Line 619: |
Line 619: |
| | | |
| Supports IPv4 and IPv6. Comment out the parts that are not need with a # or optionally delete them. | | Supports IPv4 and IPv6. Comment out the parts that are not need with a # or optionally delete them. |
| + | |
| + | Note: While this supports IPv6, some of the rules listed were only done for IPv4. You'll need to make the necessary changes to have IPv6 protected as well. While the parameters listed for IPv4 should work you should refer to the ip6tables man page if you have any issues. |
| | | |
| #!/bin/bash | | #!/bin/bash |
Line 625: |
Line 627: |
| INET_IF=eth0 | | INET_IF=eth0 |
| | | |
| + | #IPv4 |
| #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to | | #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to |
| #"Management only" services. Add or remove as needed. Make sure to update the ManagementFilterV4 with | | #"Management only" services. Add or remove as needed. Make sure to update the ManagementFilterV4 with |
Line 632: |
Line 635: |
| | | |
| ManagementFilterV4=$System1,$System2 | | ManagementFilterV4=$System1,$System2 |
| + | |
| + | #IPv6 |
| + | #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to |
| + | #"Management only" services. Add or remove as needed. Make sure to update the ManagementFilterV6 with |
| + | #the changes |
| + | V6System1="2001:db8:a::123/64" |
| + | V6System2="2001:db8:b::123/64" |
| + | |
| + | ManagementFilterV6=$V6System1,$V6System2 |
| | | |
| #Flush and zero all tables | | #Flush and zero all tables |
Line 667: |
Line 679: |
| ip6tables -N log-and-reject | | ip6tables -N log-and-reject |
| | | |
− | #Now add in rules to affect DOCKER containers - uncomment if using Docker | + | #Remove/comment this out and all references to the FILTERS chain if Docker isn't being used |
| + | #Restart Docker |
| + | echo "Restarting Docker" |
| + | systemctl restart docker |
| + | |
| + | #Now add in rules to affect DOCKER containers |
| #See https://unrouted.io/2017/08/15/docker-firewall/ | | #See https://unrouted.io/2017/08/15/docker-firewall/ |
− | #iptables -F DOCKER-USER | + | iptables -F DOCKER-USER |
− | #iptables -X DOCKER-USER | + | iptables -X DOCKER-USER |
− | #iptables -N DOCKER-USER | + | iptables -N DOCKER-USER |
| | | |
− | #ip6tables -F DOCKER-USER | + | iptables -F FILTERS |
− | #ip6tables -X DOCKER-USER | + | iptables -X FILTERS |
− | #ip6tables -N DOCKER-USER | + | iptables -N FILTERS |
| | | |
− | #iptables -F FILTERS | + | echo "all tables flushed and dropped" |
− | #iptables -X FILTERS
| |
− | #iptables -N FILTERS
| |
| | | |
− | #ip6tables -F FILTERS
| |
− | #ip6tables -X FILTERS
| |
− | #ip6tables -N FILTERS
| |
− |
| |
− | echo "all tables flushed and dropped"
| |
| # Specific chain used for logging packets before blocking them | | # Specific chain used for logging packets before blocking them |
| iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop " | | iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop " |
Line 701: |
Line 711: |
| | | |
| echo "logging chains setup" | | echo "logging chains setup" |
− |
| + | |
| + | #setup DOCKER-USER related rules- you will place all rules for Docker under the FILTERS chain |
| + | iptables -A DOCKER-USER -i $INET_IF -j FILTERS |
| + | |
| + | # Check if NEW incoming tcp connections are SYN, drop if not |
| + | iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP |
| + | iptables -A FILTERS -p tcp ! --syn -m state --state NEW -j DROP |
| + | |
| + | #Drop fragmented packets |
| + | iptables -A INPUT -f -j DROP |
| + | iptables -A FILTERS -f -j DROP |
| + | iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP |
| + | iptables -A FILTERS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP |
| + | iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP |
| + | iptables -A FILTERS -p tcp --tcp-flags ALL ALL -j DROP |
| + | |
| + | # Drop incoming malformed XMAS packets |
| + | iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-XMAX Pkts] " |
| + | iptables -A FILTERS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-XMAX Pkts] " |
| + | iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP |
| + | iptables -A FILTERS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP |
| + | |
| + | #Drop all NULL pakcets |
| + | iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-NULL Pkts] " |
| + | iptables -A FILTERS -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-NULL Pkts] " |
| + | iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP |
| + | iptables -A FILTERS -p tcp --tcp-flags ALL NONE -j DROP |
| + | iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
| + | iptables -A FILTERS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
| + | |
| + | #Drop FIN packet scans |
| + | iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-FIN Scan] " |
| + | iptables -A FILTERS -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-FIN Scan] " |
| + | iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP |
| + | iptables -A FILTERS -p tcp --tcp-flags FIN,ACK FIN -j DROP |
| + | iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP |
| + | iptables -A FILTERS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP |
| + | |
| + | #Log and drop broadcast /multicast and invalid |
| + | iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG --log-prefix "[IPT-Broadcast] " |
| + | iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP |
| + | iptables -A INPUT -m pkttype --pkt-type multicast -j LOG --log-prefix "i[IPT-Multicast] " |
| + | iptables -A INPUT -m pkttype --pkt-type multicast -j DROP |
| + | iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "[IPT-Invalid] " |
| + | iptables -A FILTERS -m state --state INVALID -j LOG --log-prefix "[IPT-Invalid] " |
| + | iptables -A INPUT -m state --state INVALID -j DROP |
| + | iptables -A FILTERS -m state --state INVALID -j DROP |
| + | |
| # The packets having the TCP flags activated are dropped | | # The packets having the TCP flags activated are dropped |
| # and so for the ones with no flag at all (often used with Nmap scans) | | # and so for the ones with no flag at all (often used with Nmap scans) |
| iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop | | iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop |
| + | iptables -A FILTERS -p tcp --tcp-flags ALL ALL -j log-and-drop |
| iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop | | iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop |
| + | iptables -A FILTERS -p tcp --tcp-flags ALL NONE -j log-and-drop |
| | | |
| ip6tables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop | | ip6tables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop |
| ip6tables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop | | ip6tables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop |
| | | |
− | #setup DOCKER-USER related rules - uncomment if using Docker
| + | #limit traffic to 80 an 443 - Change chain from INPUT to FILTERS to Docker and don't forget to open below |
− | #iptables -A DOCKER-USER -i $INET_IF -j FILTERS
| |
− |
| |
− | #Now add any rules you want Docker to abide by for containers to -A FILTERS
| |
− |
| |
− | #limit traffic to 80 an 443 | |
| #DCQ="2" #max requests in 1 second | | #DCQ="2" #max requests in 1 second |
| #DCH="25" #max requests over 7 seconds | | #DCH="25" #max requests over 7 seconds |
| | | |
− | #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80QF --rsource | + | #iptables -A INPUT-p tcp --dport 80 -m state --state NEW -m recent --set --name P80QF --rsource |
− | #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P80QF --rsource -j log-and-drop | + | #iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P80QF --rsource -j log-and-drop |
− | #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80HF --rsource | + | #iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name P80HF --rsource |
− | #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P80HF --rsource -j log-and-drop | + | #iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P80HF --rsource -j log-and-drop |
| | | |
− | #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443QF --rsource | + | #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set --name P443QF --rsource |
− | #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P443QF --rsource -j log-and-drop | + | #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P443QF --rsource -j log-and-drop |
− | #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443HF --rsource | + | #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set --name P443HF --rsource |
− | #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P443HF --rsource -j log-and-drop | + | #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P443HF --rsource -j log-and-drop |
| | | |
− | #default return chain | + | #default return chain for Docker- skipped. Enable if needed |
| #iptables -A FILTERS -j RETURN | | #iptables -A FILTERS -j RETURN |
| | | |
Line 736: |
Line 790: |
| | | |
| #Limit DNS requests to prevent flood attacks - use if you are running a DNS server on the system this is installed on. | | #Limit DNS requests to prevent flood attacks - use if you are running a DNS server on the system this is installed on. |
| + | #Don't forget to allow in the rules below |
| # Requests per second | | # Requests per second |
| #RQS="15" | | #RQS="15" |
Line 761: |
Line 816: |
| # this is needed to allow all ipsec packets when it's host to host | | # this is needed to allow all ipsec packets when it's host to host |
| #iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc" | | #iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc" |
− |
| |
− | #allow DNS in
| |
− | #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
| |
− | #iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53
| |
− |
| |
− | #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
| |
− | #ip6tables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53
| |
| | | |
| #allow port 80 in | | #allow port 80 in |
| #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80 | | #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80 |
| + | #iptables -t filter -A FILTERS -j ACCEPT --protocol tcp --dport 80 |
| #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80 | | #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80 |
| | | |
| #allow port 443 in | | #allow port 443 in |
| #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443 | | #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443 |
| + | #iptables -t filter -A FILTERS -j ACCEPT --protocol tcp --dport 443 |
| #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443 | | #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443 |
| | | |
− | # allow all ssh in - uncomment ManagemetnFilterV4 and comment out the two lines below to restrict SSH access on port 22 | + | # allow all ssh in - uncomment ManagementFilterV4 and comment out the lines below it to restrict SSH access on port 22 |
| #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV4 | | #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV4 |
| iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 | | iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 |
− | ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 | + | |
| + | #uncomment ManagementFilterV6 and commentout the line below it to restruct SSH for IPv6 on port 22 |
| + | #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src ManagementFilterV6 |
| + | ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 |
| | | |
| echo "end of services" | | echo "end of services" |
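Review bot: The new IPv6 SSH restriction uses a bare word, `--src ManagementFilterV6`, where the IPv4 rule two lines above uses `--src $ManagementFilterV4`; without the `$`, ip6tables will treat `ManagementFilterV6` as a hostname to resolve and the rule will fail to load once uncommented, and because the comment tells the reader to then comment out the unrestricted rule beneath it, IPv6 SSH falls through to the `ip6tables ... --in-interface $INET_IF -j log-and-drop` catch-all rather than being restricted — a management lockout if the box is reached over IPv6, unless the script sets `-e` somewhere outside this view. The line should read `#ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV6`, and the comment typos (`commentout`, `restruct`) are worth fixing on the same pass. Separately, this hunk deletes the commented "allow DNS in" ACCEPT rules for tcp/udp 53 while the DNS rate-limit block in the preceding hunk now says "Don't forget to allow in the rules below"; either keep the four port-53 lines or drop that pointer, so a reader enabling the rate limit is not left with DNS blocked by the default deny. The enclosing script continues beyond both ends of this hunk.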
Line 820: |
Line 873: |
| echo "2" >$i | | echo "2" >$i |
| done | | done |
| + | |
| # setup a default deny rule for outside traffic | | # setup a default deny rule for outside traffic |
| iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop | | iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop |
| + | iptables -t filter -A FILTERS --in-interface $INET_IF -j log-and-drop |
| ip6tables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop | | ip6tables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop |
− |
| + | |
− | #uncomment if you are using Docker
| |
− | #echo "Restarting Docker"
| |
− | #systemctl restart docker
| |
− |
| |
| #uncomment the next two lines if fail2ban is installed | | #uncomment the next two lines if fail2ban is installed |
| #echo "Restarting fail2ban" | | #echo "Restarting fail2ban" |