iptables updated

Jun 5th, 2022 (edited)
  1. apt install busybox -y
  2.  
  3. apt install iptables-persistent netfilter-persistent conntrack nftables -y
  4.  
  5. systemctl enable netfilter-persistent
  6. systemctl start netfilter-persistent
  7.  
  8. ### 1: Drop invalid packets ###
  9. /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  10.  
  11. ### 2: Drop TCP packets that are new and are not SYN ###
  12. /sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  13.  
  14. ### 3: Drop SYN packets with suspicious MSS value ###
  15. /sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  16.  
  17.  
  18. ### 4: Block packets with bogus TCP flags ###
  19. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  20. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  21. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  22. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  23. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  24. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  25. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  26.  
  27. ### 5: Block spoofed packets ###
  28. /sbin/iptables -t mangle -A PREROUTING -s 10.7.0.0/24 -j ACCEPT
  29. /sbin/iptables -t mangle -A PREROUTING -s 103.147.87.0/24 -j ACCEPT
  30. /sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
  31. /sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
  32. /sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  33. /sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
  34. /sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
  35. /sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  36. /sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
  37. /sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
  38. /sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
  39.  
  40. ### 6: Drop ICMP (you usually don't need this protocol) ###
  41. /sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP
  42.  
  43. ### 7: Drop fragments in all chains ###
  44. /sbin/iptables -t mangle -A PREROUTING -f -j DROP
  45.  
  46. ### 9: Limit RST packets ###
  47. /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  48. /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
  49.  
  50. ### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
  51. /sbin/iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
  52. /sbin/iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
  53. /sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  54.  
  55.  
  56. ### SSH brute-force protection ###
  57. /sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
  58. /sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
  59.  
  60. ### Protection against port scanning ###
  61. /sbin/iptables -N port-scanning
  62. /sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
  63. /sbin/iptables -A port-scanning -j DROP
  64.  
  65. ## Drop udp traffic on ssh ##
  66. iptables -A INPUT -p udp --dport 22 -j DROP
  67. iptables -A INPUT -p udp --sport 22 -j DROP
  68.  
  69. ## Drop Udp for Http and Https ##
  70. iptables -A INPUT -p udp --dport 80 -j DROP
  71. iptables -A INPUT -p udp --sport 80 -j DROP
  72. iptables -A INPUT -p udp --dport 443 -j DROP
  73. iptables -A INPUT -p udp --sport 443 -j DROP
  74.  
  75. # Wireguard
  76. iptables -A INPUT -i wg0 -j ACCEPT
  77. iptables -A INPUT -p tcp --dport 51820 -j DROP
  78. iptables -A INPUT -p tcp --sport 51820 -j DROP
  79.  
  80. echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
  81.  
  82. iptables -A PREROUTING -t raw -m rpfilter --invert -j DROP
  83. ip6tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
  84.  
  85. #Whitelist SSH
  86. iptables -A INPUT -p tcp --dport 22 -s 10.7.0.0/24 -j ACCEPT
  87. iptables -A INPUT -p tcp --sport 22 -s 10.7.0.0/24 -j ACCEPT
  88. iptables -A INPUT -p tcp --dport 22 -j DROP
  89. iptables -A INPUT -p tcp --sport 22 -j DROP
  90.  
  91. iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
  92.  
  93. iptables -A INPUT -f -j ACCEPT
  94. iptables -A INPUT -p tcp -f -j ACCEPT
  95. iptables -A INPUT -p udp -f -j ACCEPT
  96. iptables -A INPUT -p icmp -f -j ACCEPT
  97.  
  98. iptables-save > /etc/iptables/rules.v4