commit 067b4b991b9c30808bbab76b9bd95459a1d5f207
Author: Jakub Jirutka
Date: Tue Sep 18 05:42:48 2012 -0700
diff --git a/rules-ipv4.iptables b/rules-ipv4.iptables
new file mode 100644
index 0000000..ec1e1c4
--- /dev/null
+++ b/rules-ipv4.iptables
@@ -0,0 +1,118 @@
+###############################################################################
+# Copyright 2012 Jakub Jirutka. All rights reserved.
+#
+# "THE KOFOLA-WARE LICENSE" (Revision 1):
+# Jakub Jirutka originally wrote this file. As long as you retain this notice you
+# can do whatever you want with this stuff. If we meet some day, and you think
+# this stuff is worth it, you can buy me a Kofola in return.
+#
+
+###############################################################################
+#
+# Basic iptables/IPv4 template for ordinary servers
+#
+# This file is in iptables-restore format. See the man pages for
+# iptables-restore(8) and iptables-save(8).
+#
+# The following is a set of firewall rules that should be applicable to Linux
+# servers running within departments. It is intended to provide a useful
+# starting point from which to devise a comprehensive firewall policy for
+# a host.
+#
+# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
+# populated with rules specific to particular hosts.
+#
+# This template is based on http://jdem.cz/v64a3 from University of Leicester
+#
+# @author Jakub Jirutka
+# @version 1.0
+# @date 2012-09-18
+#
+
+###############################################################################
+# 1. COMMON HEADER #
+# #
+# This section is a generic header that should be suitable for most hosts. #
+###############################################################################
+
+*filter
+
+# Base policy
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Don't attempt to firewall internal traffic on the loopback device
+-A INPUT -i lo -j ACCEPT
+
+# Continue connections that are already established or related to an established
+# connection
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Drop non-conforming packets, such as malformed headers, etc.
+-A INPUT -m state --state INVALID -j DROP
+
+# Block remote packets claiming to be from a loopback address
+-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
+
+# Chain for preventing SSH brute-force attacks.
+# Permits 10 new connections within 5 minutes from a single host then drops
+# incomming connections from that host. Beyond a burst of 100 connections we
+# log at up 1 attempt per second to prevent filling of logs
+-N SSHBRUTE
+-A SSHBRUTE -m recent --name SSH --set
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
+-A SSHBRUTE -j ACCEPT
+
+# Chain for preventing ping flooding - up to 6 pings per second from a single
+# source, again with log limiting. Also prevents us from ICMP REPLY flooding
+# some victim when replying to ICMP ECHO from a spoofed source
+-N ICMPFLOOD
+-A ICMPFLOOD -m recent --set --name ICMP --rsource
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
+-A ICMPFLOOD -j ACCEPT
+
+
+###############################################################################
+# 2. HOST SPECIFIC RULES #
+# #
+# This section is a good place to enable your host-specific services. #
+# ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 ! #
+###############################################################################
+
+# Accept worldwide access to HTTP and HTTPS
+# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
+
+
+###############################################################################
+# 3. GENERAL RULES #
+# #
+# This section contains general rules that should be suitable for most hosts. #
+###############################################################################
+
+# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
+# brute-force attacks.
+-A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
+
+# Permit useful IMCP packet types
+# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
+# Blocking these can make diagnosing of even simple faults much more tricky.
+# Real security lies in locking down and hardening all services, not by hiding.
+-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
+-A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
+
+# May not want to log late replies from nameservers
+-A INPUT -p udp -m udp --sport 53 -j DROP
+
+# Good practise is to explicately reject AUTH traffic so that it fails fast
+-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
+
+# Prevent DOS by filling log files
+-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
+
+COMMIT
\ No newline at end of file
diff --git a/rules-ipv6.ip6tables b/rules-ipv6.ip6tables
new file mode 100644
index 0000000..e02f2d5
--- /dev/null
+++ b/rules-ipv6.ip6tables
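Review bot: The ICMP accept rules in part 3 match `--state NEW`, but echo replies to this host's own pings and ICMP errors for its own connections already pass the earlier RELATED,ESTABLISHED rule, so the type 0 rule only admits *unsolicited* echo replies — a classic ICMP tunnelling/covert-channel vector with no diagnostic benefit. I would remove `-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW -j ACCEPT` and keep types 3, 8 (via ICMPFLOOD) and 11. Separately, the catch-all `-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG` has no `--log-prefix`, unlike the SSHBRUTE and ICMPFLOOD log rules; adding `--log-prefix "FW/drop: "` makes dropped-packet lines greppable and keeps them distinguishable from other kernel LOG output. The part-2 banner also tells the reader to copy rules to `firewall.ip6tables`, while the companion file added in this same commit is `rules-ipv6.ip6tables` (and "FORGOT" should read "FORGET").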
@@ -0,0 +1,137 @@
+###############################################################################
+# Copyright 2012 Jakub Jirutka. All rights reserved.
+#
+# "THE KOFOLA-WARE LICENSE" (Revision 1):
+# Jakub Jirutka originally wrote this file. As long as you retain this notice you
+# can do whatever you want with this stuff. If we meet some day, and you think
+# this stuff is worth it, you can buy me a Kofola in return.
+#
+
+###############################################################################
+#
+# Basic ip6tables/IPv6 template for ordinary servers
+#
+# This file is in iptables-restore format. See the man pages for
+# ip6tables-restore(8) and ip6tables-save(8).
+#
+# The following is a set of firewall rules that should be applicable to Linux
+# servers running within departments. It is intended to provide a useful
+# starting point from which to devise a comprehensive firewall policy for
+# a host.
+#
+# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
+# populated with rules specific to particular hosts.
+#
+# This template is based on http://jdem.cz/v64a3 from University of Leicester
+#
+# @author Jakub Jirutka
+# @version 1.0
+# @date 2012-09-18
+#
+
+###############################################################################
+# 1. COMMON HEADER #
+# #
+# This section is a generic header that should be suitable for most hosts. #
+###############################################################################
+
+*filter
+
+# Base policy
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Don't attempt to firewall internal traffic on the loopback device
+-A INPUT -i lo -j ACCEPT
+
+# Continue connections that are already established or related to an established
+# connection
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Drop non-conforming packets, such as malformed headers, etc.
+-A INPUT -m state --state INVALID -j DROP
+
+# Block remote packets claiming to be from a loopback address
+-A INPUT -s ::1/128 ! -i lo -j DROP
+
+# Chain for preventing SSH brute-force attacks.
+# Permits 10 new connections within 5 minutes from a single host then drops
+# incomming connections from that host. Beyond a burst of 100 connections we
+# log at up 1 attempt per second to prevent filling of logs
+-N SSHBRUTE
+-A SSHBRUTE -m recent --name SSH --set
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
+-A SSHBRUTE -j ACCEPT
+
+# Chain for preventing ping flooding - up to 6 pings per second from a single
+# source, again with log limiting. Also prevents us from ICMP REPLY flooding
+# some victim when replying to ICMP ECHO from a spoofed source
+-N ICMPFLOOD
+-A ICMPFLOOD -m recent --set --name ICMP --rsource
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
+-A ICMPFLOOD -j ACCEPT
+
+
+###############################################################################
+# 2. HOST SPECIFIC RULES #
+# #
+# This section is a good place to enable your host-specific services. #
+###############################################################################
+
+# Accept worldwide access to HTTP and HTTPS
+# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
+
+# Accept limited access to Munin from hosts on CVUT network
+# -A INPUT -s 147.32.0.0/15 -p tcp -m tcp --dport 4949 --syn -m state --state NEW -j ACCEPT
+
+
+###############################################################################
+# 3. GENERAL RULES #
+# #
+# This section contains general rules that should be suitable for most hosts. #
+###############################################################################
+
+# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
+# brute-force attacks.
+-A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
+
+# Permit needed ICMP packet types for IPv6 per RFC 4890
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
+
+# Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
+# flooding.
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
+
+# May not want to log late replies from campus nameservers
+-A INPUT -p udp -m udp --sport 53 -j DROP
+
+# Good practise is to explicately reject AUTH traffic so that it fails fast
+-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
+
+# Prevent DOS by filling log files
+-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
+
+COMMIT
\ No newline at end of file
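Review bot: The NDP rules accept Router Advertisement (134) and Redirect (137) from any source, although RFC 4890 (which the comment cites) and RFC 4861 require these to originate from a link-local address with hop limit 255; tightening them to `-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT` (and likewise for 137) stops a routed, off-link packet from reaching the host's ND code through the firewall. The kernel's ND implementation also rejects hop limit ≠ 255, so this is defence in depth rather than an open hole, but it costs one match per rule and matches what the file already does for the fe80::/10-restricted MLD types. Separately, the commented Munin example `# -A INPUT -s 147.32.0.0/15 -p tcp -m tcp --dport 4949 ...` carries an IPv4 prefix in an ip6tables file; uncommenting it as written should make ip6tables-restore reject the whole ruleset, so it ought to be the corresponding IPv6 prefix or a clearly marked placeholder. As in the IPv4 file, the final catch-all LOG rule would benefit from a `--log-prefix "FW/drop: "` so dropped-packet lines are distinguishable from the SSHBRUTE/ICMPFLOOD logs.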