Quantcast
Channel: linuxadmin: Expanding Linux SysAdmin knowledge
Viewing all articles
Browse latest Browse all 17828

For your consideration: my strict iptables

April 12, 2014, 9:19 am
$
0
0

*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0]

## Basic ## #Unlimited lo access -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT #Drop sync -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP #Drop Specific IPS -A INPUT -i eth0 -s 23.22.14.163 -j DROP #Drop Fragments -A INPUT -i eth0 -f -j DROP -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP #Drop NULL packets -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets " -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #Drop XMAS -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets " -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #Drop FIN packet scans -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan " -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -j DROP -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP #Log and get rid of broadcast / multicast and invalid -A INPUT -i eth0 -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast " -A INPUT -i eth0 -m pkttype --pkt-type broadcast -j DROP -A INPUT -i eth0 -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast " -A INPUT -i eth0 -m pkttype --pkt-type multicast -j DROP -A INPUT -i eth0 -m state --state INVALID -j LOG --log-prefix " Invalid " -A INPUT -i eth0 -m state --state INVALID -j DROP #allow incoming ICMP ping pong stuff -A INPUT -i eth0 -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec -j ACCEPT -A OUTPUT -o eth0 -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT ## Clients ## #SSH -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT #SMTP -A OUTPUT -o eth0 -p tcp --dport 25 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --sport 25 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT #DNS -A OUTPUT -o eth0 -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT #DHCP -A OUTPUT -o eth0 -p udp --sport 1024:65535 --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p udp --sport 67 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT #HTTP -A OUTPUT -o eth0 -p tcp --dport 80 -d 0/0 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -s 0/0 --dport 1024:65535 --sport 80 -m state --state ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p tcp --dport 443 -d 0/0 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -s 0/0 --dport 1024:65535 --sport 443 -m state --state ESTABLISHED -j ACCEPT #NTP-A INPUT -i eth0 -p udp --sport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p udp --dport 123 -m state --state ESTABLISHED -j ACCEPT #IMAP -A OUTPUT -o eth0 -p tcp --dport 143 -d 0/0 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -s 0/0 --dport 1024:65535 --sport 143 -m state --state ESTABLISHED -j ACCEPT ## Servers ## #SSH -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT #SMTP -A INPUT -i eth0 -p tcp --dport 25 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 25 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --dport 587 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 587 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT #DNS -A INPUT -i eth0 -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -s 54.184.251.162/32 --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p tcp -d 54.184.251.162/32 --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT #HTTP -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT #IMAP -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 143 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 993 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT ####################### # drop and log everything else -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " DEFAULT DROP " -A OUTPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " DEFAULT DROP " -A INPUT -j DROP -A OUTPUT -j DROP -A FORWARD -j DROP COMMIT
submitted by iamakevin
[link][10 comments]
Search
Viewing all articles
Browse latest Browse all 17828

Trending Articles

Scuffham Amps - S-GEAR 2.6.0 VST, AAX, STANDALONE x86 x64 (R2R NO iLok2, +NO...

November 19, 2017, 7:24 am

Practice Sheet of Right form of verbs for HSC Students

September 22, 2019, 11:40 pm

VHSE First (1st) Allotment 2025 - vhscap.kerala.gov.in

May 24, 2025, 11:58 pm

UNIVERSE LEAGUE – UNIVERSE LEAGUE – WAR (We Are Ready) – EP [iTunes Plus M4A]

January 26, 2025, 11:12 am

City Hunter Teledrama – Episode 18 – 07th May 2016

May 6, 2016, 2:05 pm

Comment on Proposed Criteria for Identifying Predatory Conferences by Luke...

July 4, 2016, 3:53 am

Bureau of Internal Revenue: Regional Offices (Directory)

January 9, 2014, 11:06 pm

Kendrick Lamar – Not Like Us (2024) [24Bit-88.2kHz] [PMEDIA] ⭐️

May 14, 2024, 7:14 pm

Inception 2010 Hindi Dual Audio 650MB BRRip 720p ESubs HEVC

December 27, 2016, 4:23 pm

East Hull MD admits sexual assaults after another victim comes forward

January 14, 2013, 12:20 am

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

February 16, 2017, 4:24 pm

R. v. Sargeant, 2023 ONSC 6406 (CanLII)

November 13, 2023, 9:00 pm

Rajasthan Board 10th Result 2016 Roll No wise & Name Wise

August 20, 2016, 5:13 pm

Who’s been sentenced at Northampton Magistrates’ Court

March 30, 2019, 10:00 pm

मतलबी दोस्त स्टेट्स | Matlabi Dost Status in Hindi – Selfish Friends Status

February 13, 2020, 3:12 am

Family cries out as traditional ruler allegedly abducts brother, extorts N2.5m

September 15, 2024, 1:15 am

Long-Running Conflict In Springfield (MA) Gangland Sphere Has Manzi Family &...

December 26, 2017, 3:59 pm

Wondershare Filmora X v10.1.20.16 x64

February 8, 2021, 5:34 am

Man arrested after fracas in flat

January 16, 2017, 10:10 pm

Man charged in ongoing Sexual Assault Investigation Derek Nyilas, 46, Faces...

May 27, 2019, 8:00 am
Search