-
Notifications
You must be signed in to change notification settings - Fork 0
/
ipt_rules
executable file
·156 lines (120 loc) · 4.8 KB
/
ipt_rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
#!/bin/bash
###################
# iptables rules used by rc.iptables at the start up.
#
# Some chains are created to simplify and get more faster
# analysis by the kernel. If you need to allow input ports, fill
# the tcp_packet, udp_packet or icmp_packet chain.
#
# Contact : ride_online@hotmail.fr
####################
start() {
## Default strategie
####
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
## Default strategie
####
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -P OUTPUT DROP
## Create new chain
####
$IPTABLES -N bad_tcp_packet
$IPTABLES -N dos_tcp
$IPTABLES -N dos_udp
$IPTABLES -N dos_icmp
$IPTABLES -N allow
$IPTABLES -N tcp_packet
$IPTABLES -N udp_packet
$IPTABLES -N icmp_packet
## bad_tcp_packet chain
####
$IPTABLES -A bad_tcp_packet -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packet -p tcp ! --syn -m state --state NEW -j LOG --log-level debug --log-prefix "IPT New not SYN "
$IPTABLES -A bad_tcp_packet -p tcp ! --syn -m state --state NEW -j DROP
## Prevent DOS TCP attack
$IPTABLES -A bad_tcp_packet -p tcp --syn -m limit --limit 5/m --limit-burst 7 -j RETURN
$IPTABLES -A bad_tcp_packet -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j RETURN
$IPTABLES -A bad_tcp_packet -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j RETURN
$IPTABLES -A bad_tcp_packet -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-level debug --log-prefix "IPT Warn portscan "
$IPTABLES -A bad_tcp_packet -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
## And LOG it !
$IPTABLES -A dos_tcp -m limit --limit 5/m --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT Warn DOS attack "
$IPTABLES -A dos_tcp -j DROP
## Prevent DOS UDP attack
$IPTABLES -A dos_udp -p udp -m limit --limit 4/s --limit-burst 2 -j RETURN
## And LOG it !
$IPTABLES -A dos_udp -m limit --limit 5/m --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT Warn DOS attack "
$IPTABLES -A dos_udp -j DROP
## Prevent DOS ICMP attack
$IPTABLES -A dos_icmp -p icmp -m limit --limit 2/s --limit-burst 2 -j RETURN
## And LOG it !
$IPTABLES -A dos_icmp -m limit --limit 5/m --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT Warn DOS attack "
$IPTABLES -A dos_icmp -j DROP
## allow chain
####
$IPTABLES -A allow -p tcp --syn -j ACCEPT
$IPTABLES -A allow -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allow -p tcp -j DROP
#################################################
### FILL THOSE RULES ACCORDING YOUR NEEDS #
#################################################
## tcp_packet chain
####
$IPTABLES -A tcp_packet -p tcp -s 0/0 --dport 222 -j allow
$IPTABLES -A tcp_packet -p tcp -s 0/0 --dport 80 -j allow
## upd_packet chain
####
$IPTABLES -A udp_packet -p udp --dport 137:138 -j DROP
## icmp_packet chain
####
$IPTABLES -A icmp_packet -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packet -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#################################################################################
## INPUT chain #
#################################################################################
# Accept everything from localhost
$IPTABLES -A INPUT -p ALL -i lo -j ACCEPT
# Anyone who tried to portscan us is blocked for a day
$IPTABLES -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Check the tcp packet
$IPTABLES -A INPUT -p tcp -j bad_tcp_packet
# Rule for incomming packet already accepted
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# Prevent DOS
$IPTABLES -A INPUT -p tcp -i $IFACE -j dos_tcp
$IPTABLES -A INPUT -p udp -i $IFACE -j dos_udp
$IPTABLES -A INPUT -p icmp -i $IFACE -j dos_icmp
## Incomming packet
$IPTABLES -A INPUT -p tcp -j tcp_packet
$IPTABLES -A INPUT -p udp -j udp_packet
$IPTABLES -A INPUT -p icmp -j icmp_packet
# Log weird packets
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT INPUT packet died "
#################################################################
## FORWARD chain #
#################################################################
#################################################################
## OUTPUT chain #
#################################################################
# Ouput rules
$IPTABLES -A OUTPUT -p ALL -j ACCEPT
return 0
}
stop() {
# Default strategie
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
# Default strategie for IPv6
$IP6TABLES -P INPUT ACCEPT
$IP6TABLES -P FORWARD ACCEPT
$IP6TABLES -P OUTPUT ACCEPT
# Flush tables
$IPTABLES -F
# Delete all chain
$IPTABLES -X
return 0
}