Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- *filter
- #policies
- -P OUTPUT ACCEPT
- -P INPUT DROP
- -P FORWARD DROP
- -N SERVICES
- #logging
- #-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
- -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
- #allowed inputs
- -A INPUT --in-interface lo -j ACCEPT
- -A INPUT -j SERVICES
- #VoIP alternative, implement slowly
- #-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- #-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as --ctstate INVALID."
- #allowed responses
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- #mtu fix
- -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- #attack prevention
- -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
- -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
- -A INPUT -m state --state INVALID -j DROP
- -A FORWARD -m state --state INVALID -j DROP
- -A OUTPUT -m state --state INVALID -j DROP
- -A INPUT -s 10.0.0.0/8 -j DROP
- -A INPUT -s 169.254.0.0/16 -j DROP
- -A INPUT -s 172.16.0.0/12 -j DROP
- -A INPUT -s 127.0.0.0/8 -j DROP
- -A INPUT -s 224.0.0.0/4 -j DROP
- -A INPUT -d 224.0.0.0/4 -j DROP
- -A INPUT -s 240.0.0.0/5 -j DROP
- -A INPUT -d 240.0.0.0/5 -j DROP
- -A INPUT -s 0.0.0.0/8 -j DROP
- -A INPUT -d 0.0.0.0/8 -j DROP
- -A INPUT -d 239.255.255.0/24 -j DROP
- -A INPUT -d 255.255.255.255 -j DROP
- -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
- -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j LOG --log-prefix "LOGDROP "
- -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
- -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
- -A INPUT -m state --state INVALID -j DROP
- -A FORWARD -m state --state INVALID -j DROP
- -A OUTPUT -m state --state INVALID -j DROP
- -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
- -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j --log-prefix "LOGDROP "
- -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
- -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
- #-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
- #-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
- #-A INPUT -m recent --name portscan --remove
- #-A FORWARD -m recent --name portscan --remove
- #-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
- #-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
- #block by ip
- -A INPUT -s 41.191.226.74 -j DROP
- -A INPUT -s 41.191.226.74 -j DROP
- -A INPUT -s 88.57.23.138 -j DROP
- -A INPUT -s 222.186.8.1 -j DROP
- -A INPUT -s 211.151.97.90 -j DROP
- -A INPUT -s 211.151.97.90 -j DROP
- -A INPUT -s 109.73.70.194 -j DROP
- -A INPUT -s 81.209.165.73 -j DROP
- -A INPUT -s 67.137.238.164 -j DROP
- -A INPUT -s 207.237.5.113 -j DROP
- -A INPUT -s 122.224.52.164 -j DROP
- -A INPUT -s 109.73.70.194 -j DROP
- -A INPUT -s 88.57.23.138 -j DROP
- #allow services
- -A SERVICES -p tcp --dport 80 -j ACCEPT
- -A SERVICES -p tcp --dport 22 -j ACCEPT
- -A SERVICES -p tcp --dport 21 -j ACCEPT
- -A SERVICES -p tcp --dport 3306 -j ACCEPT
- -A SERVICES -p udp --dport 3306 -j ACCEPT
- -A SERVICES -p tcp --dport 10000 -j ACCEPT
- -A SERVICES -p tcp --dport 5060 -s 63.211.239.14 -j ACCEPT
- -A SERVICES -p udp --dport 5060 -s 63.211.239.14 -j ACCEPT
- -A SERVICES -p udp --dport 10000:20000 -s 63.211.239.14 -j ACCEPT
- COMMIT
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
