Amarildo - IPTABLES

a guest
May 27th, 2015
573
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.95 KB | None | 0 0
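  # Host firewall for a single (IPv4) workstation: default-deny in every
  # direction, a short allow-list of outbound client protocols, everything
  # else logged and dropped. Run as root, e.g. `sh iptables.sh`.
  #
  # Changes from the original ruleset, all behaviour-relevant:
  #   * the script is now idempotent: it flushes the filter table and deletes
  #     the user chains after setting the DROP policies (re-running the old
  #     version appended duplicate rules and failed on every `-N`);
  #   * every LOG rule is rate limited so a packet flood cannot fill the log
  #     or starve syslog (the DROP that follows each LOG is unconditional);
  #   * ESTABLISHED,RELATED is accepted on INPUT *before* the blanket ICMP
  #     drop, so ICMP errors for this host's own connections (RELATED, e.g.
  #     fragmentation-needed, which path-MTU discovery relies on) are no
  #     longer discarded;
  #   * the duplicated OUTPUT "non-SYN NEW" rule and the unreachable RULE_24
  #     INPUT rule are gone.
  #
  # `set -e`: stop at the first failing command. The DROP policies are the
  # first thing installed, so an aborted run leaves the host closed, not open.
  set -e

  # Site-specific values. `iptables -s/-d NAME` resolves NAME when the rule is
  # loaded (via /etc/hosts or DNS -- and DNS is already unreachable by then
  # because OUTPUT is DROP), so an explicit IPv4 address is the safer choice.
  # NOTE(review): on Debian-style hosts the hostname often maps to 127.0.1.1
  # in /etc/hosts, which would make the anti-spoof rule match nothing -- verify.
  HOST=amarildo
  IFACE=enp0s7

  # Rate limit shared by all LOG rules (per rule): at most LOG_LIMIT sustained,
  # with a burst of LOG_BURST.
  LOG_LIMIT=5/min
  LOG_BURST=10

  # log_drop_chain NAME LEVEL PREFIX
  # Create user chain NAME that logs (rate limited, syslog level LEVEL, line
  # prefix PREFIX) and then drops every packet jumped into it.
  log_drop_chain() {
      iptables -N "$1"
      iptables -A "$1" -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
          -j LOG --log-level "$2" --log-prefix "$3"
      iptables -A "$1" -j DROP
  }

  # allow_out PROTO PORT
  # Permit this host to open PROTO connections to PORT on any destination.
  allow_out() {
      iptables -A OUTPUT -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
  }

  # Policies first, flush second: the host is never open while the rules are
  # rebuilt, and `-X` succeeds because `-F` has removed every reference.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  iptables -F
  iptables -X

  # iptables filters IPv4 only. If the host has IPv6 connectivity the rules
  # below are bypassed over v6 unless ip6tables enforces the same default-deny.
  # Loopback is kept open so local services bound to ::1 keep working.
  if command -v ip6tables >/dev/null 2>&1; then
      ip6tables -P INPUT DROP
      ip6tables -P OUTPUT DROP
      ip6tables -P FORWARD DROP
      ip6tables -F
      ip6tables -X
      ip6tables -A INPUT  -i lo -j ACCEPT
      ip6tables -A OUTPUT -o lo -j ACCEPT
  fi

  # A TCP packet that conntrack calls NEW but is not a bare SYN is either a
  # leftover of a session opened before the firewall was (re)loaded or a
  # crafted packet; drop it in both directions.
  iptables -A INPUT  -p tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
  iptables -A OUTPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

  # Packets conntrack cannot classify, plus TCP packets with no flags at all
  # (NULL scan), are logged at debug level and dropped.
  log_drop_chain drop_invalid debug "INVALID state -- DENY "
  iptables -A INPUT  -m state --state INVALID -j drop_invalid
  iptables -A OUTPUT -m state --state INVALID -j drop_invalid
  iptables -A INPUT  -p tcp --tcp-flags ALL NONE -j drop_invalid

  # Anti-spoof: a packet arriving on the LAN interface that claims to come
  # from this host's own address.
  log_drop_chain In_RULE_0 info "RULE 0 -- DENY "
  iptables -A INPUT -i "$IFACE" -s "$HOST" -j In_RULE_0

  # Replies to connections this host opened, and RELATED traffic (ICMP errors
  # for those connections, helper-tracked data channels), are accepted here --
  # ahead of the ICMP and port blocks below. Loopback may open new connections.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i lo -m state --state NEW -j ACCEPT

  # Unsolicited ICMP (no ping replies). Related ICMP errors were already
  # accepted above.
  log_drop_chain In_RULE_1 info "RULE 1 -- DENY "
  iptables -A INPUT -p icmp --icmp-type any -j In_RULE_1

  # whois (tcp/43).
  log_drop_chain In_RULE_2 info "RULE 2 -- DENY "
  iptables -A INPUT -p tcp --dport 43 -j In_RULE_2

  # Xmas scans: URG+PSH+FIN only, and all six flags set.
  log_drop_chain In_RULE_3 info "RULE 3 -- DENY "
  iptables -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j In_RULE_3
  log_drop_chain In_RULE_4 info "RULE 4 -- DENY "
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j In_RULE_4

  # Non-first IP fragments. With connection tracking loaded the kernel
  # reassembles datagrams before the filter table sees them, so this rarely
  # matches; it is kept as defence in depth.
  log_drop_chain In_RULE_5 info "RULE 5 -- DENY "
  iptables -A INPUT -f -j In_RULE_5

  # who (udp/513) and UDP traceroute probes.
  log_drop_chain In_RULE_6 info "RULE 6 -- DENY "
  iptables -A INPUT -p udp --dport 513 -j In_RULE_6
  log_drop_chain In_RULE_7 info "RULE 7 -- DENY "
  iptables -A INPUT -p udp --dport 33434:33524 -j In_RULE_7

  # OUTPUT: loopback, replies on accepted connections, then the allow-list.
  iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Outbound client protocols this host may initiate, to any destination.
  # A tighter ruleset would pin each service to its server with `-d`.
  # 110/143/25 are cleartext unless the client negotiates STARTTLS.
  allow_out tcp 53      # DNS
  allow_out udp 53
  allow_out tcp 21      # FTP control channel only; the data channel needs the
                        # nf_conntrack_ftp helper to be tracked as RELATED,
                        # otherwise passive-mode transfers are dropped below.
  allow_out tcp 80      # HTTP
  allow_out tcp 443     # HTTPS
  allow_out tcp 143     # IMAP
  allow_out tcp 110     # POP3
  allow_out tcp 515     # LPD printer
  allow_out tcp 25      # SMTP
  allow_out tcp 465     # SMTPS
  allow_out udp 1194    # OpenVPN
  allow_out udp 464     # kpasswd (Kerberos password change)

  # Catch-alls. The DROP policies already enforce this; these rules exist only
  # to tag the log line by protocol. RULE_23 on INPUT matches every remaining
  # packet, which is why there is no RULE_24 INPUT rule.
  log_drop_chain RULE_21 info "RULE 21 -- DENY "
  iptables -A OUTPUT -p udp -j RULE_21
  iptables -A INPUT  -p udp -j RULE_21

  log_drop_chain RULE_22 info "RULE 22 -- DENY "
  iptables -A OUTPUT -p tcp -j RULE_22
  iptables -A INPUT  -p tcp -j RULE_22

  log_drop_chain RULE_23 info "RULE 23 -- DENY "
  iptables -A OUTPUT -d "$HOST" -j RULE_23
  iptables -A INPUT  -j RULE_23

  log_drop_chain RULE_24 info "RULE 24 -- DENY "
  iptables -A OUTPUT -j RULE_24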