-
Notifications
You must be signed in to change notification settings - Fork 0
/
iptab.ips
67 lines (65 loc) · 3.56 KB
/
iptab.ips
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#!/usr/sbin/iptables-apply
### This -*-conf-*- file is my template /etc/iptab for new hosts.
### Ref. http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
### From init, use iptables-restore /etc/iptab (NOT iptables-apply).
### Ruleset can and should be loaded BEFORE network ifaces exist.
###
### Named hosts and services names are resolved ONCE, at load time.
### See getent(1). For meaningful ethernet iface names, edit
### /etc/udev/rules.d/*persistent-net.rules and reboot.
######################################################################
## Rulesets (*foo ... COMMIT) load atomically. First load a deny-all
## ruleset so that if the "real" ruleset fails to load, the system
## WILL NOT be left in an allow-all state.
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s 192.168/16 -j ACCEPT -m comment --comment "Allow recovery from LAN."
-A OUTPUT -p udp --dport domain -j REJECT -m comment --comment "On error, avoid DNS timeout delays"
COMMIT
######################################################################
*filter
:OUTPUT ACCEPT # Local users/processes are trusted.
:INPUT DROP # Ingress policy is "default deny".
:FORWARD DROP # Routing policy is "default deny".
:PRELUDE - # Best practices for filtered chains.
:SHITLIST -
## Quickly handle the essentials of a "default deny" environment.
## Anything left after this chain implicitly has --ctstate NEW.
-A INPUT -j PRELUDE
-A FORWARD -j PRELUDE
-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as --ctstate INVALID."
-A PRELUDE -p icmp -j ACCEPT
-A PRELUDE -i lo -j ACCEPT
## An automated SSH brute-force shitlist. Requires xtables. Unlike
## fail2ban or DenyHosts, there are NO userspace requirements -- not
## even sshd is needed! echo +1.2.3.4 >/proc/net/xt_recent/goodlist
## to goodlist 1.2.3.4 for an hour. Protects both this host AND all
## hosts "behind" this one.
##
# New connections from IPs shitlisted within the last ten minutes are
# chaotically rejected, AND reset the countdown back to ten minutes.
# This is in PRELUDE such that shitlisted attackers are refused ALL
# services, not just rate-limited ones.
-A PRELUDE -m recent --name shitlist --update --seconds 600 --rttl -j SHITLIST
# This NON-TERMINAL chain counts connections passing through it. When
# a connection rate exceeds 3/min/srcip/dstip/dstport, the source IP
# is shitlisted. Acting on the shitlist is done elsewhere, as is
# accepting or rejecting this connection.
-A PRELUDE -i ppp+ -p tcp --dport ssh -m hashlimit --hashlimit-name maybe-shitlist --hashlimit-mode srcip,dstip,dstport --hashlimit-above 1/min --hashlimit-burst 3 -m recent --name shitlist --set -j LOG --log-prefix "Shitlisted SRC: "
-A SHITLIST -m recent --name goodlist --rcheck --seconds 3600 -j RETURN -m comment --comment "goodlist overrides shitlist"
-A SHITLIST -j CHAOS --tarpit
## YOUR RULES GO HERE. Below is a simple example: a firewalling
## router and SSH gateway that also serves DHCP/DNS/NTP to the LAN,
## with a web server "www" and a mail server "mail" behind it.
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -i lan -p udp -m multiport --dports bootps,domain,ntp -j ACCEPT
-A FORWARD -d mail -p tcp -m multiport --dports smtp,submission,imaps -j ACCEPT
-A FORWARD -d www -p tcp -m multiport --dports http,https -j ACCEPT
## Finally, politely reject all other attempts. Omit these to use the
## chains' default policies (DROP, above) instead.
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT