#!/usr/sbin/iptables-apply ### This -*-conf-*- file is my template /etc/iptab for new hosts. ### Ref. http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf ### From init, use iptables-restore /etc/iptab (NOT iptables-apply). ### Ruleset can and should be loaded BEFORE network ifaces exist. ### ### Named hosts and services names are resolved ONCE, at load time. ### See getent(1). For meaningful ethernet iface names, edit ### /etc/udev/rules.d/*persistent-net.rules and reboot. ### ### Date: Aug 2009 ###################################################################### ## Rulesets (*foo ... COMMIT) load atomically. First load a deny-all ## ruleset so that if the "real" ruleset fails to load, the system ## WILL NOT be left in an allow-all state. *filter :INPUT DROP :FORWARD DROP :OUTPUT ACCEPT -A INPUT -s 192.168/16 -j ACCEPT -m comment --comment "Allow recovery from LAN." -A OUTPUT -p udp --dport domain -j REJECT -m comment --comment "On error, avoid DNS timeout delays" COMMIT ###################################################################### *filter :OUTPUT ACCEPT # Local users/processes are trusted. :INPUT DROP # Ingress policy is "default deny". :FORWARD DROP # Routing policy is "default deny". :PRELUDE - # Best practices for filtered chains. :BLACKLIST - ## Quickly handle the essentials of a "default deny" environment. ## Anything left after this chain implicitly has --ctstate NEW. -A INPUT -j PRELUDE -A FORWARD -j PRELUDE -A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as --ctstate INVALID." -A PRELUDE -p icmp -j ACCEPT -A PRELUDE -i lo -j ACCEPT ## An automated SSH brute-force blacklist. Requires xtables. Unlike ## fail2ban or DenyHosts, there are NO userspace requirements -- not ## even sshd is needed! echo +1.2.3.4 >/proc/net/xt_recent/whitelist ## to whitelist 1.2.3.4 for an hour. Protects both this host AND all ## hosts "behind" this one. ## # New connections from IPs blacklisted within the last ten minutes are # chaotically rejected, AND reset the countdown back to ten minutes. # This is in PRELUDE such that blacklisted attackers are refused ALL # services, not just rate-limited ones. -A PRELUDE -m recent --name blacklist --update --seconds 600 --rttl -j BLACKLIST # This NON-TERMINAL chain counts connections passing through it. When # a connection rate exceeds 3/min/srcip/dstip/dstport, the source IP # is blacklisted. Acting on the blacklist is done elsewhere, as is # accepting or rejecting this connection. -A PRELUDE -i ppp+ -p tcp --dport ssh -m hashlimit --hashlimit-name maybe-blacklist --hashlimit-mode srcip,dstip,dstport --hashlimit-above 1/min --hashlimit-burst 3 -m recent --name blacklist --set -j LOG --log-prefix "Blacklisted SRC: " -A BLACKLIST -m recent --name whitelist --rcheck --seconds 3600 -j RETURN -m comment --comment "whitelist overrides blacklist" -A BLACKLIST -j CHAOS --tarpit ## YOUR RULES GO HERE. Below is a simple example: a firewalling ## router and SSH gateway that also serves DHCP/DNS/NTP to the LAN, ## with a web server "www" and a mail server "mail" behind it. -A INPUT -p tcp --dport ssh -j ACCEPT -A INPUT -i lan -p udp -m multiport --dports bootps,domain,ntp -j ACCEPT -A FORWARD -d mail -p tcp -m multiport --dports smtp,submission,imaps -j ACCEPT -A FORWARD -d www -p tcp -m multiport --dports http,https -j ACCEPT ## Finally, politely reject all other attempts. Omit these to use the ## chains' default policies (DROP, above) instead. -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT