############################################################################### # Copyright 2012 Jakub Jirutka. All rights reserved. # # "THE KOFOLA-WARE LICENSE" (Revision 1): # Jakub Jirutka originally wrote this file. As long as you retain this notice you # can do whatever you want with this stuff. If we meet some day, and you think # this stuff is worth it, you can buy me a Kofola in return. # ############################################################################### # # Basic ip6tables/IPv6 template for ordinary servers # # This file is in iptables-restore format. See the man pages for # ip6tables-restore(8) and ip6tables-save(8). # # The following is a set of firewall rules that should be applicable to Linux # servers running within departments. It is intended to provide a useful # starting point from which to devise a comprehensive firewall policy for # a host. # # Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be # populated with rules specific to particular hosts. # # This template is based on http://jdem.cz/v64a3 from University of Leicester # # @author Jakub Jirutka # @version 1.0 # @date 2012-09-18 # ############################################################################### # 1. COMMON HEADER # # # # This section is a generic header that should be suitable for most hosts. # ############################################################################### *filter # Base policy :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Don't attempt to firewall internal traffic on the loopback device -A INPUT -i lo -j ACCEPT # Continue connections that are already established or related to an established # connection -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Drop non-conforming packets, such as malformed headers, etc. -A INPUT -m state --state INVALID -j DROP # Block remote packets claiming to be from a loopback address -A INPUT -s ::1/128 ! -i lo -j DROP # Chain for preventing SSH brute-force attacks. # Permits 10 new connections within 5 minutes from a single host then drops # incomming connections from that host. Beyond a burst of 100 connections we # log at up 1 attempt per second to prevent filling of logs -N SSHBRUTE -A SSHBRUTE -m recent --name SSH --set -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "FW/ssh-brute: " -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP -A SSHBRUTE -j ACCEPT # Chain for preventing ping flooding - up to 6 pings per second from a single # source, again with log limiting. Also prevents us from ICMP REPLY flooding # some victim when replying to ICMP ECHO from a spoofed source -N ICMPFLOOD -A ICMPFLOOD -m recent --set --name ICMP --rsource -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "FW/icmp-flood: " -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP -A ICMPFLOOD -j ACCEPT ############################################################################### # 2. HOST SPECIFIC RULES # # # # This section is a good place to enable your host-specific services. # ############################################################################### # Accept worldwide access to HTTP and HTTPS # -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT # -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT # Accept limited access to Munin from hosts on CVUT network # -A INPUT -s 147.32.0.0/15 -p tcp -m tcp --dport 4949 --syn -m state --state NEW -j ACCEPT ############################################################################### # 3. GENERAL RULES # # # # This section contains general rules that should be suitable for most hosts. # ############################################################################### # Accept worldwide access to SSH and use SSHBRUTE chain for preventing # brute-force attacks. -A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE # Permit needed ICMP packet types for IPv6 per RFC 4890 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT -A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT # Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping # flooding. -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ICMPFLOOD # May not want to log late replies from campus nameservers -A INPUT -p udp -m udp --sport 53 -j DROP # Good practise is to explicately reject AUTH traffic so that it fails fast -A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset # Prevent DOS by filling log files -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG COMMIT