diff --git a/rules-ipv4.iptables b/rules-ipv4.iptables
index f19bb3c..11a9a1b 100644
--- a/rules-ipv4.iptables
+++ b/rules-ipv4.iptables
@@ -24,7 +24,7 @@
 ###############################################################################
 #
-# Basic iptables/IPv4 template for ordinary servers
+# Basic iptables/IPv4 template for an ordinary servers
 #
 # This file is in iptables-restore format. See the man pages for
 # iptables-restore(8) and iptables-save(8).
@@ -40,8 +40,8 @@
 # This template is based on http://jdem.cz/v64a3 from University of Leicester
 #
 # @author Jakub Jirutka
-# @version 1.2
-# @date 2014-01-01
+# @version 1.2.1
+# @date 2014-01-26
 #
 ###############################################################################
@@ -104,8 +104,8 @@
 ###############################################################################
 # Accept worldwide access to HTTP and HTTPS
-# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
-# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
+# -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
+# -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
 ###############################################################################
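Review bot: The reworded header comment in the -24 hunk now reads `an ordinary servers`, which pairs a singular article with a plural noun; either `# Basic iptables/IPv4 template for an ordinary server` or the previous `for ordinary servers` is grammatical. The identical edit in the -24 hunk of rules-ipv6.ip6tables has the same problem.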
@@ -116,32 +116,32 @@
 # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
 # brute-force attacks.
--A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
+-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
 # Permit useful IMCP packet types
 # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
 # Blocking these can make diagnosing of even simple faults much more tricky.
 # Real security lies in locking down and hardening all services, not by hiding.
--A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
--A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
--A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
--A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
+-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
 # Do not log packets that are going to ports used by SMB
 # (Samba / Windows Sharing)
 -A INPUT -p udp -m multiport --dports 135,445 -j DROP
--A INPUT -p udp -m udp --dport 137:139 -j DROP
--A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
+-A INPUT -p udp --dport 137:139 -j DROP
+-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
 -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
 # Do not log packets that are going to port used by UPnP protocol
--A INPUT -p udp -m udp --dport 1900 -j DROP
+-A INPUT -p udp --dport 1900 -j DROP
 # Do not log late replies from nameservers
--A INPUT -p udp -m udp --sport 53 -j DROP
+-A INPUT -p udp --sport 53 -j DROP
 # Good practise is to explicately reject AUTH traffic so that it fails fast
--A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
+-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
 # Prevent DOS by filling log files
 -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
diff --git a/rules-ipv6.ip6tables b/rules-ipv6.ip6tables
index b2e4b98..fb688c4 100644
--- a/rules-ipv6.ip6tables
+++ b/rules-ipv6.ip6tables
@@ -24,7 +24,7 @@
 ###############################################################################
 #
-# Basic ip6tables/IPv6 template for ordinary servers
+# Basic ip6tables/IPv6 template for an ordinary servers
 #
 # This file is in iptables-restore format. See the man pages for
 # ip6tables-restore(8) and ip6tables-save(8).
@@ -40,8 +40,8 @@
 # This template is based on http://jdem.cz/v64a3 from University of Leicester
 #
 # @author Jakub Jirutka
-# @version 1.2
-# @date 2014-01-01
+# @version 1.2.1
+# @date 2014-01-26
 #
 ###############################################################################
@@ -97,8 +97,8 @@
 ###############################################################################
 # Accept worldwide access to HTTP and HTTPS
-# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
-# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
+# -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
+# -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
 ###############################################################################
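Review bot: The four ICMP rules rewritten in the -116 hunk keep `-m conntrack --ctstate NEW`, and for types 0, 3 and 11 that state is, to my knowledge, never produced by the kernel's ICMP tracker: an echo reply or an error message either belongs to a tracked flow (RELATED/ESTABLISHED) or, when it matches nothing, is classified INVALID rather than NEW. If that holds, only the type-8 rule feeding ICMPFLOOD does any work and the other three are dead; replies to this host's own traffic are presumably admitted by a RELATED,ESTABLISHED rule above the hunk, so either drop the three rules or add a comment saying why they stay. Dropping `-m tcp`/`-m udp`/`-m icmp` is itself behaviour-neutral, since `-p` loads the protocol match implicitly, but `iptables-save` prints the `-m` options back, so a file that is ever dumped and reloaded will drift to the old form; a header note such as `# Protocol matches (-m tcp/udp/icmp) are implied by -p; iptables-save re-adds them on dump.` would keep the next maintainer from reverting it. The same applies to the -109 hunk of rules-ipv6.ip6tables.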
@@ -109,49 +109,49 @@
 # Accept worldwide access to SSH and use SSHBRUTE chain for preventing
 # brute-force attacks.
--A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
+-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
 # Permit needed ICMP packet types for IPv6 per RFC 4890
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
--A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
--A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
--A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
--A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
--A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
--A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
--A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
 # Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
 # flooding.
--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD
+-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD
 # Do not log packets that are going to ports used by SMB
 # (Samba / Windows Sharing)
 -A INPUT -p udp -m multiport --dports 135,445 -j DROP
--A INPUT -p udp -m udp --dport 137:139 -j DROP
--A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
+-A INPUT -p udp --dport 137:139 -j DROP
+-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
 -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
 # Do not log packets that are going to port used by UPnP protocol
--A INPUT -p udp -m udp --dport 1900 -j DROP
+-A INPUT -p udp --dport 1900 -j DROP
 # Do not log late replies from nameservers
--A INPUT -p udp -m udp --sport 53 -j DROP
+-A INPUT -p udp --sport 53 -j DROP
 # Good practise is to explicately reject AUTH traffic so that it fails fast
--A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
+-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
 # Prevent DOS by filling log files
 -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
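Review bot: The rewritten NDP rules (ICMPv6 types 133–137) accept from any source at any hop limit, whereas RFC 4890 §4.4.1 and RFC 4861 require legitimate NDP to carry a hop limit of 255 and the receiving stack discards anything else, so the unconditional ACCEPT can be tightened with `-m hl --hl-eq 255`, in the same spirit as the MLD rules (130–132, 143) already being limited to `fe80::/10`. This does not change what the host processes as NDP; it only stops the firewall from explicitly accepting packets that cannot be valid NDP, leaving them to the chain's later rules. The five changed lines are below; removing `-m icmp6` itself is behaviour-neutral because `-p ipv6-icmp` implies the match.
```iptables
# … unchanged: ICMPv6 types 1–4 …
-A INPUT -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
# … unchanged: types 141–153, echo request, SMB/UPnP/DNS/AUTH drops, LOG rule …
```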