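# Generated by xtables-save v1.8.2 on Mon Apr 5 17:39:44 2021
#
# IPv4 host firewall for a single-homed machine: external interface enp0s31f6,
# own address "ip.ip.ip.ip" (placeholder - replace before loading).
# Load with:  iptables-restore < <this file>
#
# NOTE: this is the IPv4 filter table only. It does nothing for IPv6; an
#       equivalent ip6tables ruleset (or disabling IPv6) is required, otherwise
#       every listening service is reachable over IPv6 unfiltered.
# NOTE: the anti-spoofing block assumes enp0s31f6 faces a public network. If
#       the host actually sits on an RFC1918 LAN, the 10/8, 172.16/12 or
#       192.168/16 rule will drop all legitimate traffic - remove that one rule.
# NOTE: every LOG rule carries "-m limit --limit 5/min --limit-burst 10" so a
#       scan or flood cannot fill syslog; expect sampled, not complete, logs.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
##############################
## Chain Policies
##############################
# The default policy of all three built-in chains is DROP (set by the chain
# declarations above): unmatched packets are silently discarded, the policy
# itself sends no ICMP "administratively prohibited" and no TCP RST.
# (Kept for reference only; the ":CHAIN DROP" lines above already do this.)
#-P INPUT DROP
#-P FORWARD DROP
#-P OUTPUT DROP
## Loopback communication: everything on lo is trusted.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
##############################
## Security - Anti-spoofing
##############################
# Source addresses that can never legitimately arrive on the external
# interface: each is logged (rate-limited) and then dropped. Complement this
# with the kernel reverse-path filter:
#   sysctl -w net.ipv4.conf.all.rp_filter=1
# Refuse spoofed packets pretending to be from our own IP address.
-A INPUT -i enp0s31f6 -s ip.ip.ip.ip -m limit --limit 5/min --limit-burst 10 -m comment --comment "FW: Spoof Own-IP" -j LOG --log-prefix "FW: Spoof Own-IP "
-A INPUT -i enp0s31f6 -s ip.ip.ip.ip -j DROP -m comment --comment "FW: Spoof Own-IP"
# Refuse packets claiming to come from the loopback network on a physical
# interface (only lo may carry 127/8; see the lo ACCEPT rules above).
-A INPUT -i enp0s31f6 -s 127.0.0.0/8 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: Spoof Loopback-IP "
-A INPUT -i enp0s31f6 -s 127.0.0.0/8 -j DROP
# Refuse packets claiming to be from the RFC1918 10.0.0.0/8 ("Class A") private range.
-A INPUT -i enp0s31f6 -s 10.0.0.0/8 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: Spoof ClassA-IP "
-A INPUT -i enp0s31f6 -s 10.0.0.0/8 -j DROP
# Refuse packets claiming to be from the RFC1918 172.16.0.0/12 ("Class B") private range.
-A INPUT -i enp0s31f6 -s 172.16.0.0/12 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: Spoof ClassB-IP "
-A INPUT -i enp0s31f6 -s 172.16.0.0/12 -j DROP
# Refuse packets claiming to be from the RFC1918 192.168.0.0/16 ("Class C") private range.
-A INPUT -i enp0s31f6 -s 192.168.0.0/16 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: Spoof ClassC-IP "
-A INPUT -i enp0s31f6 -s 192.168.0.0/16 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
-A INPUT -i enp0s31f6 -s 224.0.0.0/4 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: Spoof ClassD-IP "
-A INPUT -i enp0s31f6 -s 224.0.0.0/4 -j DROP
# Refuse Class E reserved addresses. Class E is 240.0.0.0/4 (240-255), not /5:
# the previous /5 left 248.0.0.0-255.255.255.255 (including the limited
# broadcast address 255.255.255.255, never a valid source) unfiltered.
-A INPUT -i enp0s31f6 -s 240.0.0.0/4 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: Spoof ClassE-IP "
-A INPUT -i enp0s31f6 -s 240.0.0.0/4 -j DROP
##############################
## Security - Scan-Types
##############################
# Malformed TCP flag combinations used by port scanners. These sit before the
# service rules so a scan never reaches an ACCEPT.
# NMAP-XMAS-Scan (every flag set)
-A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: NMAP-XMAS Scan "
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# XMAS-Scan (exactly FIN,URG,PSH)
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: XMAS Scan "
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# XMAS PSH-Scan (every flag except PSH)
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: XMAS PSH-Scan "
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# SYN/RST-Scan (SYN and RST together is never valid)
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: SYN/RST Scan "
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN-Scan (SYN and FIN together is never valid)
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: SYN/FIN Scan "
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# NULL-Scan (no flags at all)
-A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: NULL-Scan "
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Invalid conntrack state, for every protocol (previously TCP only): packets
# that belong to no known connection and cannot start one, e.g. stray ICMP
# errors or UDP fragments that conntrack could not classify.
-A INPUT -m state --state INVALID -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: Invalid State "
-A INPUT -m state --state INVALID -j DROP
# Non-valid TCP-Options. Log only: the original ruleset has no DROP here and
# it is not clear whether that is deliberate - confirm before adding one.
-A INPUT -p tcp --tcp-option 64 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: Bad TCP-Option 64 "
-A INPUT -p tcp --tcp-option 128 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: Bad TCP-Option 128 "
# A new connection must start with a bare SYN. A NEW packet without SYN is
# either a scan (ACK/FIN probes) or a stale flow after a conntrack flush.
# (Log prefix corrected: the rule matches NEW-without-SYN, not SYN-without-ACK.)
-A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: NEW without SYN "
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
############################## ICMP START
## Official ICMP types and code fields:
## - https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
##
## Names that iptables understands:
## /sbin/iptables -p icmp -h
##
## Types:
## 0 - echo-reply
## 3 - destination-unreachable
##     Code 4 is: Fragmentation needed (required for path-MTU discovery)
## 8 - echo-request
## 11 - time-exceeded (traceroute replies)
##
## Inbound ICMP is accepted only where it belongs to something this host
## started: echo-reply to our own ping (ESTABLISHED) and ICMP errors tied to an
## existing flow (RELATED). NEW was removed from those three rules - it let any
## remote party inject unsolicited ICMP replies/errors at the host (ICMP
## tunnels, reflected floods). echo-request keeps NEW so the host stays
## pingable; add "-m limit" to that rule if ping floods are a concern.
##############################
-A INPUT -i enp0s31f6 -p icmp --icmp-type echo-reply -d ip.ip.ip.ip -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i enp0s31f6 -p icmp --icmp-type destination-unreachable -d ip.ip.ip.ip -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i enp0s31f6 -p icmp --icmp-type echo-request -d ip.ip.ip.ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i enp0s31f6 -p icmp --icmp-type time-exceeded -d ip.ip.ip.ip -m state --state ESTABLISHED,RELATED -j ACCEPT
## Inbound UDP traceroute probes (so this host can be traced to). The kernel
## answers them with ICMP port-unreachable through the OUTPUT rule below.
-A INPUT -i enp0s31f6 -p udp -m udp --sport 32769:65535 -d ip.ip.ip.ip --dport 33434:33523 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o enp0s31f6 -p icmp --icmp-type echo-reply -s ip.ip.ip.ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o enp0s31f6 -p icmp --icmp-type destination-unreachable -s ip.ip.ip.ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o enp0s31f6 -p icmp --icmp-type echo-request -s ip.ip.ip.ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o enp0s31f6 -p icmp --icmp-type time-exceeded -s ip.ip.ip.ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#-A OUTPUT -p icmp -s ip.ip.ip.ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Outbound UDP traceroute probes from this host.
-A OUTPUT -o enp0s31f6 -p udp -m udp -s ip.ip.ip.ip --sport 32769:65535 --dport 33434:33523 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
################################ ICMP END
################################ NTP START
##
## Incoming: replies to our own queries only, we are NOT an NTP server
-A INPUT -i enp0s31f6 -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
##
## Outgoing: queries to upstream NTP servers
-A OUTPUT -o enp0s31f6 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
##
################################ NTP END
################################ DNS START
##
## Incoming to high ports: replies to our own queries only, we are NOT a DNS server
-A INPUT -i enp0s31f6 -p udp -m udp --sport 53 -d ip.ip.ip.ip --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
##
## Outgoing from high ports to the DNS port
-A OUTPUT -o enp0s31f6 -p udp -m udp -s ip.ip.ip.ip --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
##
## DNS over TCP: resolvers retry over TCP when a UDP answer is truncated
## (large responses, DNSSEC). Without these two rules such lookups hang.
-A INPUT -i enp0s31f6 -p tcp -m tcp --sport 53 -d ip.ip.ip.ip --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o enp0s31f6 -p tcp -m tcp -s ip.ip.ip.ip --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
##
################################ DNS END
################################ SSH START
##
## Incoming: sshd listens on 222. New connections are throttled per source
## address with the "recent" match: the 6th NEW connection from one address
## within 60 s is logged and dropped (slows brute-force / credential stuffing).
## Tune --seconds/--hitcount if legitimate automation opens many sessions.
-A INPUT -i enp0s31f6 -p tcp -m tcp --dport 222 -m state --state NEW -m recent --name SSH --set
-A INPUT -i enp0s31f6 -p tcp -m tcp --dport 222 -m state --state NEW -m recent --name SSH --rcheck --seconds 60 --hitcount 6 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: SSH rate-limit "
-A INPUT -i enp0s31f6 -p tcp -m tcp --dport 222 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 6 -j DROP
-A INPUT -i enp0s31f6 -p tcp -m tcp --dport 222 -m state --state NEW,ESTABLISHED -j ACCEPT
##
## Outgoing: replies from our sshd
-A OUTPUT -o enp0s31f6 -p tcp -m tcp --sport 222 -m state --state ESTABLISHED -j ACCEPT
##
## New outgoing SSH-Connections from this system (to servers listening on 222;
## add a dport 22 pair if standard-port servers must be reachable)
-A OUTPUT -o enp0s31f6 -p tcp -m tcp --dport 222 -m state --state NEW,ESTABLISHED -j ACCEPT
## Replies to those outgoing connections. This rule was missing: the reply
## packets (sport 222 -> our high port) matched nothing in INPUT, so outgoing
## SSH from this host could never complete.
-A INPUT -i enp0s31f6 -p tcp -m tcp --sport 222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
##
################################ SSH END
################################ HTTP START
##
## Incoming to our web server on port 80
-A INPUT -i enp0s31f6 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
##
## Outgoing: replies from our web server
-A OUTPUT -o enp0s31f6 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
##
## New outgoing HTTP connections from this system (e.g. package updates)
-A OUTPUT -o enp0s31f6 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Outgoing dport 80"
## Replies to those outgoing connections: ESTABLISHED only. The previous
## NEW,ESTABLISHED let anyone reach ANY high port on this host simply by using
## source port 80 (nmap -g 80), bypassing the default DROP for every service
## listening above 1024 (databases, admin interfaces, ...).
-A INPUT -i enp0s31f6 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Incoming 80 from any high port"
##
################################ HTTP END
################################ HTTPS START
##
## Incoming to our web server on port 443
-A INPUT -i enp0s31f6 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
##
## Outgoing: replies from our web server
-A OUTPUT -o enp0s31f6 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
##
## New outgoing HTTPS connections from this system
-A OUTPUT -o enp0s31f6 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Outgoing dport 443"
## Replies to those outgoing connections: ESTABLISHED only (same source-port
## 443 bypass as described for HTTP above).
-A INPUT -i enp0s31f6 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Incoming 443 from any high port"
##
################################ HTTPS END
##################################
## DEBUG
##################################
# Anything else not already allowed is logged (rate-limited) and then dropped
# by the default policy. The former "END lo-Rule" LOG rules were unreachable -
# all loopback traffic is accepted by the first two rules - and were removed.
-A INPUT -i enp0s31f6 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: INPUT END-Rule "
-A OUTPUT -o enp0s31f6 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW: OUTPUT END-Rule "
# CAVEAT: answering unmatched TCP with a RST contradicts the stealth intent of
# the DROP policy: a plain SYN scan (nmap -sS) gets a clean "closed" for every
# port instead of "filtered", and the RST confirms the host is up. It is kept
# because it makes closed ports fail fast for legitimate clients; remove this
# rule if silent dropping is preferred.
-A INPUT -i enp0s31f6 -p tcp -m tcp -j REJECT --reject-with tcp-reset -m comment --comment "FW: Reject everything TCP"
COMMIT
# Completed on Mon Apr 5 17:39:44 2021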