Created
December 11, 2013 06:31
-
-
Save cwade12c/7905917 to your computer and use it in GitHub Desktop.
iptables server firewall sh script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #opensource, by cwade12c, probably needs improvement | |
| ipt='sudo /sbin/iptables' | |
| ssh=1012 | |
| http=80 | |
| https=443 | |
| external='1.2.3.4' | |
| lan='192.168.1.0/24' | |
| #kernel tweaks | |
| echo 1 > /proc/sys/net/ipv4/tcp_syncookies | |
| echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts | |
| echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses | |
| echo 1 > /proc/sys/net/ipv4/conf/all/log_martians | |
| #Flush rules | |
| $ipt -F INPUT | |
| $ipt -F OUTPUT | |
| $ipt -F FORWARD | |
| #Create custom ENFORCE,LOGDROP chain | |
| $ipt -N ENFORCE | |
| $ipt -N LOGDROP | |
| #Setup LOGDROP | |
| $ipt -A LOGDROP -j LOG | |
| $ipt -A LOGDROP -j DROP | |
| #Allow loopback | |
| $ipt -A INPUT -i lo -j ACCEPT | |
| $ipt -A OUTPUT -o lo -j ACCEPT | |
| #Block any attempt to spoof the loopback | |
| $ipt -A INPUT -s 127.0.0.1/8 -j DROP | |
| $ipt -A INPUT -d 127.0.0.1/8 -j DROP | |
| #Allow safe existing connections | |
| $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| $ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
| #DROP INVALID packets | |
| $ipt -A INPUT -m state --state INVALID -j DROP | |
| $ipt -A OUTPUT -m state --state INVALID -j DROP | |
| $ipt -A FORWARD -m state --state INVALID -j DROP | |
| #Ensure tcp connections use SYNchronize flag | |
| $ipt -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP | |
| #Service Exceptions | |
| $ipt -A INPUT -p tcp -s $external -m multiport --dports $ssh,$http,$https -j ACCEPT | |
| $ipt -A INPUT -p tcp -s $lan -m multiport --dports $ssh,$http,$https -j ACCEPT | |
| #DROP ICMP echo/echo-request | |
| $ipt -A INPUT -p icmp --icmp-type 0 -j DROP | |
| $ipt -A INPUT -p icmp --icmp-type 8 -j DROP | |
| #Jump incoming to ENFORCE | |
| $ipt -A INPUT -j ENFORCE | |
| #Setup ENFORCE filtering | |
| $ipt -A ENFORCE -p tcp -m tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN | |
| $ipt -A ENFORCE -f -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags ALL ALL -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags ALL NONE -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags FIN,ACK FIN -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags ACK,PSH PSH -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags ACK,URG URG -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags ALL FIN -j DROP | |
| $ipt -A ENFORCE -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP | |
| #Brute/DoS | |
| $ipt -A INPUT -p tcp --dport $ssh -m state --state NEW -m recent --set | |
| $ipt -A INPUT -p tcp --dport $ssh -m state --state NEW -m recent --update --seconds 20 --hitcount 5 -j LOGDROP | |
| $ipt -A INPUT -p tcp -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT | |
| #Deny everything else | |
| $ipt -A INPUT -p tcp -j DROP | |
| $ipt -A OUTPUT -p tcp -j DROP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment