Remove unnecessary `-m` options
This commit is contained in:
Jakub Jirutka
parent
fb68a33dfb
commit
aed1e6f71a
|
|
@ -24,7 +24,7 @@
|
|||
|
||||
###############################################################################
|
||||
#
|
||||
# Basic iptables/IPv4 template for ordinary servers
|
||||
# Basic iptables/IPv4 template for an ordinary servers
|
||||
#
|
||||
# This file is in iptables-restore format. See the man pages for
|
||||
# iptables-restore(8) and iptables-save(8).
|
||||
|
|
@ -40,8 +40,8 @@
|
|||
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
||||
#
|
||||
# @author Jakub Jirutka <jakub@jirutka.cz>
|
||||
# @version 1.2
|
||||
# @date 2014-01-01
|
||||
# @version 1.2.1
|
||||
# @date 2014-01-26
|
||||
#
|
||||
|
||||
###############################################################################
|
||||
|
|
@ -104,8 +104,8 @@
|
|||
###############################################################################
|
||||
|
||||
# Accept worldwide access to HTTP and HTTPS
|
||||
# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
# -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
# -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
|
||||
###############################################################################
|
||||
|
|
@ -116,32 +116,32 @@
|
|||
|
||||
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
|
||||
# brute-force attacks.
|
||||
-A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
|
||||
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
|
||||
|
||||
# Permit useful IMCP packet types
|
||||
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
|
||||
# Blocking these can make diagnosing of even simple faults much more tricky.
|
||||
# Real security lies in locking down and hardening all services, not by hiding.
|
||||
-A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
|
||||
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
|
||||
-A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
|
||||
-A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
|
||||
-A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
|
||||
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
|
||||
-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Do not log packets that are going to ports used by SMB
|
||||
# (Samba / Windows Sharing)
|
||||
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
|
||||
-A INPUT -p udp -m udp --dport 137:139 -j DROP
|
||||
-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
|
||||
-A INPUT -p udp --dport 137:139 -j DROP
|
||||
-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
|
||||
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
|
||||
|
||||
# Do not log packets that are going to port used by UPnP protocol
|
||||
-A INPUT -p udp -m udp --dport 1900 -j DROP
|
||||
-A INPUT -p udp --dport 1900 -j DROP
|
||||
|
||||
# Do not log late replies from nameservers
|
||||
-A INPUT -p udp -m udp --sport 53 -j DROP
|
||||
-A INPUT -p udp --sport 53 -j DROP
|
||||
|
||||
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
|
||||
# Prevent DOS by filling log files
|
||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@
|
|||
|
||||
###############################################################################
|
||||
#
|
||||
# Basic ip6tables/IPv6 template for ordinary servers
|
||||
# Basic ip6tables/IPv6 template for an ordinary servers
|
||||
#
|
||||
# This file is in iptables-restore format. See the man pages for
|
||||
# ip6tables-restore(8) and ip6tables-save(8).
|
||||
|
|
@ -40,8 +40,8 @@
|
|||
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
||||
#
|
||||
# @author Jakub Jirutka <jakub@jirutka.cz>
|
||||
# @version 1.2
|
||||
# @date 2014-01-01
|
||||
# @version 1.2.1
|
||||
# @date 2014-01-26
|
||||
#
|
||||
|
||||
###############################################################################
|
||||
|
|
@ -97,8 +97,8 @@
|
|||
###############################################################################
|
||||
|
||||
# Accept worldwide access to HTTP and HTTPS
|
||||
# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
# -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
# -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
|
||||
###############################################################################
|
||||
|
|
@ -109,49 +109,49 @@
|
|||
|
||||
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
|
||||
# brute-force attacks.
|
||||
-A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
|
||||
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
|
||||
|
||||
# Permit needed ICMP packet types for IPv6 per RFC 4890
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
|
||||
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
|
||||
|
||||
# Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
|
||||
# flooding.
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
|
||||
-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD
|
||||
|
||||
# Do not log packets that are going to ports used by SMB
|
||||
# (Samba / Windows Sharing)
|
||||
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
|
||||
-A INPUT -p udp -m udp --dport 137:139 -j DROP
|
||||
-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
|
||||
-A INPUT -p udp --dport 137:139 -j DROP
|
||||
-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
|
||||
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
|
||||
|
||||
# Do not log packets that are going to port used by UPnP protocol
|
||||
-A INPUT -p udp -m udp --dport 1900 -j DROP
|
||||
-A INPUT -p udp --dport 1900 -j DROP
|
||||
|
||||
# Do not log late replies from nameservers
|
||||
-A INPUT -p udp -m udp --sport 53 -j DROP
|
||||
-A INPUT -p udp --sport 53 -j DROP
|
||||
|
||||
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
|
||||
# Prevent DOS by filling log files
|
||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
|
||||
|
|
|
|||
Loading…
Reference in New Issue