rules v4

Written by paul, no comments
Filed under: Linux-admin   Tags: none
################################################################################
# The MIT License
# Copyright 2012-2014 Jakub Jirutka.
################################################################################
# @author Jakub Jirutka
# @version 1.3.1
# @date 2014-01-28
################################################################################
# 1. COMMON HEADER                                                            #
#                                                                             #
# This section is a generic header that should be suitable for most hosts.    #
################################################################################

*filter

# Base policy
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Don't attempt to firewall internal traffic on the loopback device.
-A INPUT -i lo -j ACCEPT

# Continue connections that are already established or related to an established
# connection.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Drop non-conforming packets, such as malformed headers, etc.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Block remote packets claiming to be from a loopback address.
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

# Drop all packets that are going to a broadcast, multicast or anycast address.
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP

# Chain for preventing SSH brute-force attacks.
# Lets a single host open 9 new connections within 5 minutes; the 10th attempt
# and every later one inside that window is dropped (--set records each attempt
# before --hitcount 10 is checked, and dropped attempts are recorded too, so a
# host that keeps retrying stays blocked). Beyond a burst of 100 connections we
# log at most 1 attempt per second to prevent filling the logs.
-N SSHBRUTE
-A SSHBRUTE -m recent --name SSH --set
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT

# Chain for preventing ping flooding: a single source gets 5 echo requests per
# second, the 6th and later ones within that second are dropped, again with log
# limiting. Also prevents us from ICMP REPLY flooding some victim when replying
# to ICMP ECHO from a spoofed source.
-N ICMPFLOOD
-A ICMPFLOOD -m recent --set --name ICMP --rsource
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
-A ICMPFLOOD -j ACCEPT


################################################################################
# 2. HOST SPECIFIC RULES                                                      #
#                                                                             #
# This section is a good place to enable your host-specific services.         #
# ! DO NOT FORGET TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 !   #
################################################################################

# Accept HTTP and HTTPS
#-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT


################################################################################
# 3. GENERAL RULES                                                            #
#                                                                             #
# This section contains general rules that should be suitable for most hosts. #
################################################################################

# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
# brute-force attacks.
#-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

# Permit useful ICMP packet types.
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not in hiding.
-A INPUT -p icmp --icmp-type 0  -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 3  -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8  -m conntrack --ctstate NEW -j ICMPFLOOD
-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT

# Do not log packets that are going to ports used by SMB
# (Samba / Windows Sharing).
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
-A INPUT -p udp --dport 137:139 -j DROP
-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

# Do not log packets that are going to the port used by the UPnP protocol.
-A INPUT -p udp --dport 1900 -j DROP

# Do not log late replies from nameservers.
-A INPUT -p udp --sport 53 -j DROP

# Good practice is to explicitly reject AUTH traffic so that it fails fast.
-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

# Prevent DOS by filling log files.
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "

COMMIT


################################################################################
# 4. HOST SPECIFIC NAT RULES                                                  #
#                                                                             #
# Uncomment this section if you want to use NAT table, e.g. for port          #
# forwarding, redirect, masquerade...                                         #
################################################################################

#*nat

# Base policy
#:PREROUTING ACCEPT [0:0]
#:POSTROUTING ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]

# Redirect port 21 to local port 2121
#-A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 2121

# Forward port 8080 to port 80 on host 192.168.1.10
#-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80

#COMMIT
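The SSHBRUTE and ICMPFLOOD chains above both rest on the same two matches: the xt_recent sliding-window hit counter (--set, then --update --seconds --hitcount) and an xt_limit token bucket on the LOG rule. The Python model below is an added example, not code from the original ruleset or from Jakub Jirutka's firewall files. It re-implements those matches from their documented semantics so you can replay a sequence of connection attempts and see exactly how many get through, how many log lines are produced, and how long a source stays blocked. Assumptions: timestamps are plain floats in seconds rather than jiffies, --rttl is not modelled, the per-address ring buffer uses the xt_recent default ip_pkt_list_tot of 20 stamps, and the source address and attempt times are constructed for the demonstration.

```python
"""Model of the xt_recent / xt_limit behaviour behind SSHBRUTE and ICMPFLOOD.

Added example, not part of the original ruleset. Kernel facts it mirrors:
 - `-m recent --set` always records a timestamp for the source and matches;
 - `--update --seconds S --hitcount N` matches when at least N stamps fall in
   the last S seconds and, on a match, records this packet as well (so every
   dropped attempt keeps the window alive);
 - each address keeps at most ip_pkt_list_tot stamps (default 20, ring buffer);
 - `-m limit --limit R --limit-burst B` is a token bucket that starts full.
Assumed simplifications: float seconds instead of jiffies, --rttl not modelled.
"""
from collections import deque

IP_PKT_LIST_TOT = 20  # xt_recent default: stamps remembered per address


class RecentTable:
    """One `-m recent --name X` list: source address -> ring buffer of hit times."""

    def __init__(self, max_stamps=IP_PKT_LIST_TOT):
        self.max_stamps = max_stamps
        self.entries = {}

    def _stamp(self, src, now):
        self.entries.setdefault(src, deque(maxlen=self.max_stamps)).append(now)

    def set(self, src, now):
        """--set: unconditionally record the packet and match."""
        self._stamp(src, now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds --hitcount: match if the source already has at
        least `hitcount` stamps within the last `seconds`; a match stamps too."""
        stamps = self.entries.get(src)
        if not stamps:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            self._stamp(src, now)
            return True
        return False


class LimitBucket:
    """`-m limit --limit rate --limit-burst burst`: token bucket, full at start."""

    def __init__(self, rate_per_second, burst):
        self.rate = rate_per_second
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def match(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecentChain:
    """A chain shaped like SSHBRUTE / ICMPFLOOD:
    --set ; --update + limit -> LOG ; --update -> DROP ; ACCEPT."""

    def __init__(self, seconds, hitcount, log_rate, log_burst):
        self.seconds, self.hitcount = seconds, hitcount
        self.table = RecentTable()
        self.log_limit = LimitBucket(log_rate, log_burst)
        self.log_lines = 0

    def packet(self, src, now):
        """Verdict for one new packet from `src` at time `now`."""
        self.table.set(src, now)                                   # -m recent --set
        # -m recent --update ... -m limit ... -j LOG (matches short-circuit left to right)
        if self.table.update(src, now, self.seconds, self.hitcount) and self.log_limit.match(now):
            self.log_lines += 1
        if self.table.update(src, now, self.seconds, self.hitcount):  # ... -j DROP
            return "DROP"
        return "ACCEPT"                                             # -j ACCEPT


def sshbrute(attempt_times, src="203.0.113.7"):
    """Replay new SSH connections (times in seconds, constructed input) from one
    source through SSHBRUTE; returns (verdicts, number of log lines)."""
    chain = RecentChain(seconds=300, hitcount=10, log_rate=1.0, log_burst=100)
    return [chain.packet(src, t) for t in attempt_times], chain.log_lines


def icmpflood(ping_times, src="203.0.113.7"):
    """Same replay for ICMPFLOOD: --seconds 1 --hitcount 6, log burst 1."""
    chain = RecentChain(seconds=1, hitcount=6, log_rate=1.0, log_burst=1)
    return [chain.packet(src, t) for t in ping_times], chain.log_lines


if __name__ == "__main__":
    print(sshbrute(list(range(12))))               # 9 ACCEPT, then DROP
    print(sshbrute([30 * i for i in range(21)]))   # retrying every 30 s never clears the block
    print(sshbrute(list(range(10)) + [400]))       # 300 s of silence lets the host back in
    print(icmpflood([i / 10 for i in range(8)]))   # 5 pings accepted, 6th onward dropped
```

Three things the replay makes visible that the rule comments do not: only 9 attempts are accepted, because --set stamps the 10th before --hitcount 10 is evaluated; a source that keeps retrying stays blocked, because each dropped attempt is stamped by both --update rules and keeps the 300 s window full; and the block lifts on its own once the source has been quiet long enough for the stamps to age out of the window. Keep --hitcount no larger than the number of stamps the kernel remembers per address (ip_pkt_list_tot, default 20, which newer kernels grow to fit the hitcount), or the window will not hold enough history to count.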
