some changes
This commit is contained in:
parent
067b4b991b
commit
40166ee91a
|
@ -25,8 +25,8 @@
|
||||||
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
||||||
#
|
#
|
||||||
# @author Jakub Jirutka <jakub@jirutka.cz>
|
# @author Jakub Jirutka <jakub@jirutka.cz>
|
||||||
# @version 1.0
|
# @version 1.1
|
||||||
# @date 2012-09-18
|
# @date 2012-10-05
|
||||||
#
|
#
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -55,13 +55,19 @@
|
||||||
# Block remote packets claiming to be from a loopback address
|
# Block remote packets claiming to be from a loopback address
|
||||||
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
|
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
|
||||||
|
|
||||||
|
# Drop all packets that are going to broadcast, multicast or anycast address
|
||||||
|
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
|
||||||
|
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
|
||||||
|
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
|
||||||
|
-A INPUT -d 224.0.0.0/4 -j DROP
|
||||||
|
|
||||||
# Chain for preventing SSH brute-force attacks.
|
# Chain for preventing SSH brute-force attacks.
|
||||||
# Permits 10 new connections within 5 minutes from a single host then drops
|
# Permits 10 new connections within 5 minutes from a single host then drops
|
||||||
# incomming connections from that host. Beyond a burst of 100 connections we
|
# incomming connections from that host. Beyond a burst of 100 connections we
|
||||||
# log at up 1 attempt per second to prevent filling of logs
|
# log at up 1 attempt per second to prevent filling of logs
|
||||||
-N SSHBRUTE
|
-N SSHBRUTE
|
||||||
-A SSHBRUTE -m recent --name SSH --set
|
-A SSHBRUTE -m recent --name SSH --set
|
||||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
|
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
|
||||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
|
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
|
||||||
-A SSHBRUTE -j ACCEPT
|
-A SSHBRUTE -j ACCEPT
|
||||||
|
|
||||||
|
@ -70,7 +76,7 @@
|
||||||
# some victim when replying to ICMP ECHO from a spoofed source
|
# some victim when replying to ICMP ECHO from a spoofed source
|
||||||
-N ICMPFLOOD
|
-N ICMPFLOOD
|
||||||
-A ICMPFLOOD -m recent --set --name ICMP --rsource
|
-A ICMPFLOOD -m recent --set --name ICMP --rsource
|
||||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
|
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
|
||||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
|
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
|
||||||
-A ICMPFLOOD -j ACCEPT
|
-A ICMPFLOOD -j ACCEPT
|
||||||
|
|
||||||
|
@ -106,13 +112,23 @@
|
||||||
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
|
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
|
||||||
-A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
|
-A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
|
||||||
|
|
||||||
# May not want to log late replies from nameservers
|
# Do not log packets that are going to ports used by SMB
|
||||||
|
# (Samba / Windows Sharing)
|
||||||
|
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
|
||||||
|
-A INPUT -p udp -m udp --dport 137:139 -j DROP
|
||||||
|
-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
|
||||||
|
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
|
||||||
|
|
||||||
|
# Do not log packets that are going to port used by UPnP protocol
|
||||||
|
-A INPUT -p udp -m udp --dport 1900 -j DROP
|
||||||
|
|
||||||
|
# Do not log late replies from nameservers
|
||||||
-A INPUT -p udp -m udp --sport 53 -j DROP
|
-A INPUT -p udp -m udp --sport 53 -j DROP
|
||||||
|
|
||||||
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
||||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
|
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
|
||||||
|
|
||||||
# Prevent DOS by filling log files
|
# Prevent DOS by filling log files
|
||||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
|
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|
|
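Review bot: In the hunk at `@ -55,13 +55,19 @@`, the new `-A INPUT -d 224.0.0.0/4 -j DROP` looks redundant with `-A INPUT -m addrtype --dst-type MULTICAST -j DROP` a few lines above it, since the kernel classifies every 224.0.0.0/4 destination as the multicast address type, so the extra rule only adds a lookup per packet. The `--dst-type ANYCAST` line is, as far as I know, never matched on IPv4 (the anycast route type is not assignable there), so it is likely dead as well. Because these DROPs precede the rate-limited catch-all LOG rule, anything delivered to a broadcast or multicast address through the normal socket path (mDNS/SSDP discovery, for instance) will fail silently; a comment such as `# Dropped on purpose before the LOG rule so broadcast/multicast noise never reaches the log` would make that intent explicit for the next reader.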
@ -25,8 +25,8 @@
|
||||||
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
||||||
#
|
#
|
||||||
# @author Jakub Jirutka <jakub@jirutka.cz>
|
# @author Jakub Jirutka <jakub@jirutka.cz>
|
||||||
# @version 1.0
|
# @version 1.1
|
||||||
# @date 2012-09-18
|
# @date 2012-10-05
|
||||||
#
|
#
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -61,7 +61,7 @@
|
||||||
# log at up 1 attempt per second to prevent filling of logs
|
# log at up 1 attempt per second to prevent filling of logs
|
||||||
-N SSHBRUTE
|
-N SSHBRUTE
|
||||||
-A SSHBRUTE -m recent --name SSH --set
|
-A SSHBRUTE -m recent --name SSH --set
|
||||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: "
|
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
|
||||||
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
|
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
|
||||||
-A SSHBRUTE -j ACCEPT
|
-A SSHBRUTE -j ACCEPT
|
||||||
|
|
||||||
|
@ -70,7 +70,7 @@
|
||||||
# some victim when replying to ICMP ECHO from a spoofed source
|
# some victim when replying to ICMP ECHO from a spoofed source
|
||||||
-N ICMPFLOOD
|
-N ICMPFLOOD
|
||||||
-A ICMPFLOOD -m recent --set --name ICMP --rsource
|
-A ICMPFLOOD -m recent --set --name ICMP --rsource
|
||||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: "
|
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
|
||||||
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
|
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
|
||||||
-A ICMPFLOOD -j ACCEPT
|
-A ICMPFLOOD -j ACCEPT
|
||||||
|
|
||||||
|
@ -85,9 +85,6 @@
|
||||||
# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
|
# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
|
||||||
# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
|
# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
|
||||||
|
|
||||||
# Accept limited access to Munin from hosts on CVUT network
|
|
||||||
# -A INPUT -s 147.32.0.0/15 -p tcp -m tcp --dport 4949 --syn -m state --state NEW -j ACCEPT
|
|
||||||
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# 3. GENERAL RULES #
|
# 3. GENERAL RULES #
|
||||||
|
@ -125,13 +122,23 @@
|
||||||
# flooding.
|
# flooding.
|
||||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
|
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
|
||||||
|
|
||||||
# May not want to log late replies from campus nameservers
|
# Do not log packets that are going to ports used by SMB
|
||||||
|
# (Samba / Windows Sharing)
|
||||||
|
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
|
||||||
|
-A INPUT -p udp -m udp --dport 137:139 -j DROP
|
||||||
|
-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
|
||||||
|
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
|
||||||
|
|
||||||
|
# Do not log packets that are going to port used by UPnP protocol
|
||||||
|
-A INPUT -p udp -m udp --dport 1900 -j DROP
|
||||||
|
|
||||||
|
# Do not log late replies from nameservers
|
||||||
-A INPUT -p udp -m udp --sport 53 -j DROP
|
-A INPUT -p udp -m udp --sport 53 -j DROP
|
||||||
|
|
||||||
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
||||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
|
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
|
||||||
|
|
||||||
# Prevent DOS by filling log files
|
# Prevent DOS by filling log files
|
||||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
|
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|
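Review bot: In the hunk at `@ -125,13 +122,23 @@`, the NetBIOS rules copied from the IPv4 file — `-A INPUT -p udp -m udp --dport 137:139 -j DROP`, `-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP` and port 139 in the TCP multiport list — cover a protocol that, to my knowledge, is IPv4-only (SMB over IPv6 talks to port 445 directly), so in ip6tables they are dead rules that cost a lookup and may confuse the next reader. The block is now duplicated verbatim between the two files, so either trimming it here to the 135/445 lines or marking it `# keep in sync with the IPv4 ruleset` would reduce drift. The prefix `ip6tables[DOS]: ` on the final LOG rule is also slightly misleading, since that rule records whatever reaches that point of INPUT and the limit only protects the log; a name like `ip6tables[INPUT-drop]: ` describes what is actually being logged.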