From c9f6bdbfcf597578e562c92ea1e256a9ebcf3a2c Mon Sep 17 00:00:00 2001
From: Jakub Jirutka
Date: Tue, 28 Jan 2014 00:59:55 +0100
Subject: [PATCH] Add unified ip(6)tables file

---
 rules-both.iptables | 205 +++++++++++++++++++++++++++++++++++++++++++
 rules-ipv4.iptables | 37 ++++----
 rules-ipv6.ip6tables | 63 ++++++-------
 3 files changed, 256 insertions(+), 49 deletions(-)
 create mode 100644 rules-both.iptables

diff --git a/rules-both.iptables b/rules-both.iptables
new file mode 100644
index 0000000..c025b0b
--- /dev/null
+++ b/rules-both.iptables
@@ -0,0 +1,205 @@
+###############################################################################
+# The MIT License
+#
+# Copyright 2012-2014 Jakub Jirutka .
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+###############################################################################
+#
+# Basic ip(6)tables (both IPv4 and IPv6) template for an ordinary servers
+#
+# This file is in iptables-restore (ip6tables-restore) format. See the man
+# pages for iptables-restore (ip6tables-restore). Rules that should be loaded
+# only by iptables (ip6tables) uses the -4 (-6) option.
+#
+# The following is a set of firewall rules that should be applicable to Linux
+# servers running within departments. It is intended to provide a useful
+# starting point from which to devise a comprehensive firewall policy for
+# a host.
+#
+# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
The optional part 4 is
+# prepared for a NAT rules, e.g. for port forwarding, redirect, masquerade...
+#
+# This template is based on http://jdem.cz/v64a3 from University of Leicester
+#
+# For the newest version go to https://gist.github.com/jirutka/3742890.
+#
+# @author Jakub Jirutka
+# @version 1.3.1
+# @date 2014-01-28
+#
+
+###############################################################################
+# 1. COMMON HEADER #
+# #
+# This section is a generic header that should be suitable for most hosts. #
+###############################################################################
+
+*filter
+
+# Base policy
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Don't attempt to firewall internal traffic on the loopback device.
+-A INPUT -i lo -j ACCEPT
+
+# Continue connections that are already established or related to an established
+# connection.
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Drop non-conforming packets, such as malformed headers, etc.
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Block remote packets claiming to be from a loopback address.
+-4 -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
+-6 -A INPUT -s ::1/128 ! -i lo -j DROP
+
+# Drop all packets that are going to broadcast, multicast or anycast address.
+-4 -A INPUT -m addrtype --dst-type BROADCAST -j DROP
+-4 -A INPUT -m addrtype --dst-type MULTICAST -j DROP
+-4 -A INPUT -m addrtype --dst-type ANYCAST -j DROP
+-4 -A INPUT -d 224.0.0.0/4 -j DROP
+
+# Chain for preventing SSH brute-force attacks.
+# Permits 10 new connections within 5 minutes from a single host then drops
+# incomming connections from that host. Beyond a burst of 100 connections we
+# log at up 1 attempt per second to prevent filling of logs.
+-N SSHBRUTE
+-A SSHBRUTE -m recent --name SSH --set
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
+-A SSHBRUTE -j ACCEPT
+
+# Chain for preventing ping flooding - up to 6 pings per second from a single
+# source, again with log limiting. Also prevents us from ICMP REPLY flooding
+# some victim when replying to ICMP ECHO from a spoofed source.
+-N ICMPFLOOD
+-A ICMPFLOOD -m recent --set --name ICMP --rsource
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
+-A ICMPFLOOD -j ACCEPT
+
+
+###############################################################################
+# 2. HOST SPECIFIC RULES #
+# #
+# This section is a good place to enable your host-specific services. #
+###############################################################################
+
+# Accept HTTP and HTTPS
+#-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT
+
+# Accept FTP only for IPv4
+#-4 -A INPUT -p tcp --dport 21 --syn -m conntrack --ctstate NEW -j ACCEPT
+
+
+###############################################################################
+# 3. GENERAL RULES #
+# #
+# This section contains general rules that should be suitable for most hosts. #
+###############################################################################
+
+# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
+# brute-force attacks.
+-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
+
+# Permit useful IMCP packet types for IPv4
+# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
+# Blocking these can make diagnosing of even simple faults much more tricky.
+# Real security lies in locking down and hardening all services, not by hiding.
+-4 -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
+-4 -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
+-4 -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
+
+# Permit needed ICMP packet types for IPv6 per RFC 4890.
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
+-6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
+-6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
+-6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
+-6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
+-6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
+-6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
+-6 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
+
+# Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
+# flooding.
+-4 -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
+-6 -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD
+
+# Do not log packets that are going to ports used by SMB
+# (Samba / Windows Sharing).
+-A INPUT -p udp -m multiport --dports 135,445 -j DROP
+-A INPUT -p udp --dport 137:139 -j DROP
+-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
+-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
+
+# Do not log packets that are going to port used by UPnP protocol.
+-A INPUT -p udp --dport 1900 -j DROP
+
+# Do not log late replies from nameservers.
+-A INPUT -p udp --sport 53 -j DROP
+
+# Good practise is to explicately reject AUTH traffic so that it fails fast.
+-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
+
+# Prevent DOS by filling log files.
+-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
+
+COMMIT
+
+
+###############################################################################
+# 4. HOST SPECIFIC NAT RULES #
+# #
+# Uncomment this section if you want to use NAT table, e.g. for port #
+# forwarding, redirect, masquerade... If you want to load this section only #
+# for IPv4 and ignore for IPv6, use ip6tables-restore with -T filter. #
+###############################################################################
+
+#*nat
+
+# Base policy
+#:PREROUTING ACCEPT [0:0]
+#:POSTROUTING ACCEPT [0:0]
+#:OUTPUT ACCEPT [0:0]
+
+# Redirect port 21 to local port 2121
+#-A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 2121
+
+# Forward port 8080 to port 80 on host 192.168.1.10
+#-4 -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
+
+#COMMIT
diff --git a/rules-ipv4.iptables b/rules-ipv4.iptables
index 194e048..622104b 100644
--- a/rules-ipv4.iptables
+++ b/rules-ipv4.iptables
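Review bot: The SSHBRUTE and ICMPFLOOD chains in part 1 key `-m recent` on the full source address, and the new `-6` rules (the unqualified port-22 rule and `--icmpv6-type 128 -j ICMPFLOOD`) feed those same chains, so under IPv6 a client holding a /64 gets a fresh 10-attempt budget for every address it rotates through its host bits. Where the installed xt_recent supports `--mask`, prefix the existing recent rules with `-4` and add `-6` copies carrying `--mask ffff:ffff:ffff:ffff::` so the counters aggregate per /64 (shown below for SSHBRUTE; ICMPFLOOD needs the same treatment). Separately, the `-4 ... --icmp-type 0 ... --ctstate NEW -j ACCEPT` rule in part 3 can only ever admit unsolicited echo replies, because replies to the host's own pings already match the earlier `RELATED,ESTABLISHED` accept; if that is deliberate, a one-line comment saying so would save the next reader the same question.
```iptables
-N SSHBRUTE
-4 -A SSHBRUTE -m recent --name SSH --set
-6 -A SSHBRUTE -m recent --name SSH --mask ffff:ffff:ffff:ffff:: --set
-4 -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
-6 -A SSHBRUTE -m recent --name SSH --mask ffff:ffff:ffff:ffff:: --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
-4 -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
-6 -A SSHBRUTE -m recent --name SSH --mask ffff:ffff:ffff:ffff:: --update --seconds 300 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT
# ... unchanged: ICMPFLOOD chain, parts 2-4 ...
```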
@@ -38,11 +38,13 @@
 # populated with rules specific to particular hosts. The optional part 4 is
 # prepared for a NAT rules, e.g. for port forwarding, redirect, masquerade...
 #
-# This template is based on http://jdem.cz/v64a3 from University of Leicester
+# This template is based on http://jdem.cz/v64a3 from University of Leicester.
+#
+# For the newest version go to https://gist.github.com/jirutka/3742890.
 #
 # @author Jakub Jirutka
-# @version 1.3
-# @date 2014-01-26
+# @version 1.3.1
+# @date 2014-01-28
 #
 ###############################################################################
@@ -58,20 +60,20 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
-# Don't attempt to firewall internal traffic on the loopback device
+# Don't attempt to firewall internal traffic on the loopback device.
 -A INPUT -i lo -j ACCEPT
 # Continue connections that are already established or related to an established
-# connection
+# connection.
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Drop non-conforming packets, such as malformed headers, etc.
 -A INPUT -m conntrack --ctstate INVALID -j DROP
-# Block remote packets claiming to be from a loopback address
+# Block remote packets claiming to be from a loopback address.
 -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-# Drop all packets that are going to broadcast, multicast or anycast address
+# Drop all packets that are going to broadcast, multicast or anycast address.
 -A INPUT -m addrtype --dst-type BROADCAST -j DROP
 -A INPUT -m addrtype --dst-type MULTICAST -j DROP
 -A INPUT -m addrtype --dst-type ANYCAST -j DROP
@@ -80,7 +82,7 @@
 # Chain for preventing SSH brute-force attacks.
 # Permits 10 new connections within 5 minutes from a single host then drops
 # incomming connections from that host. Beyond a burst of 100 connections we
-# log at up 1 attempt per second to prevent filling of logs
+# log at up 1 attempt per second to prevent filling of logs.
 -N SSHBRUTE
 -A SSHBRUTE -m recent --name SSH --set
 -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
@@ -89,7 +91,7 @@
 # Chain for preventing ping flooding - up to 6 pings per second from a single
 # source, again with log limiting. Also prevents us from ICMP REPLY flooding
-# some victim when replying to ICMP ECHO from a spoofed source
+# some victim when replying to ICMP ECHO from a spoofed source.
 -N ICMPFLOOD
 -A ICMPFLOOD -m recent --set --name ICMP --rsource
 -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
@@ -104,9 +106,8 @@
 # ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 ! #
 ###############################################################################
-# Accept worldwide access to HTTP and HTTPS
-# -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
-# -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
+# Accept HTTP and HTTPS
+#-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT
 ###############################################################################
@@ -119,7 +120,7 @@
 # brute-force attacks.
 -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
-# Permit useful IMCP packet types
+# Permit useful IMCP packet types.
 # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
 # Blocking these can make diagnosing of even simple faults much more tricky.
 # Real security lies in locking down and hardening all services, not by hiding.
@@ -129,22 +130,22 @@
 -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
 # Do not log packets that are going to ports used by SMB
-# (Samba / Windows Sharing)
+# (Samba / Windows Sharing).
 -A INPUT -p udp -m multiport --dports 135,445 -j DROP
 -A INPUT -p udp --dport 137:139 -j DROP
 -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
 -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
-# Do not log packets that are going to port used by UPnP protocol
+# Do not log packets that are going to port used by UPnP protocol.
 -A INPUT -p udp --dport 1900 -j DROP
-# Do not log late replies from nameservers
+# Do not log late replies from nameservers.
 -A INPUT -p udp --sport 53 -j DROP
-# Good practise is to explicately reject AUTH traffic so that it fails fast
+# Good practise is to explicately reject AUTH traffic so that it fails fast.
 -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-# Prevent DOS by filling log files
+# Prevent DOS by filling log files.
 -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
 COMMIT
diff --git a/rules-ipv6.ip6tables b/rules-ipv6.ip6tables
index fb688c4..3b92a87 100644
--- a/rules-ipv6.ip6tables
+++ b/rules-ipv6.ip6tables
@@ -37,11 +37,13 @@
 # Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
 # populated with rules specific to particular hosts.
 #
-# This template is based on http://jdem.cz/v64a3 from University of Leicester
+# This template is based on http://jdem.cz/v64a3 from University of Leicester.
+#
+# For the newest version go to https://gist.github.com/jirutka/3742890.
 #
 # @author Jakub Jirutka
-# @version 1.2.1
-# @date 2014-01-26
+# @version 1.3.1
+# @date 2014-01-28
 #
 ###############################################################################
@@ -57,23 +59,23 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
-# Don't attempt to firewall internal traffic on the loopback device
+# Don't attempt to firewall internal traffic on the loopback device.
 -A INPUT -i lo -j ACCEPT
 # Continue connections that are already established or related to an established
-# connection
+# connection.
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Drop non-conforming packets, such as malformed headers, etc.
 -A INPUT -m conntrack --ctstate INVALID -j DROP
-# Block remote packets claiming to be from a loopback address
+# Block remote packets claiming to be from a loopback address.
 -A INPUT -s ::1/128 ! -i lo -j DROP
 # Chain for preventing SSH brute-force attacks.
 # Permits 10 new connections within 5 minutes from a single host then drops
 # incomming connections from that host. Beyond a burst of 100 connections we
-# log at up 1 attempt per second to prevent filling of logs
+# log at up 1 attempt per second to prevent filling of logs.
 -N SSHBRUTE
 -A SSHBRUTE -m recent --name SSH --set
 -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
@@ -82,7 +84,7 @@
 # Chain for preventing ping flooding - up to 6 pings per second from a single
 # source, again with log limiting. Also prevents us from ICMP REPLY flooding
-# some victim when replying to ICMP ECHO from a spoofed source
+# some victim when replying to ICMP ECHO from a spoofed source.
 -N ICMPFLOOD
 -A ICMPFLOOD -m recent --set --name ICMP --rsource
 -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
@@ -96,9 +98,8 @@
 # This section is a good place to enable your host-specific services. #
 ###############################################################################
-# Accept worldwide access to HTTP and HTTPS
-# -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
-# -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
+# Accept HTTP and HTTPS
+#-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT
 ###############################################################################
@@ -111,24 +112,24 @@
 # brute-force attacks.
 -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
-# Permit needed ICMP packet types for IPv6 per RFC 4890
--A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
+# Permit needed ICMP packet types for IPv6 per RFC 4890.
+-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
--A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
@@ -137,23 +138,23 @@
 # flooding.
 -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD
-# Do not log packets that are going to ports used by SMB
-# (Samba / Windows Sharing)
+# Do not log packets that are going to ports used by SMB
+# (Samba / Windows Sharing).
 -A INPUT -p udp -m multiport --dports 135,445 -j DROP
 -A INPUT -p udp --dport 137:139 -j DROP
 -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
 -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
-# Do not log packets that are going to port used by UPnP protocol
+# Do not log packets that are going to port used by UPnP protocol.
 -A INPUT -p udp --dport 1900 -j DROP
-# Do not log late replies from nameservers
+# Do not log late replies from nameservers.
 -A INPUT -p udp --sport 53 -j DROP
-# Good practise is to explicately reject AUTH traffic so that it fails fast
+# Good practise is to explicately reject AUTH traffic so that it fails fast.
 -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-# Prevent DOS by filling log files
+# Prevent DOS by filling log files.
 -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
 COMMIT