    #
    # Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
    # populated with rules specific to particular hosts.
    # populated with rules specific to particular hosts. The optional part 4 is
    # prepared for a NAT rules, e.g. for port forwarding, redirect, masquerade...
    #
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.2.1
    # @version 1.3
    # @date 2014-01-26
    #

    @@ -147,3 +148,26 @@
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "

    COMMIT


    ###############################################################################
    # 4. HOST SPECIFIC NAT RULES #
    # #
    # Uncomment this section if you want to use NAT table, e.g. for port #
    # forwarding, redirect, masquerade... #
    ###############################################################################

    #*nat

    # Base policy
    #:PREROUTING ACCEPT [0:0]
    #:POSTROUTING ACCEPT [0:0]
    #:OUTPUT ACCEPT [0:0]

    # Redirect port 21 to local port 2121
    #-A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 2121

    # Forward port 8080 to port 80 on host 192.168.1.10
    #-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80

    #COMMIT
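Review bot: the port-forwarding example `#-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80` will not pass traffic on its own, because the filter table in this same file sets `:FORWARD DROP [0:0]`; a matching FORWARD accept rule for the forwarded flow, plus net.ipv4.ip_forward=1, is also required, and a comment in section 4 saying so would spare users a confusing failure. Both examples also hard-code `eth0`; note that the interface name must be adjusted.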
  3. @jirutka jirutka revised this gist Jan 25, 2014. 2 changed files with 47 additions and 47 deletions.
    30 changes: 15 additions & 15 deletions rules-ipv4.iptables
    @@ -24,7 +24,7 @@

    ###############################################################################
    #
    # Basic iptables/IPv4 template for ordinary servers
    # Basic iptables/IPv4 template for an ordinary servers
    #
    # This file is in iptables-restore format. See the man pages for
    # iptables-restore(8) and iptables-save(8).
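Review bot: the reworded heading `# Basic iptables/IPv4 template for an ordinary servers` introduces a number disagreement; keep the previous "for ordinary servers" or use "for an ordinary server". The same change appears in rules-ipv6.ip6tables in this revision.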
    @@ -40,8 +40,8 @@
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.2
    # @date 2014-01-01
    # @version 1.2.1
    # @date 2014-01-26
    #

    ###############################################################################
    @@ -104,8 +104,8 @@
    ###############################################################################

    # Accept worldwide access to HTTP and HTTPS
    # -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT


    ###############################################################################
    @@ -116,32 +116,32 @@

    # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
    # brute-force attacks.
    -A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
    -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

    # Permit useful IMCP packet types
    # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
    # Blocking these can make diagnosing of even simple faults much more tricky.
    # Real security lies in locking down and hardening all services, not by hiding.
    -A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
    -A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
    -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT

    # Do not log packets that are going to ports used by SMB
    # (Samba / Windows Sharing)
    -A INPUT -p udp -m multiport --dports 135,445 -j DROP
    -A INPUT -p udp -m udp --dport 137:139 -j DROP
    -A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
    -A INPUT -p udp --dport 137:139 -j DROP
    -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
    -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

    # Do not log packets that are going to port used by UPnP protocol
    -A INPUT -p udp -m udp --dport 1900 -j DROP
    -A INPUT -p udp --dport 1900 -j DROP

    # Do not log late replies from nameservers
    -A INPUT -p udp -m udp --sport 53 -j DROP
    -A INPUT -p udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    -A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
    -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
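Review bot: dropping the explicit `-m tcp`, `-m udp` and `-m icmp` loaders is behaviour-preserving, since iptables loads the protocol match implicitly when `-p tcp`/`-p udp`/`-p icmp` is combined with `--dport`, `--sport` or `--icmp-type`; a one-line note in the commit or version comment would help readers who compare the file against iptables-save output, which prints the explicit `-m` form.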
    64 changes: 32 additions & 32 deletions rules-ipv6.ip6tables
    @@ -24,7 +24,7 @@

    ###############################################################################
    #
    # Basic ip6tables/IPv6 template for ordinary servers
    # Basic ip6tables/IPv6 template for an ordinary servers
    #
    # This file is in iptables-restore format. See the man pages for
    # ip6tables-restore(8) and ip6tables-save(8).
    @@ -40,8 +40,8 @@
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.2
    # @date 2014-01-01
    # @version 1.2.1
    # @date 2014-01-26
    #

    ###############################################################################
    @@ -97,8 +97,8 @@
    ###############################################################################

    # Accept worldwide access to HTTP and HTTPS
    # -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT


    ###############################################################################
    @@ -109,49 +109,49 @@

    # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
    # brute-force attacks.
    -A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
    -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

    # Permit needed ICMP packet types for IPv6 per RFC 4890
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT

    # Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
    # flooding.
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
    -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD

    # Do not log packets that are going to ports used by SMB
    # (Samba / Windows Sharing)
    -A INPUT -p udp -m multiport --dports 135,445 -j DROP
    -A INPUT -p udp -m udp --dport 137:139 -j DROP
    -A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
    -A INPUT -p udp --dport 137:139 -j DROP
    -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
    -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

    # Do not log packets that are going to port used by UPnP protocol
    -A INPUT -p udp -m udp --dport 1900 -j DROP
    -A INPUT -p udp --dport 1900 -j DROP

    # Do not log late replies from nameservers
    -A INPUT -p udp -m udp --sport 53 -j DROP
    -A INPUT -p udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    -A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
    -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
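Review bot: every rule in this block is appended twice, once with an explicit match module (`-m icmp6`, `-m udp`, `-m tcp`) and once without it, for example `-A INPUT -p udp -m udp --dport 1900 -j DROP` followed by `-A INPUT -p udp --dport 1900 -j DROP`; iptables-restore treats these as two separate rules with identical semantics (the protocol match is auto-loaded from `-p`), so the second copy of each pair is dead and only costs a lookup. If the two forms are meant for different address families, mark them with the `-4` and `-6` selectors that iptables-restore and ip6tables-restore honour (a rule marked for the other family is skipped silently); otherwise keep one form. If this file is loaded by both families, the `ip6tables[DOS]: ` prefix on the final LOG rule will mislabel IPv4 log lines, so a family-neutral prefix is better. Minor: "IMCP" and "explicately" in the comments should read "ICMP" and "explicitly".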
  4. @jirutka jirutka revised this gist Jan 1, 2014. 2 changed files with 40 additions and 10 deletions.
    25 changes: 20 additions & 5 deletions rules-ipv4.iptables
    @@ -1,10 +1,25 @@
    ###############################################################################
    # Copyright 2012-2014 Jakub Jirutka. All rights reserved.
    # The MIT License
    #
    # "THE KOFOLA-WARE LICENSE" (Revision 1):
    # Jakub Jirutka originally wrote this file. As long as you retain this notice you
    # can do whatever you want with this stuff. If we meet some day, and you think
    # this stuff is worth it, you can buy me a Kofola in return. <[email protected]>
    # Copyright 2012-2014 Jakub Jirutka <[email protected]>.
    #
    # Permission is hereby granted, free of charge, to any person obtaining a copy
    # of this software and associated documentation files (the "Software"), to deal
    # in the Software without restriction, including without limitation the rights
    # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    # copies of the Software, and to permit persons to whom the Software is
    # furnished to do so, subject to the following conditions:
    #
    # The above copyright notice and this permission notice shall be included in
    # all copies or substantial portions of the Software.
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    # THE SOFTWARE.
    #

    ###############################################################################
    25 changes: 20 additions & 5 deletions rules-ipv6.ip6tables
    @@ -1,10 +1,25 @@
    ###############################################################################
    # Copyright 2012-2014 Jakub Jirutka. All rights reserved.
    # The MIT License
    #
    # "THE KOFOLA-WARE LICENSE" (Revision 1):
    # Jakub Jirutka originally wrote this file. As long as you retain this notice you
    # can do whatever you want with this stuff. If we meet some day, and you think
    # this stuff is worth it, you can buy me a Kofola in return. <[email protected]>
    # Copyright 2012-2014 Jakub Jirutka <[email protected]>.
    #
    # Permission is hereby granted, free of charge, to any person obtaining a copy
    # of this software and associated documentation files (the "Software"), to deal
    # in the Software without restriction, including without limitation the rights
    # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    # copies of the Software, and to permit persons to whom the Software is
    # furnished to do so, subject to the following conditions:
    #
    # The above copyright notice and this permission notice shall be included in
    # all copies or substantial portions of the Software.
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    # THE SOFTWARE.
    #

    ###############################################################################
  5. @jirutka jirutka revised this gist Jan 1, 2014. 2 changed files with 22 additions and 22 deletions.
    26 changes: 13 additions & 13 deletions rules-ipv4.iptables
    @@ -1,5 +1,5 @@
    ###############################################################################
    # Copyright 2012 Jakub Jirutka. All rights reserved.
    # Copyright 2012-2014 Jakub Jirutka. All rights reserved.
    #
    # "THE KOFOLA-WARE LICENSE" (Revision 1):
    # Jakub Jirutka originally wrote this file. As long as you retain this notice you
    @@ -25,8 +25,8 @@
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.1
    # @date 2012-10-05
    # @version 1.2
    # @date 2014-01-01
    #

    ###############################################################################
    @@ -47,10 +47,10 @@

    # Continue connections that are already established or related to an established
    # connection
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Drop non-conforming packets, such as malformed headers, etc.
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Block remote packets claiming to be from a loopback address
    -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
    @@ -89,8 +89,8 @@
    ###############################################################################

    # Accept worldwide access to HTTP and HTTPS
    # -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT


    ###############################################################################
    @@ -101,16 +101,16 @@

    # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
    # brute-force attacks.
    -A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
    -A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

    # Permit useful IMCP packet types
    # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
    # Blocking these can make diagnosing of even simple faults much more tricky.
    # Real security lies in locking down and hardening all services, not by hiding.
    -A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
    -A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
    -A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT

    # Do not log packets that are going to ports used by SMB
    # (Samba / Windows Sharing)
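Review bot: the four ICMP rules match `--ctstate NEW`, which for type 0 (echo reply), 3 (destination unreachable) and 11 (time exceeded) selects unsolicited packets only: replies and errors that belong to a flow this host opened are already classified ESTABLISHED or RELATED and pass the `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rule higher in the chain. Accepting echo replies nobody asked for has no diagnostic value, so the type 0 rule can go; unsolicited type 3 and 11 errors (those whose quoted inner packet matches no tracked flow) are harmless but rarely useful either, and the comment should say that they are accepted deliberately. The `-m state` to `-m conntrack` migration itself preserves behaviour, since `state` is a thin wrapper over the same conntrack lookup, so no reordering is needed.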
    @@ -126,7 +126,7 @@
    -A INPUT -p udp -m udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    -A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
    -A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
    18 changes: 9 additions & 9 deletions rules-ipv6.ip6tables
    @@ -1,5 +1,5 @@
    ###############################################################################
    # Copyright 2012 Jakub Jirutka. All rights reserved.
    # Copyright 2012-2014 Jakub Jirutka. All rights reserved.
    #
    # "THE KOFOLA-WARE LICENSE" (Revision 1):
    # Jakub Jirutka originally wrote this file. As long as you retain this notice you
    @@ -25,8 +25,8 @@
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.1
    # @date 2012-10-05
    # @version 1.2
    # @date 2014-01-01
    #

    ###############################################################################
    @@ -47,10 +47,10 @@

    # Continue connections that are already established or related to an established
    # connection
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Drop non-conforming packets, such as malformed headers, etc.
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Block remote packets claiming to be from a loopback address
    -A INPUT -s ::1/128 ! -i lo -j DROP
    @@ -82,8 +82,8 @@
    ###############################################################################

    # Accept worldwide access to HTTP and HTTPS
    # -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT


    ###############################################################################
    @@ -94,7 +94,7 @@

    # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
    # brute-force attacks.
    -A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
    -A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

    # Permit needed ICMP packet types for IPv6 per RFC 4890
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    @@ -136,7 +136,7 @@
    -A INPUT -p udp -m udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    -A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
    -A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
  6. @jirutka jirutka revised this gist Oct 5, 2012. 2 changed files with 40 additions and 17 deletions.
    30 changes: 23 additions & 7 deletions rules-ipv4.iptables
    @@ -25,8 +25,8 @@
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.0
    # @date 2012-09-18
    # @version 1.1
    # @date 2012-10-05
    #

    ###############################################################################
    @@ -55,13 +55,19 @@
    # Block remote packets claiming to be from a loopback address
    -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

    # Drop all packets that are going to broadcast, multicast or anycast address
    -A INPUT -m addrtype --dst-type BROADCAST -j DROP
    -A INPUT -m addrtype --dst-type MULTICAST -j DROP
    -A INPUT -m addrtype --dst-type ANYCAST -j DROP
    -A INPUT -d 224.0.0.0/4 -j DROP

    # Chain for preventing SSH brute-force attacks.
    # Permits 10 new connections within 5 minutes from a single host then drops
    # incomming connections from that host. Beyond a burst of 100 connections we
    # log at up 1 attempt per second to prevent filling of logs
    -N SSHBRUTE
    -A SSHBRUTE -m recent --name SSH --set
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
    -A SSHBRUTE -j ACCEPT

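Review bot: the BROADCAST, MULTICAST and ANYCAST drops sit in the common header ahead of every service rule, so a host-specific service that depends on multicast or broadcast (mDNS, VRRP, OSPF) cannot simply be enabled in section 2; its ACCEPT would have to be inserted above these lines, and a comment saying so would spare the next editor a confusing debugging session. `-A INPUT -d 224.0.0.0/4 -j DROP` duplicates `-m addrtype --dst-type MULTICAST`, which already classifies 224.0.0.0/4 as multicast, so one of the two can be dropped; ANYCAST is never assigned by the IPv4 stack, so that rule is a harmless no-op.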
    @@ -70,7 +76,7 @@
    # some victim when replying to ICMP ECHO from a spoofed source
    -N ICMPFLOOD
    -A ICMPFLOOD -m recent --set --name ICMP --rsource
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
    -A ICMPFLOOD -j ACCEPT

    @@ -106,13 +112,23 @@
    -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
    -A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT

    # May not want to log late replies from nameservers
    # Do not log packets that are going to ports used by SMB
    # (Samba / Windows Sharing)
    -A INPUT -p udp -m multiport --dports 135,445 -j DROP
    -A INPUT -p udp -m udp --dport 137:139 -j DROP
    -A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
    -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

    # Do not log packets that are going to port used by UPnP protocol
    -A INPUT -p udp -m udp --dport 1900 -j DROP

    # Do not log late replies from nameservers
    -A INPUT -p udp -m udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    -A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "

    COMMIT
    COMMIT
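Review bot: the catch-all `-m limit --limit 1/second --limit-burst 100 -j LOG` is one global token bucket, so a single chatty source can exhaust it and dropped packets from every other source go unlogged; `-m hashlimit --hashlimit-upto 1/second --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name input-drop` gives each source its own budget at the cost of a small hash table. The new `iptables[DOS]: ` prefix is a real improvement for log parsing. The SMB, UPnP and DNS silent drops above it are otherwise indistinguishable from the chain policy and easy to delete by mistake, so the comments explaining that they exist only to keep noise out of the log should stay; note in particular that `-A INPUT -p udp -m udp --sport 53 -j DROP` matches on source port alone and therefore discards any unsolicited UDP packet with source port 53 whatever its destination, which is the intent (late resolver replies) but is worth stating.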
    27 changes: 17 additions & 10 deletions rules-ipv6.ip6tables
    @@ -25,8 +25,8 @@
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.0
    # @date 2012-09-18
    # @version 1.1
    # @date 2012-10-05
    #

    ###############################################################################
    @@ -61,7 +61,7 @@
    # log at up 1 attempt per second to prevent filling of logs
    -N SSHBRUTE
    -A SSHBRUTE -m recent --name SSH --set
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
    -A SSHBRUTE -j ACCEPT

    @@ -70,7 +70,7 @@
    # some victim when replying to ICMP ECHO from a spoofed source
    -N ICMPFLOOD
    -A ICMPFLOOD -m recent --set --name ICMP --rsource
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
    -A ICMPFLOOD -j ACCEPT

    @@ -85,9 +85,6 @@
    # -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT

    # Accept limited access to Munin from hosts on CVUT network
    # -A INPUT -s 147.32.0.0/15 -p tcp -m tcp --dport 4949 --syn -m state --state NEW -j ACCEPT


    ###############################################################################
    # 3. GENERAL RULES #
    @@ -125,13 +122,23 @@
    # flooding.
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD

    # May not want to log late replies from campus nameservers
    # Do not log packets that are going to ports used by SMB
    # (Samba / Windows Sharing)
    -A INPUT -p udp -m multiport --dports 135,445 -j DROP
    -A INPUT -p udp -m udp --dport 137:139 -j DROP
    -A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
    -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

    # Do not log packets that are going to port used by UPnP protocol
    -A INPUT -p udp -m udp --dport 1900 -j DROP

    # Do not log late replies from nameservers
    -A INPUT -p udp -m udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    -A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "

    COMMIT
    COMMIT
  7. @jirutka jirutka created this gist Sep 18, 2012.
    118 changes: 118 additions & 0 deletions rules-ipv4.iptables
    @@ -0,0 +1,118 @@
    ###############################################################################
    # Copyright 2012 Jakub Jirutka. All rights reserved.
    #
    # "THE KOFOLA-WARE LICENSE" (Revision 1):
    # Jakub Jirutka originally wrote this file. As long as you retain this notice you
    # can do whatever you want with this stuff. If we meet some day, and you think
    # this stuff is worth it, you can buy me a Kofola in return. <[email protected]>
    #

    ###############################################################################
    #
    # Basic iptables/IPv4 template for ordinary servers
    #
    # This file is in iptables-restore format. See the man pages for
    # iptables-restore(8) and iptables-save(8).
    #
    # The following is a set of firewall rules that should be applicable to Linux
    # servers running within departments. It is intended to provide a useful
    # starting point from which to devise a comprehensive firewall policy for
    # a host.
    #
    # Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
    # populated with rules specific to particular hosts.
    #
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.0
    # @date 2012-09-18
    #

    ###############################################################################
    # 1. COMMON HEADER #
    # #
    # This section is a generic header that should be suitable for most hosts. #
    ###############################################################################

    *filter

    # Base policy
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]

    # Don't attempt to firewall internal traffic on the loopback device
    -A INPUT -i lo -j ACCEPT

    # Continue connections that are already established or related to an established
    # connection
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Drop non-conforming packets, such as malformed headers, etc.
    -A INPUT -m state --state INVALID -j DROP

    # Block remote packets claiming to be from a loopback address
    -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

    # Chain for preventing SSH brute-force attacks.
    # Permits 10 new connections within 5 minutes from a single host then drops
    # incomming connections from that host. Beyond a burst of 100 connections we
    # log at up 1 attempt per second to prevent filling of logs
    -N SSHBRUTE
    -A SSHBRUTE -m recent --name SSH --set
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
    -A SSHBRUTE -j ACCEPT

    # Chain for preventing ping flooding - up to 6 pings per second from a single
    # source, again with log limiting. Also prevents us from ICMP REPLY flooding
    # some victim when replying to ICMP ECHO from a spoofed source
    -N ICMPFLOOD
    -A ICMPFLOOD -m recent --set --name ICMP --rsource
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
    -A ICMPFLOOD -j ACCEPT


    ###############################################################################
    # 2. HOST SPECIFIC RULES #
    # #
    # This section is a good place to enable your host-specific services. #
    # ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 ! #
    ###############################################################################

    # Accept worldwide access to HTTP and HTTPS
    # -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT


    ###############################################################################
    # 3. GENERAL RULES #
    # #
    # This section contains general rules that should be suitable for most hosts. #
    ###############################################################################

    # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
    # brute-force attacks.
    -A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE

    # Permit useful IMCP packet types
    # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
    # Blocking these can make diagnosing of even simple faults much more tricky.
    # Real security lies in locking down and hardening all services, not by hiding.
    -A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
    -A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT

    # May not want to log late replies from nameservers
    -A INPUT -p udp -m udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    -A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG

    COMMIT
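Review bot: the section 2 banner tells the reader to copy rules to `firewall.ip6tables`, but the IPv6 file in this gist is `rules-ipv6.ip6tables`; fix the name so the reminder points at a file that exists. The SSHBRUTE comment should also say that the 5-minute window is a trailing one: `-m recent --name SSH --set` records every SYN, including those the chain drops a line later, so a source stays blocked for as long as it keeps producing ten or more attempts per trailing 300 seconds and is not released five minutes after its first attempt; and because the `recent` list is keyed on source address, clients behind one NAT share a single budget. The final `-j LOG` has no `--log-prefix`, which makes these entries hard to tell apart from other kernel messages. Typos in the comments: "incomming", "IMCP", "explicately", "DO NOT FORGOT".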
    137 changes: 137 additions & 0 deletions rules-ipv6.ip6tables
    @@ -0,0 +1,137 @@
    ###############################################################################
    # Copyright 2012 Jakub Jirutka. All rights reserved.
    #
    # "THE KOFOLA-WARE LICENSE" (Revision 1):
    # Jakub Jirutka originally wrote this file. As long as you retain this notice you
    # can do whatever you want with this stuff. If we meet some day, and you think
    # this stuff is worth it, you can buy me a Kofola in return. <[email protected]>
    #

    ###############################################################################
    #
    # Basic ip6tables/IPv6 template for ordinary servers
    #
    # This file is in iptables-restore format. See the man pages for
    # ip6tables-restore(8) and ip6tables-save(8).
    #
    # The following is a set of firewall rules that should be applicable to Linux
    # servers running within departments. It is intended to provide a useful
    # starting point from which to devise a comprehensive firewall policy for
    # a host.
    #
    # Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
    # populated with rules specific to particular hosts.
    #
    # This template is based on http://jdem.cz/v64a3 from University of Leicester
    #
    # @author Jakub Jirutka <[email protected]>
    # @version 1.0
    # @date 2012-09-18
    #

    ###############################################################################
    # 1. COMMON HEADER #
    # #
    # This section is a generic header that should be suitable for most hosts. #
    ###############################################################################

    *filter

    # Base policy
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]

    # Don't attempt to firewall internal traffic on the loopback device
    -A INPUT -i lo -j ACCEPT

    # Continue connections that are already established or related to an established
    # connection
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Drop non-conforming packets, such as malformed headers, etc.
    -A INPUT -m state --state INVALID -j DROP

    # Block remote packets claiming to be from a loopback address
    -A INPUT -s ::1/128 ! -i lo -j DROP

    # Chain for preventing SSH brute-force attacks.
    # Permits 10 new connections within 5 minutes from a single host then drops
    # incomming connections from that host. Beyond a burst of 100 connections we
    # log at up 1 attempt per second to prevent filling of logs
    -N SSHBRUTE
    -A SSHBRUTE -m recent --name SSH --set
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
    -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
    -A SSHBRUTE -j ACCEPT

    # Chain for preventing ping flooding - up to 6 pings per second from a single
    # source, again with log limiting. Also prevents us from ICMP REPLY flooding
    # some victim when replying to ICMP ECHO from a spoofed source
    -N ICMPFLOOD
    -A ICMPFLOOD -m recent --set --name ICMP --rsource
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
    -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
    -A ICMPFLOOD -j ACCEPT


    ###############################################################################
    # 2. HOST SPECIFIC RULES #
    # #
    # This section is a good place to enable your host-specific services. #
    ###############################################################################

    # Accept worldwide access to HTTP and HTTPS
    # -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT

    # Accept limited access to Munin from hosts on CVUT network
    # -A INPUT -s 147.32.0.0/15 -p tcp -m tcp --dport 4949 --syn -m state --state NEW -j ACCEPT


    ###############################################################################
    # 3. GENERAL RULES #
    # #
    # This section contains general rules that should be suitable for most hosts. #
    ###############################################################################

    # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
    # brute-force attacks.
    -A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE

    # Permit needed ICMP packet types for IPv6 per RFC 4890
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
    -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT

    # Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
    # flooding.
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD

    # May not want to log late replies from campus nameservers
    -A INPUT -p udp -m udp --sport 53 -j DROP

    # Good practise is to explicately reject AUTH traffic so that it fails fast
    -A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset

    # Prevent DOS by filling log files
    -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG

    COMMIT
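Review bot: the commented-out Munin rule uses `-s 147.32.0.0/15`, an IPv4 prefix that ip6tables-restore rejects, so uncommenting it as written would make the whole restore fail; it needs an IPv6 prefix for that network or should be removed from this file. In the RFC 4890 block the NDP types 133 through 137 are accepted from any source; RFC 4861 requires receivers to discard NDP messages whose hop limit is not 255, which the kernel enforces, but adding `-m hl --hl-eq 255` to those five rules makes the on-link-only requirement explicit at the firewall and keeps off-link senders away from the NDP code path altogether. The types 130 through 132 and 143 (MLD) and 151 through 153 (multicast router discovery) are correctly restricted to `fe80::/10`. The section 2 banner here lacks the IPv4 file's reminder to keep the two files in sync.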