2012-09-18 14:42:48 +02:00
|
|
|
###############################################################################
|
2014-01-01 15:57:31 +01:00
|
|
|
# Copyright 2012-2014 Jakub Jirutka. All rights reserved.
|
2012-09-18 14:42:48 +02:00
|
|
|
#
|
|
|
|
|
# "THE KOFOLA-WARE LICENSE" (Revision 1):
|
|
|
|
|
# Jakub Jirutka originally wrote this file. As long as you retain this notice you
|
|
|
|
|
# can do whatever you want with this stuff. If we meet some day, and you think
|
|
|
|
|
# this stuff is worth it, you can buy me a Kofola in return. <jakub@jirutka.cz>
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
|
#
|
|
|
|
|
# Basic iptables/IPv4 template for ordinary servers
|
|
|
|
|
#
|
|
|
|
|
# This file is in iptables-restore format. See the man pages for
|
|
|
|
|
# iptables-restore(8) and iptables-save(8).
|
|
|
|
|
#
|
|
|
|
|
# The following is a set of firewall rules that should be applicable to Linux
|
|
|
|
|
# servers running within departments. It is intended to provide a useful
|
|
|
|
|
# starting point from which to devise a comprehensive firewall policy for
|
|
|
|
|
# a host.
|
|
|
|
|
#
|
|
|
|
|
# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
|
|
|
|
|
# populated with rules specific to particular hosts.
|
|
|
|
|
#
|
|
|
|
|
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
|
|
|
|
#
|
|
|
|
|
# @author Jakub Jirutka <jakub@jirutka.cz>
|
2014-01-01 15:57:31 +01:00
|
|
|
# @version 1.2
|
|
|
|
|
# @date 2014-01-01
|
2012-09-18 14:42:48 +02:00
|
|
|
#
|
|
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
|
# 1. COMMON HEADER #
|
|
|
|
|
# #
|
|
|
|
|
# This section is a generic header that should be suitable for most hosts. #
|
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
|
|
*filter
|
|
|
|
|
|
|
|
|
|
# Base policy
|
|
|
|
|
:INPUT DROP [0:0]
|
|
|
|
|
:FORWARD DROP [0:0]
|
|
|
|
|
:OUTPUT ACCEPT [0:0]
|
|
|
|
|
|
|
|
|
|
# Don't attempt to firewall internal traffic on the loopback device
|
|
|
|
|
-A INPUT -i lo -j ACCEPT
|
|
|
|
|
|
|
|
|
|
# Continue connections that are already established or related to an established
|
|
|
|
|
# connection
|
2014-01-01 15:57:31 +01:00
|
|
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
2012-09-18 14:42:48 +02:00
|
|
|
|
|
|
|
|
# Drop non-conforming packets, such as malformed headers, etc.
|
2014-01-01 15:57:31 +01:00
|
|
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
2012-09-18 14:42:48 +02:00
|
|
|
|
|
|
|
|
# Block remote packets claiming to be from a loopback address
|
|
|
|
|
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
|
|
|
|
|
|
2012-10-05 16:15:17 +02:00
|
|
|
# Drop all packets that are going to broadcast, multicast or anycast address
|
|
|
|
|
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
|
|
|
|
|
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
|
|
|
|
|
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
|
|
|
|
|
-A INPUT -d 224.0.0.0/4 -j DROP
|
|
|
|
|
|
2012-09-18 14:42:48 +02:00
|
|
|
# Chain for preventing SSH brute-force attacks.
|
|
|
|
|
# Permits 10 new connections within 5 minutes from a single host then drops
|
|
|
|
|
# incomming connections from that host. Beyond a burst of 100 connections we
|
|
|
|
|
# log at up 1 attempt per second to prevent filling of logs
|
|
|
|
|
-N SSHBRUTE
|
|
|
|
|
-A SSHBRUTE -m recent --name SSH --set
|
2012-10-05 16:15:17 +02:00
|
|
|
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
|
2012-09-18 14:42:48 +02:00
|
|
|
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
|
|
|
|
|
-A SSHBRUTE -j ACCEPT
|
|
|
|
|
|
|
|
|
|
# Chain for preventing ping flooding - up to 6 pings per second from a single
|
|
|
|
|
# source, again with log limiting. Also prevents us from ICMP REPLY flooding
|
|
|
|
|
# some victim when replying to ICMP ECHO from a spoofed source
|
|
|
|
|
-N ICMPFLOOD
|
|
|
|
|
-A ICMPFLOOD -m recent --set --name ICMP --rsource
|
2012-10-05 16:15:17 +02:00
|
|
|
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
|
2012-09-18 14:42:48 +02:00
|
|
|
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
|
|
|
|
|
-A ICMPFLOOD -j ACCEPT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
|
# 2. HOST SPECIFIC RULES #
|
|
|
|
|
# #
|
|
|
|
|
# This section is a good place to enable your host-specific services. #
|
|
|
|
|
# ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 ! #
|
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
|
|
# Accept worldwide access to HTTP and HTTPS
|
2014-01-01 15:57:31 +01:00
|
|
|
# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
|
|
|
|
|
# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
|
2012-09-18 14:42:48 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
|
# 3. GENERAL RULES #
|
|
|
|
|
# #
|
|
|
|
|
# This section contains general rules that should be suitable for most hosts. #
|
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
|
|
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
|
|
|
|
|
# brute-force attacks.
|
2014-01-01 15:57:31 +01:00
|
|
|
-A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
|
2012-09-18 14:42:48 +02:00
|
|
|
|
|
|
|
|
# Permit useful IMCP packet types
|
|
|
|
|
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
|
|
|
|
|
# Blocking these can make diagnosing of even simple faults much more tricky.
|
|
|
|
|
# Real security lies in locking down and hardening all services, not by hiding.
|
2014-01-01 15:57:31 +01:00
|
|
|
-A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
|
|
|
|
|
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
|
|
|
|
|
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
|
|
|
|
|
-A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
|
2012-09-18 14:42:48 +02:00
|
|
|
|
2012-10-05 16:15:17 +02:00
|
|
|
# Do not log packets that are going to ports used by SMB
|
|
|
|
|
# (Samba / Windows Sharing)
|
|
|
|
|
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
|
|
|
|
|
-A INPUT -p udp -m udp --dport 137:139 -j DROP
|
|
|
|
|
-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
|
|
|
|
|
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
|
|
|
|
|
|
|
|
|
|
# Do not log packets that are going to port used by UPnP protocol
|
|
|
|
|
-A INPUT -p udp -m udp --dport 1900 -j DROP
|
|
|
|
|
|
|
|
|
|
# Do not log late replies from nameservers
|
2012-09-18 14:42:48 +02:00
|
|
|
-A INPUT -p udp -m udp --sport 53 -j DROP
|
|
|
|
|
|
|
|
|
|
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
2014-01-01 15:57:31 +01:00
|
|
|
-A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
2012-09-18 14:42:48 +02:00
|
|
|
|
|
|
|
|
# Prevent DOS by filling log files
|
2012-10-05 16:15:17 +02:00
|
|
|
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
|
2012-09-18 14:42:48 +02:00
|
|
|
|
2012-10-05 16:15:17 +02:00
|
|
|
COMMIT
|
