iptables rules

1. ##Good rules to help you mitigate Layer protection, by ShieldCommunity community
2. #Please remember to ask us for other if you use panels (https://discord.gg/HhFxScZWAT) or xIsm4#9127
3.  
4. #1 > Block invalid packets
5. iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
6.  
7. #2 > Packets that are not SYN (Only new=
8. iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
9.  
10. #3 > Block trash MSS Values (Good)
11. iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
12.  
13. #4 > Block Bogus Packets with TCP flags
14. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
15. iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
16. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
17. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
18. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
19. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
20. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
21.  
22. #5 (NOT GOOD SOMETIMES!!) > Block most of subnets
23. iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
24. iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
25. iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
26. iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
27. iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
28. iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
29. iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
30. iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
31. iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
32.  
33. 6# > Drop ICMPv4 protocol ping (Not v6) - (Good for ping-spam)
34. iptables -t mangle -A PREROUTING -p icmp -j DROP
35. iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
36.  
37. 7# > Limit connections (If you're large network increase it)
38.  
39. iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
40. iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
41.  
42. 8# > Limit TCP connections per/s
43. iptables -t mangle -A PREROUTING -f -j DROP
44.  
45. 9# > Limit fragmentation UDP flood
46.  
47. iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
48. iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
49.  
50. 10# > SYNPROXY RULES:
51.  
52. iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
53. iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
54. iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
55.  
56. 11# > Avoid port scanning (Forwarding exploit)
57.  
58. iptables -N port-scanning
59. iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
60. iptables -A port-scanning -j DROP
61.  
62. 12# > Avoid Linux connections (OPTIONALL!!)
63. iptables -A INPUT -p tcp -m tcp --dport 25565 --tcp-option 8 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
64.  
65. ##Just install iptables-persistant for RedHat/CentOS based systems