-
-
Save AdroitAdorKhan/304da6c29d118c07c5df851035ad9659 to your computer and use it in GitHub Desktop.
General iptables rules to permit wireguard, openvpn and prevent ddos
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | |
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE | |
# allow established sessions to receive traffic | |
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
# allow your application port | |
iptables -I INPUT -p tcp --dport 443 -j ACCEPT | |
iptables -I INPUT -p udp --dport 443 -j ACCEPT | |
# allow SSH | |
iptables -I INPUT -p tcp --dport 22 -j ACCEPT | |
# Allow Ping | |
iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
# allow localhost | |
iptables -A INPUT -i lo -j ACCEPT | |
# block everything else | |
iptables -A INPUT -j DROP | |
Modified from https://gist.github.com/mattia-beta/bd5b1c68e3d51db933181d8a3dc0ba64 | |
### 1: Drop invalid packets ### | |
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP | |
### 2: Drop TCP packets that are new and are not SYN ### | |
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP | |
### 3: Drop SYN packets with suspicious MSS value ### | |
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP | |
### 4: Block packets with bogus TCP flags ### | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP | |
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP | |
### 5: Block spoofed packets ### | |
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP | |
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP | |
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP | |
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP | |
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP | |
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP | |
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP | |
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP | |
### 6: Drop ICMP (you usually don't need this protocol) ### | |
iptables -t mangle -A PREROUTING -p icmp -j DROP | |
### 7: Drop fragments in all chains ### | |
iptables -t mangle -A PREROUTING -f -j DROP | |
### 8: Limit connections per source IP ### | |
iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset | |
### 9: Limit RST packets ### | |
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT | |
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP | |
### 10: Limit new TCP connections per second per source IP ### | |
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT | |
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP | |
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set | |
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP | |
### Protection against port scanning ### | |
iptables -N port-scanning | |
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN | |
iptables -A port-scanning -j DROP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment