diff --git a/rules-ipv4.iptables b/rules-ipv4.iptables
index e3d3280..615fe1e 100644
--- a/rules-ipv4.iptables
+++ b/rules-ipv4.iptables
@@ -1,5 +1,5 @@
 ###############################################################################
-# Copyright 2012 Jakub Jirutka. All rights reserved.
+# Copyright 2012-2014 Jakub Jirutka. All rights reserved.
 #
 # "THE KOFOLA-WARE LICENSE" (Revision 1):
 # Jakub Jirutka originally wrote this file. As long as you retain this notice you
@@ -25,8 +25,8 @@
 # This template is based on http://jdem.cz/v64a3 from University of Leicester
 #
 # @author Jakub Jirutka
-# @version 1.1
-# @date 2012-10-05
+# @version 1.2
+# @date 2014-01-01
 #
 ###############################################################################
@@ -47,10 +47,10 @@
 # Continue connections that are already established or related to an established
 # connection
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Drop non-conforming packets, such as malformed headers, etc.
--A INPUT -m state --state INVALID -j DROP
+-A INPUT -m conntrack --ctstate INVALID -j DROP
 # Block remote packets claiming to be from a loopback address
 -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
@@ -89,8 +89,8 @@
 ###############################################################################
 # Accept worldwide access to HTTP and HTTPS
-# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
 ###############################################################################
@@ -101,16 +101,16 @@
 # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
 # brute-force attacks.
--A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
+-A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
 # Permit useful IMCP packet types
 # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
 # Blocking these can make diagnosing of even simple faults much more tricky.
 # Real security lies in locking down and hardening all services, not by hiding.
--A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW -j ACCEPT
--A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
--A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
--A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
+-A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
 # Do not log packets that are going to ports used by SMB
 # (Samba / Windows Sharing)
@@ -126,7 +126,7 @@
 -A INPUT -p udp -m udp --sport 53 -j DROP
 # Good practise is to explicately reject AUTH traffic so that it fails fast
--A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
+-A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
 # Prevent DOS by filling log files
 -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
diff --git a/rules-ipv6.ip6tables b/rules-ipv6.ip6tables
index 738dc86..14202b0 100644
--- a/rules-ipv6.ip6tables
+++ b/rules-ipv6.ip6tables
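Review bot: The `--ctstate NEW` qualifier on the ICMP type 0, 3 and 11 rules in the @@ -101 hunk most likely never matches, so those three ACCEPT rules appear to be dead: conntrack treats an echo reply as the reply half of a tracked echo request and ICMP error messages (types 3 and 11) as RELATED to the connection they reference, and unmatched ones as INVALID, none of which is NEW. In practice the `--ctstate RELATED,ESTABLISHED -j ACCEPT` and `--ctstate INVALID -j DROP` rules from the @@ -47 hunk decide these packets before this line is reached, which may be the intended outcome but is not what the comment above the rules suggests. If the intent is to accept these types regardless of tracking state, drop the state match, e.g. `-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT`; if the RELATED path is sufficient, the three lines could be removed with a comment stating that the conntrack rules cover them. The type 8 rule is unaffected, since an unsolicited echo request is NEW. This was already the case with `-m state --state NEW`; the commit only renames the match.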
@@ -1,5 +1,5 @@
 ###############################################################################
-# Copyright 2012 Jakub Jirutka. All rights reserved.
+# Copyright 2012-2014 Jakub Jirutka. All rights reserved.
 #
 # "THE KOFOLA-WARE LICENSE" (Revision 1):
 # Jakub Jirutka originally wrote this file. As long as you retain this notice you
@@ -25,8 +25,8 @@
 # This template is based on http://jdem.cz/v64a3 from University of Leicester
 #
 # @author Jakub Jirutka
-# @version 1.1
-# @date 2012-10-05
+# @version 1.2
+# @date 2014-01-01
 #
 ###############################################################################
@@ -47,10 +47,10 @@
 # Continue connections that are already established or related to an established
 # connection
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Drop non-conforming packets, such as malformed headers, etc.
--A INPUT -m state --state INVALID -j DROP
+-A INPUT -m conntrack --ctstate INVALID -j DROP
 # Block remote packets claiming to be from a loopback address
 -A INPUT -s ::1/128 ! -i lo -j DROP
@@ -82,8 +82,8 @@
 ###############################################################################
 # Accept worldwide access to HTTP and HTTPS
-# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
+# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
 ###############################################################################
@@ -94,7 +94,7 @@
 # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
 # brute-force attacks.
--A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
+-A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
 # Permit needed ICMP packet types for IPv6 per RFC 4890
 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
@@ -136,7 +136,7 @@
 -A INPUT -p udp -m udp --sport 53 -j DROP
 # Good practise is to explicately reject AUTH traffic so that it fails fast
--A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
+-A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
 # Prevent DOS by filling log files
 -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "