  1. # Firewall configuration written by system-config-firewall
  2. # Manual customization of this file is not recommended.
  3. #
  4. # This sample taken from : https://gist.github.com/hwdsl2/7e295eaa6c7919508b03
  5. *filter
  6. :INPUT ACCEPT [0:0]
  7. :FORWARD DROP [0:0]
  8. :OUTPUT ACCEPT [0:0]
  9. :ICMPALL - [0:0]
  10. :IPSPF - [0:0]
  11. :ASIP - [0:0]
  12. :DPTS - [0:0]
  13. :RLMSET - [0:0]
  14. -A INPUT -p tcp --dport 5060:5061 -m conntrack --ctstate RELATED,ESTABLISHED -m recent ! --rcheck --name MYSIP -j DROP
  15. -A INPUT -m conntrack --ctstate INVALID -j DROP
  16. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  17. -A INPUT -i lo -j ACCEPT
  18. -A INPUT -m recent --update --name RLM --seconds 600 --hitcount 1 -j DROP
  19. -A INPUT -p icmp --icmp-type 255 -j ICMPALL
  20. # Allow DHCP traffic
  21. # -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
  22. # -A INPUT -i eth+ -j IPSPF
  23.  
  24. -A INPUT -p tcp --dport 22 -j ACCEPT
  25. -A INPUT -j ASIP
  26. -A INPUT -j DPTS
  27. -A INPUT -m limit --limit 10/min -j LOG
  28. -A INPUT -j DROP
  29. -A ICMPALL -p icmp --fragment -j DROP
  30. -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
  31. -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
  32. -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
  33. -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
  34. -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
  35. -A ICMPALL -p icmp -j DROP
  36. # Drop packets FROM bogon IPv4 addresses
  37. # Delete the line below if your server uses this range:
  38. # -A IPSPF -s 10.0.0.0/8 -j DROP
  39. # # Same as above
  40. # -A IPSPF -s 172.16.0.0/12 -j DROP
  41. # # Save as above
  42. # -A IPSPF -s 192.168.0.0/16 -j DROP
  43. # -A IPSPF -s 0.0.0.0/8 -j DROP
  44. # -A IPSPF -s 100.64.0.0/10 -j DROP
  45. # -A IPSPF -s 127.0.0.0/8 -j DROP
  46. # -A IPSPF -s 169.254.0.0/16 -j DROP
  47. # -A IPSPF -s 192.0.0.0/24 -j DROP
  48. # -A IPSPF -s 192.0.2.0/24 -j DROP
  49. # -A IPSPF -s 198.18.0.0/15 -j DROP
  50. # -A IPSPF -s 198.51.100.0/24 -j DROP
  51. # -A IPSPF -s 203.0.113.0/24 -j DROP
  52. # -A IPSPF -s 224.0.0.0/4 -j DROP
  53. # -A IPSPF -s 240.0.0.0/4 -j DROP
  54. # -A IPSPF -s 255.255.255.255 -j DROP
  55. # # Drop packets TO broadcast/multicast/loopback IPs
  56. # -A IPSPF -d 0.0.0.0/8 -j DROP
  57. # -A IPSPF -d 127.0.0.0/8 -j DROP
  58. # -A IPSPF -d 224.0.0.0/4 -j DROP
  59. # -A IPSPF -d 255.255.255.255 -j DROP
  60. # # These are some bad TCP flags used in attacks:
  61. -A IPSPF -p tcp --tcp-flags ALL NONE -j DROP
  62. -A IPSPF -p tcp --tcp-flags ALL ALL -j DROP
  63. -A IPSPF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  64. -A IPSPF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  65. -A IPSPF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  66. -A IPSPF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  67. -A IPSPF -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
  68. # Reject NEW TCP packets w/ ACK flag. Someone could be sending packets with your server's IP as his fake IP
  69. -A IPSPF -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
  70. # Drop NEW TCP packets w/o SYN flag
  71. -A IPSPF -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  72. # Drop empty UDP packets (lengths 0 to 28)
  73. -A IPSPF -p udp -m length --length 0:28 -j DROP
  74. # Limit incoming NEW TCP connections to 10/sec for each IP (configurable)
  75. -A IPSPF -p tcp --syn -m recent --update --name INSYN --seconds 1 --hitcount 11 -j DROP
  76. -A IPSPF -p tcp --syn -m recent --set --name INSYN -j RETURN
  77. -A IPSPF -j RETURN
  78. # Change to ACCEPT if FTP server:
  79. # -A DPTS -p tcp --dport 21 -j DROP
  80. # Remember to change your SSH port first!
  81. # If you use port 22, change this to ACCEPT!
  82. -A DPTS -p tcp --dport 22 -j ACCEPT
  83. #-A DPTS -p tcp --dport 23 -j RLMSET
  84. # # Change to ACCEPT if MAIL server:
  85. # -A DPTS -p tcp --dport 25 -j RLMSET
  86. # Note: Port 80 and/or 443 are needed to access the FreePBX GUI.
