
Firewall rules

  1. #!/bin/sh
  2.  
  3. # firewall.rull
  4.  
  5. #Flush table :
  6. iptables -F
  7. iptables -X
  8.  
  9. #change policy
  10. iptables -P INPUT DROP
  11. iptables -P OUTPUT DROP
  12. iptables -P FORWARD DROP
  13.  
  14. #Autorise established connexions
  15. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  16. iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  17.  
  18. #Manage SSH
  19. iptables -A INPUT -p tcp --dport 2222 -i enp0s3 -j ACCEPT
  20. iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --name BLACKLIST --set
  21. iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --name BLACKLIST --update --seconds 60 --hitcount 5 --rttl -j DROP
  22.  
  23. #Manage DNS
  24. iptables -A OUTPUT --protocol udp --destination-port 53 -j ACCEPT
  25. iptables -A INPUT --protocol udp --dport 53 -j ACCEPT
  26. iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --name BLACKLIST --set
  27. iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
  28.  
  29. #Manage HTTP
  30. iptables -A INPUT -p tcp --dport http -i enp0s3 -j ACCEPT
  31. iptables -A OUTPUT -p tcp -m multiport --dports http -j ACCEPT
  32. iptables -A INPUT -p tcp --dport http -m state --state NEW -m recent --name BLACKLIST --set
  33. iptables -A INPUT -p tcp --dport http -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
  34.  
  35. #Manage HTTPS
  36. iptables -A INPUT -p tcp --dport https -i enp0s3 -j ACCEPT
  37. iptables -A OUTPUT -p tcp -m multiport --dports https -j ACCEPT
  38. iptables -A INPUT -p tcp --dport https -m state --state NEW -m recent --name BLACKLIST --set
  39. iptables -A INPUT -p tcp --dport https -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
  40.  
  41. # Mail SMTP:25
  42. #iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
  43. #iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
  44. #iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name BLACKLIST --set
  45. #iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
  46.  
  47. #manage Mail SMTP:MailHub
  48. iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
  49. iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
  50. iptables -A INPUT -p tcp --dport 587 -m state --state NEW -m recent --name BLACKLIST --set
  51. iptables -A INPUT -p tcp --dport 587 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
  52.  
  53. #manage Port Scan
  54. iptables -A INPUT -i enp0s3 -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
  55. iptables -A INPUT -i enp0s3 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  56. iptables -A INPUT -i enp0s3 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
  57.  
  58. #Incoming malformed XMAS packets
  59. iptables -A INPUT -i enp0s3 -p tcp --tcp-flags ALL ALL -j DROP
  60. #Incoming malformed NULL packets
  61. iptables -A INPUT -i enp0s3 -p tcp --tcp-flags ALL NONE -j DROP
  62.  
  63. #Adding Security ruls
  64. iptables -A INPUT -p all -j DROP
  65. iptables -A OUTPUT -p all -j DROP
  66. iptables -A FORWARD -p all -j DROP
  67.  
  68. #Log to the file
  69. iptables -N LOGGING
  70. iptables -A INPUT -j LOGGING
  71. iptables -A OUTPUT -j LOGGING
  72. iptables -A FORWARD -j LOGGING
  73. iptables -A LOGGING -m limit --limit 4/sec -j LOG --log-level 4 --log-prefix "IPTables-Dropped: "
  74. iptables -A LOGGING -j DROP