diff --git a/rules-ipv4.iptables b/rules-ipv4.iptables
index ec1e1c4..e3d3280 100644
--- a/rules-ipv4.iptables
+++ b/rules-ipv4.iptables
@@ -25,8 +25,8 @@
 # This template is based on http://jdem.cz/v64a3 from University of Leicester
 #
 # @author Jakub Jirutka
-# @version 1.0
-# @date 2012-09-18
+# @version 1.1
+# @date 2012-10-05
 #
 ###############################################################################
@@ -55,13 +55,19 @@
 # Block remote packets claiming to be from a loopback address
 -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
+# Drop all packets that are going to broadcast, multicast or anycast address
+-A INPUT -m addrtype --dst-type BROADCAST -j DROP
+-A INPUT -m addrtype --dst-type MULTICAST -j DROP
+-A INPUT -m addrtype --dst-type ANYCAST -j DROP
+-A INPUT -d 224.0.0.0/4 -j DROP
+
 # Chain for preventing SSH brute-force attacks.
 # Permits 10 new connections within 5 minutes from a single host then drops
 # incomming connections from that host. Beyond a burst of 100 connections we
 # log at up 1 attempt per second to prevent filling of logs
 -N SSHBRUTE
 -A SSHBRUTE -m recent --name SSH --set
--A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
 -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
 -A SSHBRUTE -j ACCEPT
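Review bot: The four DROP rules added after the loopback anti-spoof line silently discard every broadcast- and multicast-destined packet, which also breaks protocols a host may legitimately rely on (IGMP membership reports, VRRP/keepalived, OSPF, mDNS, and DHCP replies when the client uses an ordinary UDP socket), and because they sit ahead of the rate-limited catch-all LOG nothing is logged when that happens. If any such protocol is in use, add a specific accept above them, e.g. `-A INPUT -p igmp -j ACCEPT`, and state the trade-off in the comment: `# Dropped silently and before logging: IGMP/VRRP/OSPF/mDNS/DHCP-broadcast need an explicit ACCEPT above this block`. The `-d 224.0.0.0/4` line largely duplicates `--dst-type MULTICAST`, and the IPv4 routing table does not appear to produce ANYCAST-typed entries, so those two rules are probably no-ops and deserve a comment saying so rather than surprising the next reader. If this block is later mirrored into rules-ipv6.ip6tables (this commit does not), note that IPv6 neighbor discovery itself runs over multicast (solicited-node ff02::1:ff00:0/104), so a blanket multicast drop there would cut IPv6 connectivity entirely.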
@@ -70,7 +76,7 @@
 # some victim when replying to ICMP ECHO from a spoofed source
 -N ICMPFLOOD
 -A ICMPFLOOD -m recent --set --name ICMP --rsource
--A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
 -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
 -A ICMPFLOOD -j ACCEPT
@@ -106,13 +112,23 @@
 -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
 -A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
-# May not want to log late replies from nameservers
+# Do not log packets that are going to ports used by SMB
+# (Samba / Windows Sharing)
+-A INPUT -p udp -m multiport --dports 135,445 -j DROP
+-A INPUT -p udp -m udp --dport 137:139 -j DROP
+-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
+-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
+
+# Do not log packets that are going to port used by UPnP protocol
+-A INPUT -p udp -m udp --dport 1900 -j DROP
+
+# Do not log late replies from nameservers
 -A INPUT -p udp -m udp --sport 53 -j DROP
 # Good practise is to explicately reject AUTH traffic so that it fails fast
 -A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
 # Prevent DOS by filling log files
--A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
+-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
-COMMIT
\ No newline at end of file
+COMMIT
diff --git a/rules-ipv6.ip6tables b/rules-ipv6.ip6tables
index e02f2d5..738dc86 100644
--- a/rules-ipv6.ip6tables
+++ b/rules-ipv6.ip6tables
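Review bot: The prefix `"iptables[DOS]: "` on the final LOG rule mislabels what is logged: that rule is the rate-limited catch-all for every packet reaching the end of INPUT, so it fires on ordinary unsolicited traffic rather than only on flooding, and anything that alerts on the word DOS will trigger constantly. A neutral prefix such as `--log-prefix "iptables[INPUT-drop]: "` describes the line honestly; the same applies to the `"ip6tables[DOS]: "` hunk at the end of rules-ipv6.ip6tables. The `name[x]: ` shape also imitates the syslog `tag[pid]:` convention; the kernel log path typically adds its own tag in front, so syslog itself is unaffected, but parsers that match `name[id]:` inside the message body may read SSH-brute, ICMP-flood or DOS as a PID, which is worth checking against whatever consumes these logs. Note also that the SMB and UPnP DROPs placed above the LOG rule deliberately keep those probes out of the log, and that the catch-all only acts as a drop log if INPUT's policy is DROP, which is outside this hunk.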
@@ -25,8 +25,8 @@
 # This template is based on http://jdem.cz/v64a3 from University of Leicester
 #
 # @author Jakub Jirutka
-# @version 1.0
-# @date 2012-09-18
+# @version 1.1
+# @date 2012-10-05
 #
 ###############################################################################
@@ -61,7 +61,7 @@
 # log at up 1 attempt per second to prevent filling of logs
 -N SSHBRUTE
 -A SSHBRUTE -m recent --name SSH --set
--A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
 -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
 -A SSHBRUTE -j ACCEPT
@@ -70,7 +70,7 @@
 # some victim when replying to ICMP ECHO from a spoofed source
 -N ICMPFLOOD
 -A ICMPFLOOD -m recent --set --name ICMP --rsource
--A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
 -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
 -A ICMPFLOOD -j ACCEPT
@@ -85,9 +85,6 @@
 # -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
 # -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
-# Accept limited access to Munin from hosts on CVUT network
-# -A INPUT -s 147.32.0.0/15 -p tcp -m tcp --dport 4949 --syn -m state --state NEW -j ACCEPT
-
 ###############################################################################
 # 3. GENERAL RULES
 #
@@ -125,13 +122,23 @@
 # flooding.
 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
-# May not want to log late replies from campus nameservers
+# Do not log packets that are going to ports used by SMB
+# (Samba / Windows Sharing)
+-A INPUT -p udp -m multiport --dports 135,445 -j DROP
+-A INPUT -p udp -m udp --dport 137:139 -j DROP
+-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
+-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
+
+# Do not log packets that are going to port used by UPnP protocol
+-A INPUT -p udp -m udp --dport 1900 -j DROP
+
+# Do not log late replies from nameservers
 -A INPUT -p udp -m udp --sport 53 -j DROP
 # Good practise is to explicately reject AUTH traffic so that it fails fast
 -A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
 # Prevent DOS by filling log files
--A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
+-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
-COMMIT
\ No newline at end of file
+COMMIT