some changes
This commit is contained in:
Jakub Jirutka
parent
067b4b991b
commit
40166ee91a
|
|
@ -25,8 +25,8 @@
|
|||
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
||||
#
|
||||
# @author Jakub Jirutka <jakub@jirutka.cz>
|
||||
# @version 1.0
|
||||
# @date 2012-09-18
|
||||
# @version 1.1
|
||||
# @date 2012-10-05
|
||||
#
|
||||
|
||||
###############################################################################
|
||||
|
|
@ -55,13 +55,19 @@
|
|||
# Block remote packets claiming to be from a loopback address
|
||||
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
|
||||
|
||||
# Drop all packets that are going to broadcast, multicast or anycast address
|
||||
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
|
||||
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
|
||||
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
|
||||
-A INPUT -d 224.0.0.0/4 -j DROP
|
||||
|
||||
# Chain for preventing SSH brute-force attacks.
|
||||
# Permits 10 new connections within 5 minutes from a single host then drops
|
||||
# incomming connections from that host. Beyond a burst of 100 connections we
|
||||
# log at up 1 attempt per second to prevent filling of logs
|
||||
-N SSHBRUTE
|
||||
-A SSHBRUTE -m recent --name SSH --set
|
||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
|
||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
|
||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
|
||||
-A SSHBRUTE -j ACCEPT
|
||||
|
||||
|
|
@ -70,7 +76,7 @@
|
|||
# some victim when replying to ICMP ECHO from a spoofed source
|
||||
-N ICMPFLOOD
|
||||
-A ICMPFLOOD -m recent --set --name ICMP --rsource
|
||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
|
||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
|
||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
|
||||
-A ICMPFLOOD -j ACCEPT
|
||||
|
||||
|
|
@ -106,13 +112,23 @@
|
|||
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
|
||||
-A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
|
||||
|
||||
# May not want to log late replies from nameservers
|
||||
# Do not log packets that are going to ports used by SMB
|
||||
# (Samba / Windows Sharing)
|
||||
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
|
||||
-A INPUT -p udp -m udp --dport 137:139 -j DROP
|
||||
-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
|
||||
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
|
||||
|
||||
# Do not log packets that are going to port used by UPnP protocol
|
||||
-A INPUT -p udp -m udp --dport 1900 -j DROP
|
||||
|
||||
# Do not log late replies from nameservers
|
||||
-A INPUT -p udp -m udp --sport 53 -j DROP
|
||||
|
||||
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
|
||||
|
||||
# Prevent DOS by filling log files
|
||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
|
||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
|
||||
|
||||
COMMIT
|
||||
COMMIT
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@
|
|||
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
||||
#
|
||||
# @author Jakub Jirutka <jakub@jirutka.cz>
|
||||
# @version 1.0
|
||||
# @date 2012-09-18
|
||||
# @version 1.1
|
||||
# @date 2012-10-05
|
||||
#
|
||||
|
||||
###############################################################################
|
||||
|
|
@ -61,7 +61,7 @@
|
|||
# log at up 1 attempt per second to prevent filling of logs
|
||||
-N SSHBRUTE
|
||||
-A SSHBRUTE -m recent --name SSH --set
|
||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
|
||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
|
||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
|
||||
-A SSHBRUTE -j ACCEPT
|
||||
|
||||
|
|
@ -70,7 +70,7 @@
|
|||
# some victim when replying to ICMP ECHO from a spoofed source
|
||||
-N ICMPFLOOD
|
||||
-A ICMPFLOOD -m recent --set --name ICMP --rsource
|
||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
|
||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
|
||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
|
||||
-A ICMPFLOOD -j ACCEPT
|
||||
|
||||
|
|
@ -85,9 +85,6 @@
|
|||
# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
|
||||
# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
|
||||
|
||||
# Accept limited access to Munin from hosts on CVUT network
|
||||
# -A INPUT -s 147.32.0.0/15 -p tcp -m tcp --dport 4949 --syn -m state --state NEW -j ACCEPT
|
||||
|
||||
|
||||
###############################################################################
|
||||
# 3. GENERAL RULES #
|
||||
|
|
@ -125,13 +122,23 @@
|
|||
# flooding.
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
|
||||
|
||||
# May not want to log late replies from campus nameservers
|
||||
# Do not log packets that are going to ports used by SMB
|
||||
# (Samba / Windows Sharing)
|
||||
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
|
||||
-A INPUT -p udp -m udp --dport 137:139 -j DROP
|
||||
-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
|
||||
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
|
||||
|
||||
# Do not log packets that are going to port used by UPnP protocol
|
||||
-A INPUT -p udp -m udp --dport 1900 -j DROP
|
||||
|
||||
# Do not log late replies from nameservers
|
||||
-A INPUT -p udp -m udp --sport 53 -j DROP
|
||||
|
||||
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
|
||||
|
||||
# Prevent DOS by filling log files
|
||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
|
||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
|
||||
|
||||
COMMIT
|
||||
COMMIT
|
||||
|
|
|
|||
Loading…
Reference in New Issue