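#!/usr/bin/env bash
#
# Host firewall for an OpenVPN server (IPv4 only).
#
# Default-deny inbound; allows loopback, established/related traffic,
# rate-limited SSH, the OpenVPN UDP port and ICMP; forwards traffic from
# the VPN subnet; then persists the ruleset with iptables-persistent.
#
# Must run as root. Only iptables (IPv4) is configured: ip6tables is not
# touched, so an IPv6-enabled host keeps whatever IPv6 policy it already had.
# Run from the console or a session that tolerates the short window between
# the flush and the RELATED,ESTABLISHED rule; with set -e a failing iptables
# call stops the script with the rules installed so far.
set -euo pipefail

readonly SSH_PORT=22
readonly OPENVPN_PORT=41100
readonly VPN_SUBNET='10.8.0.0/24'
# SSH brute-force throttle: a source that opens SSH_HITS new SSH connections
# within SSH_WINDOW seconds has further attempts dropped.
readonly SSH_WINDOW=60
readonly SSH_HITS=4

die() { printf '%s\n' "$*" >&2; exit 1; }

# Empty the filter/nat/mangle tables (rules and user chains) and the two raw
# chains this script writes to.
flush_rules() {
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -t raw -F PREROUTING
  iptables -t raw -F OUTPUT
}

# Default policies: inbound denied, forwarding and outbound open.
set_policies() {
  iptables -P INPUT DROP
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}

# Raw-table sanity filter: drop implausibly small or large UDP datagrams
# before connection tracking sees them. --length is compared against the
# packet length with IP and UDP headers included, so 0:32 drops datagrams
# carrying only a few bytes of payload. Applies to every UDP port, the
# OpenVPN port included.
drop_odd_udp() {
  iptables -t raw -A PREROUTING -p udp --dport 1:65535 -m length --length 0:32 -j DROP
  iptables -t raw -A PREROUTING -p udp --dport 1:65535 -m length --length 2521:65535 -j DROP
  # Skipping connection tracking for OpenVPN is untested; left disabled.
  #iptables -t raw -A PREROUTING -p udp --dport "$OPENVPN_PORT" -j NOTRACK
}

# INPUT chain rules, appended in evaluation order.
input_rules() {
  # Loopback first, so nothing below can interfere with local services.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  # Replies to connections this host opened or has already accepted.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Aggregate (not per-source) limit on new TCP connections. A user-defined
  # chain is required: a RETURN matched in the built-in INPUT chain applies
  # the chain policy (DROP) instead of continuing with the next rule, which
  # would drop exactly the within-limit SYNs this is meant to let through.
  # The rate values are a starting point and need tuning under real load;
  # the rule must precede the ACCEPT rules below to have any effect.
  iptables -N syn_flood
  iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
  iptables -A syn_flood -j DROP
  iptables -A INPUT -p tcp --syn -j syn_flood

  # SSH: drop a source once it exceeds SSH_HITS new connections within
  # SSH_WINDOW seconds, record each attempt, otherwise accept.
  iptables -A INPUT -p tcp -m state --state NEW --dport "$SSH_PORT" \
    -m recent --update --seconds "$SSH_WINDOW" --hitcount "$SSH_HITS" -j DROP
  iptables -A INPUT -p tcp -m state --state NEW --dport "$SSH_PORT" \
    -m recent --set
  iptables -A INPUT -p tcp -m state --state NEW --dport "$SSH_PORT" -j ACCEPT

  # OpenVPN, with connection tracking. -p udp is required: --dport is only
  # valid together with a protocol match, and iptables rejects the rule
  # without it.
  iptables -A INPUT -p udp -m state --state NEW --dport "$OPENVPN_PORT" -j ACCEPT

  # All ICMP types, unrestricted.
  iptables -A INPUT -p icmp -j ACCEPT
}

# Forward traffic that originates from the VPN subnet.
forward_rules() {
  iptables -A FORWARD -s "$VPN_SUBNET" -j ACCEPT
}

# Save the ruleset so it is restored on boot, then load it.
persist_rules() {
  service iptables-persistent save
  service iptables-persistent start
}

main() {
  [[ $EUID -eq 0 ]] || die "must run as root"
  command -v iptables >/dev/null || die "iptables not found"
  flush_rules
  set_policies
  drop_odd_udp
  input_rules
  forward_rules
  persist_rules
}

main "$@"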