Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/sh
- # firewall.rull
- #Flush table :
- iptables -F
- iptables -X
- #change policy
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
- iptables -P FORWARD DROP
- #Autorise established connexions
- iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- #Manage SSH
- iptables -A INPUT -p tcp --dport 2222 -i enp0s3 -j ACCEPT
- iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --name BLACKLIST --set
- iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --name BLACKLIST --update --seconds 60 --hitcount 5 --rttl -j DROP
- #Manage DNS
- iptables -A OUTPUT --protocol udp --destination-port 53 -j ACCEPT
- iptables -A INPUT --protocol udp --dport 53 -j ACCEPT
- iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --name BLACKLIST --set
- iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
- #Manage HTTP
- iptables -A INPUT -p tcp --dport http -i enp0s3 -j ACCEPT
- iptables -A OUTPUT -p tcp -m multiport --dports http -j ACCEPT
- iptables -A INPUT -p tcp --dport http -m state --state NEW -m recent --name BLACKLIST --set
- iptables -A INPUT -p tcp --dport http -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
- #Manage HTTPS
- iptables -A INPUT -p tcp --dport https -i enp0s3 -j ACCEPT
- iptables -A OUTPUT -p tcp -m multiport --dports https -j ACCEPT
- iptables -A INPUT -p tcp --dport https -m state --state NEW -m recent --name BLACKLIST --set
- iptables -A INPUT -p tcp --dport https -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
- # Mail SMTP:25
- #iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
- #iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
- #iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name BLACKLIST --set
- #iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
- #manage Mail SMTP:MailHub
- iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
- iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
- iptables -A INPUT -p tcp --dport 587 -m state --state NEW -m recent --name BLACKLIST --set
- iptables -A INPUT -p tcp --dport 587 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
- #manage Port Scan
- iptables -A INPUT -i enp0s3 -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
- iptables -A INPUT -i enp0s3 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- iptables -A INPUT -i enp0s3 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
- #Incoming malformed XMAS packets
- iptables -A INPUT -i enp0s3 -p tcp --tcp-flags ALL ALL -j DROP
- #Incoming malformed NULL packets
- iptables -A INPUT -i enp0s3 -p tcp --tcp-flags ALL NONE -j DROP
- #Adding Security ruls
- iptables -A INPUT -p all -j DROP
- iptables -A OUTPUT -p all -j DROP
- iptables -A FORWARD -p all -j DROP
- #Log to the file
- iptables -N LOGGING
- iptables -A INPUT -j LOGGING
- iptables -A OUTPUT -j LOGGING
- iptables -A FORWARD -j LOGGING
- iptables -A LOGGING -m limit --limit 4/sec -j LOG --log-level 4 --log-prefix "IPTables-Dropped: "
- iptables -A LOGGING -j DROP
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement