- # Firewall configuration written by system-config-firewall
- # Manual customization of this file is not recommended.
- #
- # This sample taken from : https://gist.github.com/hwdsl2/7e295eaa6c7919508b03
- #
- # Layout (iptables-restore format, two tables):
- #   filter: INPUT hands packets to ICMPALL (ICMP type policy), ASIP (SIP/RTP
- #           ports) and DPTS (per-port policy), then logs and DROPs the rest.
- #           IPSPF (TCP-flag sanity + per-source SYN rate limit) is defined but,
- #           as written, never jumped to (its INPUT hook is commented out below).
- #   raw:    PREROUTING -> TCPSIP/UDPSIP string matches for well-known SIP
- #           scanner signatures; BADSIP/NEWSIP maintain the xt_recent lists that
- #           the filter table consults. Every PREROUTING rule below is commented
- #           out, so as written none of the raw-table chains are reached.
- #
- # NOTE(review): the "recent" list MYSIP is only ever populated by NEWSIP (raw
- # table, --set), and NEWSIP is only reached from the commented-out PREROUTING
- # rules. --rcheck/--update do not add entries. With the PREROUTING rules
- # disabled nothing adds a source to MYSIP, so: the INPUT rule on TCP 5060:5061
- # drops every RELATED,ESTABLISHED SIP packet (the TCP handshake cannot complete),
- # and ASIP drops all UDP SIP signalling. Enable the PREROUTING rules and set the
- # hostname before relying on this file for a reachable SIP service.
- # Likewise the RLM list is only --set in RLMSET, which is only referenced from
- # commented-out DPTS lines, so the RLM ban rule in INPUT never matches as written.
- *filter
- # Built-in chain policies. INPUT's ACCEPT policy is moot: the last INPUT rule
- # DROPs everything unmatched. FORWARD is DROP (this host does not route).
- :INPUT ACCEPT [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- # User-defined chains (see the per-chain comments below).
- :ICMPALL - [0:0]
- :IPSPF - [0:0]
- :ASIP - [0:0]
- :DPTS - [0:0]
- :RLMSET - [0:0]
- # Established/related TCP SIP traffic from a source NOT in the MYSIP list is
- # dropped. This sits before the generic RELATED,ESTABLISHED accept on purpose,
- # so only sources that NEWSIP has whitelisted can keep a SIP TCP session.
- -A INPUT -p tcp --dport 5060:5061 -m conntrack --ctstate RELATED,ESTABLISHED -m recent ! --rcheck --name MYSIP -j DROP
- # Drop packets conntrack cannot classify, accept replies to existing flows,
- # accept loopback.
- -A INPUT -m conntrack --ctstate INVALID -j DROP
- -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- # Temporary ban: a source that RLMSET added to RLM is dropped (and its timer
- # refreshed by --update) for 600 s after its last packet.
- -A INPUT -m recent --update --name RLM --seconds 600 --hitcount 1 -j DROP
- # --icmp-type 255 acts as a wildcard for all ICMP types; ICMPALL decides.
- -A INPUT -p icmp --icmp-type 255 -j ICMPALL
- # Allow DHCP traffic
- # -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
- # Hook for the IPSPF sanity chain; commented out, so IPSPF is inactive as written.
- # -A INPUT -i eth+ -j IPSPF
- # SSH from anywhere. Note DPTS below also accepts port 22, so that line is redundant.
- -A INPUT -p tcp --dport 22 -j ACCEPT
- -A INPUT -j ASIP
- -A INPUT -j DPTS
- # Rate-limited log of everything about to be dropped. No --log-prefix is set,
- # so these entries are not easy to pick out of the kernel log.
- -A INPUT -m limit --limit 10/min -j LOG
- -A INPUT -j DROP
- # ICMPALL: drop ICMP fragments, allow echo reply (0), destination unreachable (3),
- # source quench (4), echo request (8) and time exceeded (11); drop the rest.
- -A ICMPALL -p icmp --fragment -j DROP
- -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
- -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
- -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
- -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
- -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
- -A ICMPALL -p icmp -j DROP
- # IPSPF: source/destination sanity checks. Only active if the INPUT hook above
- # is uncommented.
- # Drop packets FROM bogon IPv4 addresses
- # Delete the line below if your server uses this range:
- # -A IPSPF -s 10.0.0.0/8 -j DROP
- # # Same as above
- # -A IPSPF -s 172.16.0.0/12 -j DROP
- # # Same as above
- # -A IPSPF -s 192.168.0.0/16 -j DROP
- # -A IPSPF -s 0.0.0.0/8 -j DROP
- # -A IPSPF -s 100.64.0.0/10 -j DROP
- # -A IPSPF -s 127.0.0.0/8 -j DROP
- # -A IPSPF -s 169.254.0.0/16 -j DROP
- # -A IPSPF -s 192.0.0.0/24 -j DROP
- # -A IPSPF -s 192.0.2.0/24 -j DROP
- # -A IPSPF -s 198.18.0.0/15 -j DROP
- # -A IPSPF -s 198.51.100.0/24 -j DROP
- # -A IPSPF -s 203.0.113.0/24 -j DROP
- # -A IPSPF -s 224.0.0.0/4 -j DROP
- # -A IPSPF -s 240.0.0.0/4 -j DROP
- # -A IPSPF -s 255.255.255.255 -j DROP
- # # Drop packets TO broadcast/multicast/loopback IPs
- # -A IPSPF -d 0.0.0.0/8 -j DROP
- # -A IPSPF -d 127.0.0.0/8 -j DROP
- # -A IPSPF -d 224.0.0.0/4 -j DROP
- # -A IPSPF -d 255.255.255.255 -j DROP
- # # These are some bad TCP flags used in attacks:
- # Illegal/nonsensical flag combinations (null, xmas, SYN+RST, SYN+FIN, bare FIN).
- -A IPSPF -p tcp --tcp-flags ALL NONE -j DROP
- -A IPSPF -p tcp --tcp-flags ALL ALL -j DROP
- -A IPSPF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- -A IPSPF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- -A IPSPF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- -A IPSPF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
- -A IPSPF -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
- # Reject NEW TCP packets w/ ACK flag. Someone could be sending packets with your server's IP as his fake IP
- # (a SYN+ACK that conntrack sees as NEW has no matching outbound SYN; answer with RST).
- -A IPSPF -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
- # Drop NEW TCP packets w/o SYN flag
- -A IPSPF -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
- # Drop empty UDP packets (lengths 0 to 28)
- # (20-byte IP header + 8-byte UDP header = 28, i.e. no payload)
- -A IPSPF -p udp -m length --length 0:28 -j DROP
- # Limit incoming NEW TCP connections to 10/sec for each IP (configurable)
- # The 11th SYN from one source within 1 s is dropped; earlier ones are recorded
- # in INSYN and returned to INPUT. NOTE(review): --hitcount depends on xt_recent's
- # ip_pkt_list_tot module parameter (default 20) being >= the hitcount - confirm
- # on the target kernel if you raise this value.
- -A IPSPF -p tcp --syn -m recent --update --name INSYN --seconds 1 --hitcount 11 -j DROP
- -A IPSPF -p tcp --syn -m recent --set --name INSYN -j RETURN
- -A IPSPF -j RETURN
- # DPTS: per-port policy. A RLMSET target here bans the source for 600 s (see
- # INPUT); every such line is currently commented out.
- # Change to ACCEPT if FTP server:
- # -A DPTS -p tcp --dport 21 -j DROP
- # Remember to change your SSH port first!
- # This rule is already ACCEPT (and INPUT accepts port 22 before reaching DPTS),
- # so it only matters if you change the INPUT rule above.
- -A DPTS -p tcp --dport 22 -j ACCEPT
- #-A DPTS -p tcp --dport 23 -j RLMSET
- # # Change to ACCEPT if MAIL server:
- # -A DPTS -p tcp --dport 25 -j RLMSET
- # Note: Port 80 and/or 443 are needed to access the FreePBX GUI.
- # For security, do NOT open them here. Use SSH port forwarding instead.
- # -A DPTS -p tcp --dport 80 -j DROP
- # -A DPTS -p tcp --dport 443 -j DROP
- # -A DPTS -p tcp --dport 1433 -j RLMSET
- # -A DPTS -p tcp --dport 3128 -j RLMSET
- # Change to ACCEPT if Internet-facing MySQL server:
- # -A DPTS -p tcp --dport 3306 -j RLMSET
- # -A DPTS -p tcp --dport 3389 -j RLMSET
- # -A DPTS -p tcp --dport 4899 -j RLMSET
- # -A DPTS -p tcp --dport 5900 -j RLMSET
- -A DPTS -j RETURN
- # RLMSET: record the source in the RLM list and drop the packet.
- -A RLMSET -m recent --set --name RLM -j DROP
- # ASIP: SIP signalling and RTP media.
- #  - TCP 5060:5061 is accepted from anywhere here, but only sources in MYSIP
- #    survive the INPUT rule on established traffic above.
- #  - UDP 5060:5061 is accepted only from sources already in MYSIP (--update does
- #    not add entries); everything else on those ports is dropped.
- #  - UDP 10000:20000 (RTP) is accepted from any source.
- -A ASIP -p tcp --dport 5060:5061 -j ACCEPT
- -A ASIP -p udp --dport 5060:5061 -m recent --update --name MYSIP -j ACCEPT
- -A ASIP -p udp --dport 5060:5061 -j DROP
- -A ASIP -p udp --dport 10000:20000 -j ACCEPT
- -A ASIP -j RETURN
- COMMIT
- *raw
- # The raw table runs before conntrack; it classifies SIP traffic by payload
- # string and maintains the BADSIP/MYSIP recent lists (shared by name with the
- # filter table above). The built-in PREROUTING declaration is commented out;
- # presumably iptables-restore keeps the existing policy - confirm on the host.
- #:PREROUTING ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :BADSIP - [0:0]
- :TCPSIP - [0:0]
- :UDPSIP - [0:0]
- :NEWSIP - [0:0]
- # IMPORTANT: Replace "YOUR_HOSTNAME.no-ip.com" with the dynamic IP hostname you have set up!
- # Intended flow (all currently commented out, so TCPSIP/UDPSIP/BADSIP/NEWSIP are
- # unreachable as written):
- #  1. already-known SIP peers (MYSIP) are accepted and their timer refreshed;
- #  2. a request naming this server's own SIP hostname goes to NEWSIP, which adds
- #     the source to MYSIP;
- #  3. sources previously flagged in BADSIP are dropped;
- #  4. remaining SIP traffic is scanned for scanner signatures in TCPSIP/UDPSIP.
- # -A PREROUTING -i eth+ -m recent --update --name MYSIP -j ACCEPT
- # -A PREROUTING -i eth+ -p tcp --dport 5060:5061 -m string --string "sip:YOUR_HOSTNAME.no-ip.com" --algo bm --icase -j NEWSIP
- # -A PREROUTING -i eth+ -p udp --dport 5060:5061 -m string --string "sip:YOUR_HOSTNAME.no-ip.com" --algo bm --to 1500 --icase -j NEWSIP
- # -A PREROUTING -i eth+ -m recent --update --name BADSIP -j DROP
- # -A PREROUTING -i eth+ -p tcp --dport 5060:5061 -j TCPSIP
- # -A PREROUTING -i eth+ -p udp --dport 5060:5061 -j UDPSIP
- # TCPSIP / UDPSIP: payload substrings of well-known SIP scanners and test
- # agents. Matching sends the source to BADSIP. For UDP the search is bounded to
- # the first 1500 bytes (--to 1500). Case-insensitive only where --icase is given.
- -A TCPSIP -m string --string "sundayddr" --algo bm -j BADSIP
- -A TCPSIP -m string --string "sipsak" --algo bm -j BADSIP
- -A TCPSIP -m string --string "sipvicious" --algo bm --icase -j BADSIP
- -A TCPSIP -m string --string "friendly-scanner" --algo bm -j BADSIP
- -A TCPSIP -m string --string "iWar" --algo bm -j BADSIP
- -A TCPSIP -m string --string "sip-scan" --algo bm -j BADSIP
- -A TCPSIP -m string --string "sipcli" --algo bm -j BADSIP
- -A TCPSIP -m string --string "eyeBeam" --algo bm -j BADSIP
- -A TCPSIP -m string --string "VaxSIPUserAgent" --algo bm -j BADSIP
- -A TCPSIP -m string --string "sip:nm@nm" --algo bm -j BADSIP
- -A TCPSIP -m string --string "sip:carol@chicago.com" --algo bm -j BADSIP
- -A UDPSIP -m string --string "sundayddr" --algo bm --to 1500 -j BADSIP
- -A UDPSIP -m string --string "sipsak" --algo bm --to 1500 -j BADSIP
- -A UDPSIP -m string --string "sipvicious" --algo bm --icase --to 1500 -j BADSIP
- -A UDPSIP -m string --string "friendly-scanner" --algo bm --to 1500 -j BADSIP
- -A UDPSIP -m string --string "iWar" --algo bm --to 1500 -j BADSIP
- -A UDPSIP -m string --string "sip-scan" --algo bm --to 1500 -j BADSIP
- -A UDPSIP -m string --string "sipcli" --algo bm --to 1500 -j BADSIP
- -A UDPSIP -m string --string "eyeBeam" --algo bm --to 1500 -j BADSIP
- -A UDPSIP -m string --string "VaxSIPUserAgent" --algo bm --to 1500 -j BADSIP
- -A UDPSIP -m string --string "sip:nm@nm" --algo bm --to 1500 -j BADSIP
- -A UDPSIP -m string --string "sip:carol@chicago.com" --algo bm --to 1500 -j BADSIP
- # BADSIP: remember the source and drop. NEWSIP: whitelist the source and accept.
- # These two --set lines are the only places BADSIP and MYSIP are ever populated.
- -A BADSIP -m recent --set --name BADSIP -j DROP
- -A NEWSIP -m recent --set --name MYSIP -j ACCEPT
- COMMIT