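#!/usr/bin/env bash
#
# Host firewall bootstrap for a Debian/Ubuntu box that also terminates a
# WireGuard tunnel (wg0).
#
# Installs the persistence tooling, appends a packet-sanity filter in the
# mangle/raw tables, enables SYNPROXY, rate-limits SSH, adds a small INPUT
# policy, and saves the result where netfilter-persistent reloads it on boot.
#
# Things to know before running:
#   * Every rule is APPENDED (-A). Nothing is flushed and no chain policy is
#     changed, so INPUT keeps whatever policy it already has (ACCEPT on a fresh
#     install). The ruleset is therefore a block-list on an allow-by-default
#     chain, except where a trailing DROP turns a section into an allow-list
#     (the SSH section below).
#   * Running the script twice appends every rule twice. Flush the filter,
#     mangle and raw tables (or restore a clean ruleset) before re-running.
#   * Sections 1-7 live in mangle PREROUTING and run BEFORE any INPUT rule, so
#     a DROP there makes later INPUT rules for the same traffic unreachable.
#   * The sysctl and /proc writes below are not persistent; mirror them in
#     /etc/sysctl.d/ if they must survive a reboot.
#
# Usage: run as root, no arguments.
set -euo pipefail

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# One wrapper per address family so every rule uses the same binary. The
# original mixed "/sbin/iptables" with a bare "iptables", which may resolve to
# different front ends (legacy vs nft) depending on PATH.
ipt()  { /sbin/iptables "$@"; }
ip6t() { ip6tables "$@"; }

#######################################
# Install the firewall tooling and enable rule persistence.
# Globals:  DEBIAN_FRONTEND (set per command)
#######################################
install_packages() {
  # iptables-persistent asks interactively whether to save the current rules;
  # the noninteractive frontend keeps an unattended run from hanging on it.
  DEBIAN_FRONTEND=noninteractive apt install -y busybox
  DEBIAN_FRONTEND=noninteractive apt install -y \
    iptables-persistent netfilter-persistent conntrack nftables
  systemctl enable netfilter-persistent
  systemctl start netfilter-persistent
}

#######################################
# Sections 1-7: packet sanity filter in mangle PREROUTING.
# Runs for every inbound packet before routing, so anything dropped here never
# reaches INPUT or FORWARD.
#######################################
mangle_prerouting_filter() {
  ### 1: Drop invalid packets ###
  ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

  ### 2: Drop TCP packets that are new and are not SYN ###
  ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

  ### 3: Drop SYN packets with suspicious MSS value ###
  ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW \
    -m tcpmss ! --mss 536:65535 -j DROP

  ### 4: Block packets with bogus TCP flags ###
  ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

  ### 5: Block spoofed packets ###
  # Order matters: the two ACCEPTs must stay above the 10.0.0.0/8 DROP, or the
  # 10.7.0.0/24 range would be dropped with the rest of RFC 1918 space.
  # NOTE(review): 10.7.0.0/24 is presumably the WireGuard subnet and
  # 103.147.87.0/24 an operator range - confirm before reusing this script.
  # If this host has an interface in 172.16.0.0/12 or 192.168.0.0/16, add a
  # matching ACCEPT above the DROPs as well.
  ipt -t mangle -A PREROUTING -s 10.7.0.0/24 -j ACCEPT
  ipt -t mangle -A PREROUTING -s 103.147.87.0/24 -j ACCEPT
  ipt -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
  ipt -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
  ipt -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  ipt -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
  ipt -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
  ipt -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  ipt -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
  ipt -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
  ipt -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

  ### 6: Drop ICMP (you usually don't need this protocol) ###
  # Caveat: this also drops "fragmentation needed" (type 3, code 4), so Path
  # MTU Discovery stops working for traffic to this host; that tends to show up
  # as stalled transfers over the smaller-MTU WireGuard path. Allow that type
  # above this rule if you see PMTU blackholing. Because of this rule no ICMP
  # ever reaches INPUT, so no ICMP rule belongs in the filter table below.
  ipt -t mangle -A PREROUTING -p icmp -j DROP

  ### 7: Drop fragments in all chains ###
  # Fragments never reach INPUT after this, so any "-f" rule in INPUT is dead.
  ipt -t mangle -A PREROUTING -f -j DROP
}

#######################################
# Section 11: SYNPROXY on all TCP ports, plus its kernel prerequisites.
#######################################
enable_synproxy() {
  # Per iptables-extensions(8), SYNPROXY needs conntrack to stop picking up
  # mid-stream connections, and it answers with SYN cookies carrying the
  # timestamp option, so both must be enabled. Without these the rule below
  # is appended but does not protect anything.
  sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
  sysctl -w net.ipv4.tcp_syncookies=1
  sysctl -w net.ipv4.tcp_timestamps=1

  ### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
  ipt -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
  ipt -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED \
    -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
}

#######################################
# Filter-table INPUT rules: RST limiting, SSH, UDP noise, WireGuard.
#######################################
filter_input() {
  ### 9: Limit RST packets ###
  ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP

  enable_synproxy

  ### SSH brute-force protection ###
  # Only matters for sources that survive the SSH allow-list further down.
  ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
  ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
    -m recent --update --seconds 60 --hitcount 10 -j DROP

  ### Protection against port scanning ###
  # NOTE(review): this chain is defined but nothing jumps to it, so it is
  # inert; the RST limit in section 9 already covers the same pattern in
  # INPUT. Creation is guarded so a re-run does not fail on "chain exists".
  if ! ipt -nL port-scanning >/dev/null 2>&1; then
    ipt -N port-scanning
  fi
  ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s --limit-burst 2 -j RETURN
  ipt -A port-scanning -j DROP

  ## Drop udp traffic on ssh ##
  ipt -A INPUT -p udp --dport 22 -j DROP
  ipt -A INPUT -p udp --sport 22 -j DROP

  ## Drop Udp for Http and Https ##
  # The --sport rules also drop replies to UDP (e.g. QUIC) connections this
  # host itself opens to port 80/443 - acceptable for a pure server, not for a
  # host that is ever a client.
  ipt -A INPUT -p udp --dport 80 -j DROP
  ipt -A INPUT -p udp --sport 80 -j DROP
  ipt -A INPUT -p udp --dport 443 -j DROP
  ipt -A INPUT -p udp --sport 443 -j DROP

  # Wireguard
  # Everything arriving through the tunnel is trusted. WireGuard itself is UDP,
  # so the TCP drops only shed noise; UDP/51820 is admitted solely by the
  # INPUT chain's default policy, which this script does not set.
  ipt -A INPUT -i wg0 -j ACCEPT
  ipt -A INPUT -p tcp --dport 51820 -j DROP
  ipt -A INPUT -p tcp --sport 51820 -j DROP

  #Whitelist SSH
  # Allow-list: only 10.7.0.0/24 may reach sshd, everything else to/from
  # port 22 is dropped. The --sport 22 DROP also discards replies to outbound
  # SSH sessions started from this host to anything outside 10.7.0.0/24.
  ipt -A INPUT -p tcp --dport 22 -s 10.7.0.0/24 -j ACCEPT
  ipt -A INPUT -p tcp --sport 22 -s 10.7.0.0/24 -j ACCEPT
  ipt -A INPUT -p tcp --dport 22 -j DROP
  ipt -A INPUT -p tcp --sport 22 -j DROP

  # The original ended with an ICMP echo-request REJECT and four "-f ACCEPT"
  # rules in INPUT. Both are unreachable because sections 6 and 7 drop all
  # ICMP and all fragments in mangle PREROUTING, and the fragment ACCEPTs
  # would weaken the filter if section 7 were ever removed, so they are
  # intentionally not re-added.
}

#######################################
# Kernel-side hardening that is not a firewall rule.
#######################################
kernel_hardening() {
  # Disable automatic conntrack helper assignment. The toggle is absent on
  # recent kernels (helpers must be assigned explicitly there), so only write
  # it when the file exists; a missing file would otherwise abort under set -e.
  local helper=/proc/sys/net/netfilter/nf_conntrack_helper
  if [[ -w "$helper" ]]; then
    echo 0 > "$helper"
  fi

  # Reverse-path filtering for both families: drop packets whose source would
  # not be routed back out the interface they arrived on.
  ipt  -A PREROUTING -t raw -m rpfilter --invert -j DROP
  ip6t -A PREROUTING -t raw -m rpfilter --invert -j DROP
}

#######################################
# Persist the live rulesets for netfilter-persistent.
# The original saved only IPv4, so the ip6tables rpfilter rule was lost on
# reboot; both families are saved here.
#######################################
save_rules() {
  iptables-save > /etc/iptables/rules.v4
  ip6tables-save > /etc/iptables/rules.v6
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  install_packages
  mangle_prerouting_filter
  filter_input
  kernel_hardening
  save_rules
}

main "$@"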