  87. # For security, do NOT open them here. Use SSH port forwarding instead.
  88. # -A DPTS -p tcp --dport 80 -j DROP
  89. # -A DPTS -p tcp --dport 443 -j DROP
  90. # -A DPTS -p tcp --dport 1433 -j RLMSET
  91. # -A DPTS -p tcp --dport 3128 -j RLMSET
  92. # Change to ACCEPT if Internet-facing MySQL server:
  93. # -A DPTS -p tcp --dport 3306 -j RLMSET
  94. # -A DPTS -p tcp --dport 3389 -j RLMSET
  95. # -A DPTS -p tcp --dport 4899 -j RLMSET
  96. # -A DPTS -p tcp --dport 5900 -j RLMSET
  97. -A DPTS -j RETURN
  98. -A RLMSET -m recent --set --name RLM -j DROP
  99. -A ASIP -p tcp --dport 5060:5061 -j ACCEPT
  100. -A ASIP -p udp --dport 5060:5061 -m recent --update --name MYSIP -j ACCEPT
  101. -A ASIP -p udp --dport 5060:5061 -j DROP
  102. -A ASIP -p udp --dport 10000:20000 -j ACCEPT
  103. -A ASIP -j RETURN
  104. COMMIT
  105. *raw
  106. #:PREROUTING ACCEPT [0:0]
  107. :OUTPUT ACCEPT [0:0]
  108. :BADSIP - [0:0]
  109. :TCPSIP - [0:0]
  110. :UDPSIP - [0:0]
  111. :NEWSIP - [0:0]
  112. # IMPORTANT: Replace "YOUR_HOSTNAME.no-ip.com" with the dynamic IP hostname you have set up!
  113. # -A PREROUTING -i eth+ -m recent --update --name MYSIP -j ACCEPT
  114. # -A PREROUTING -i eth+ -p tcp --dport 5060:5061 -m string --string "sip:YOUR_HOSTNAME.no-ip.com" --algo bm --icase -j NEWSIP
  115. # -A PREROUTING -i eth+ -p udp --dport 5060:5061 -m string --string "sip:YOUR_HOSTNAME.no-ip.com" --algo bm --to 1500 --icase -j NEWSIP
  116. # -A PREROUTING -i eth+ -m recent --update --name BADSIP -j DROP
  117. # -A PREROUTING -i eth+ -p tcp --dport 5060:5061 -j TCPSIP
  118. # -A PREROUTING -i eth+ -p udp --dport 5060:5061 -j UDPSIP
  119. -A TCPSIP -m string --string "sundayddr" --algo bm -j BADSIP
  120. -A TCPSIP -m string --string "sipsak" --algo bm -j BADSIP
  121. -A TCPSIP -m string --string "sipvicious" --algo bm --icase -j BADSIP
  122. -A TCPSIP -m string --string "friendly-scanner" --algo bm -j BADSIP
  123. -A TCPSIP -m string --string "iWar" --algo bm -j BADSIP
  124. -A TCPSIP -m string --string "sip-scan" --algo bm -j BADSIP
  125. -A TCPSIP -m string --string "sipcli" --algo bm -j BADSIP
  126. -A TCPSIP -m string --string "eyeBeam" --algo bm -j BADSIP
  127. -A TCPSIP -m string --string "VaxSIPUserAgent" --algo bm -j BADSIP
  128. -A TCPSIP -m string --string "sip:nm@nm" --algo bm -j BADSIP
  129. -A TCPSIP -m string --string "sip:carol@chicago.com" --algo bm -j BADSIP
  130. -A UDPSIP -m string --string "sundayddr" --algo bm --to 1500 -j BADSIP
  131. -A UDPSIP -m string --string "sipsak" --algo bm --to 1500 -j BADSIP
  132. -A UDPSIP -m string --string "sipvicious" --algo bm --icase --to 1500 -j BADSIP
  133. -A UDPSIP -m string --string "friendly-scanner" --algo bm --to 1500 -j BADSIP
  134. -A UDPSIP -m string --string "iWar" --algo bm --to 1500 -j BADSIP
  135. -A UDPSIP -m string --string "sip-scan" --algo bm --to 1500 -j BADSIP
  136. -A UDPSIP -m string --string "sipcli" --algo bm --to 1500 -j BADSIP
  137. -A UDPSIP -m string --string "eyeBeam" --algo bm --to 1500 -j BADSIP
  138. -A UDPSIP -m string --string "VaxSIPUserAgent" --algo bm --to 1500 -j BADSIP
  139. -A UDPSIP -m string --string "sip:nm@nm" --algo bm --to 1500 -j BADSIP
  140. -A UDPSIP -m string --string "sip:carol@chicago.com" --algo bm --to 1500 -j BADSIP
  141. -A BADSIP -m recent --set --name BADSIP -j DROP
  142. -A NEWSIP -m recent --set --name MYSIP -j ACCEPT
  143. COMMIT