IpTablesFirewalls
r1 - 16 Aug 2009 - 06:36:38 - PorchLight
Below is a list of different iptables firewall rules I use.

Simple server with SSH.

#default policy.
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#Allow pings (ICMP echo request, type 8)
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rate limit for SSH: a source is only allowed 4 new connections to port 22 within a 60 second period; further attempts from it are dropped. Stops most brute force attacks.
#Only really practical for SSH. Might be good for low volume POP/SMTP/FTP.
#http://www.faqs.org/docs/iptables/statemachine.html
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT

#NAT (really PAT) for running OpenVPN on the tun0 interface. Lets the OpenVPN server act as a "HotSpot": all Internet traffic from the clients is routed through this box.
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

#SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Don't accept source routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#Don't send ICMP redirects
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

#Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

#Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#Use this for PSAD. Use the rate limited logging below for non PSAD. 
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A FORWARD -j LOG


#Explicitly drop TCP to port 0 (not a valid destination) and port 1 (tcpmux)
iptables -A INPUT -p tcp --dport 0 -j DROP
iptables -A INPUT -p tcp --dport 1 -j DROP


# Log the rest of the incoming messages (all of which are dropped)
# with a maximum of 15 log entries per minute. OUTPUT has policy ACCEPT,
# so nothing is dropped (or logged) there; INPUT and FORWARD are the DROP chains.
#/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#/sbin/iptables -A FORWARD -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

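As an added example (not part of the original page), here is a small POSIX shell script that tallies what the rate-limited LOG rules above record, so the dropped traffic can actually be reviewed. It assumes the "Dropped by firewall: " prefix from those rules and the kernel's standard LOG line layout (SRC=, DPT= fields); the syslog lines are constructed samples.

```shell
#!/bin/sh
# Tally firewall drop log lines per source address and destination port.
# Assumes the LOG target prefix "Dropped by firewall: " used above.

# Constructed sample syslog lines in the format the kernel LOG target emits.
SAMPLE_LOG='Aug 16 06:30:01 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 16 06:30:02 host kernel: Dropped by firewall: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Aug 16 06:30:02 host kernel: Dropped by firewall: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN URGP=0
Aug 16 06:30:02 host kernel: Dropped by firewall: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51237 DPT=22 SYN URGP=0
Aug 16 06:30:05 host kernel: Dropped by firewall: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40000 DPT=445 SYN URGP=0
Aug 16 06:30:06 host kernel: sshd[123]: Accepted publickey for alice from 198.51.100.7'

# Read syslog text on stdin; print "count SRC DPT" per source/port pair,
# most frequent first. Lines without the firewall prefix are ignored.
summarize_drops() {
    grep 'Dropped by firewall: ' |
    awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "" && dpt != "") hits[src " " dpt]++;
    }
    END { for (k in hits) print hits[k], k }' |
    sort -rn
}

# Print source addresses with at least $1 dropped packets in total.
noisy_sources() {
    summarize_drops |
    awk -v n="$1" '{ total[$2] += $1 }
        END { for (s in total) if (total[s] >= n) print s }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Feed it a real /var/log/messages (or wherever klogd writes) instead of the sample to see which sources the default DROP policy is absorbing.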

-- PorchLight - 16 Aug 2009
