linux firewall ip tables
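#!/usr/bin/env bash
# linux firewall iptables
#
# Builds a host firewall: everything is denied by the trailing DROP rules on
# INPUT, FORWARD and OUTPUT; before that, loopback, RELATED/ESTABLISHED
# traffic, ping, and outbound DNS/HTTP/HTTPS are allowed, and INPUT is run
# through two user chains (PORTSCAN, SYNFLOOD).  Inbound SSH is NOT opened
# (see the commented-out port-22 rule below).  Needs root via sudo; every
# rule takes effect as soon as it is appended.
#
# NOTE: if this is applied over SSH, only the current (ESTABLISHED) session
# survives; new SSH connections end in the final INPUT DROP unless the
# port-22 INPUT rule is un-commented first.
set -euo pipefail   # a failed iptables call must not leave a half-built ruleset

#######################################
# Run one iptables command as root.
# Arguments: iptables arguments, passed through unchanged
# Returns:   exit status of iptables
#######################################
ipt() {
  sudo /sbin/iptables "$@"
}

# Reset the rules.  Flush (-F) before deleting user chains (-X): -X fails on
# a chain that still holds rules or is referenced from another chain.
ipt -F
ipt -X
ipt -Z

# Allow loopback connections:
ipt -A INPUT -i lo -j ACCEPT
ipt -A OUTPUT -o lo -j ACCEPT

# Allow existing connections:
ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ping (request and reply, both directions):
ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
ipt -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# Block typical port scans (invalid TCP flag combinations):
ipt -N PORTSCAN
ipt -A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags ALL NONE -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
ipt -A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# A user chain only matters once a built-in chain jumps to it; without this
# line the PORTSCAN rules above are never evaluated.
ipt -A INPUT -p tcp -j PORTSCAN

# Stop SYN floods: let up to 40 new connections/s through, reset the rest.
ipt -N SYNFLOOD
ipt -A SYNFLOOD -p tcp --syn -m limit --limit 40/s -j RETURN
ipt -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
ipt -A INPUT -p tcp -m state --state NEW -j SYNFLOOD

# Drop fragmented packets:
ipt -A INPUT -f -j DROP

# Drop NEW TCP connections that do not start with a SYN:
ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Open outbound ports (DNS, HTTP, HTTPS):
# ipt -A INPUT -p udp --sport 53 -j ACCEPT
ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
ipt -A OUTPUT -p tcp --dport 80 -j ACCEPT
ipt -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Open inbound TCP port 22 (SSH) — disabled by default, see NOTE at the top:
# ipt -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
ipt -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Drop everything not explicitly allowed above
ipt -A INPUT -j DROP
ipt -A FORWARD -j DROP
ipt -A OUTPUT -j DROP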