
3,520 bytes added ,  3 years ago
Updated firewall with rules to block Docker connections by default and added ManagementFilterV6
Line 619: Line 619:     
Supports IPv4 and IPv6.  Comment out the parts that are not need with a # or optionally delete them.
 
Supports IPv4 and IPv6.  Comment out the parts that are not need with a # or optionally delete them.
 +
 +
Note:  While this supports IPv6, some of the rules listed were only done for IPv4.  You'll need to make the necessary changes to have IPv6 protected as well.  While the parameters listed for IPv4 should work you should refer to the ip6tables man page if you have any issues.
    
   #!/bin/bash
 
   #!/bin/bash
Line 625: Line 627:  
   INET_IF=eth0
 
   INET_IF=eth0
 
    
 
    
 +
  #IPv4
 
   #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to  
 
   #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to  
 
   #"Management only" services.  Add or remove as needed.  Make sure to update the ManagementFilterV4 with
 
   #"Management only" services.  Add or remove as needed.  Make sure to update the ManagementFilterV4 with
Line 632: Line 635:  
      
 
      
 
   ManagementFilterV4=$System1,$System2
 
   ManagementFilterV4=$System1,$System2
 +
 
 +
  #IPv6
 +
  #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to
 +
  #"Management only" services.  Add or remove as needed.  Make sure to update the ManagementFilterV6 with
 +
  #the changes
 +
  V6System1="2001:db8:a::123/64" 
 +
  V6System2="2001:db8:b::123/64"
 +
   
 +
  ManagementFilterV6=$V6System1,$V6System2
 
    
 
    
 
   #Flush and zero all tables
 
   #Flush and zero all tables
Line 667: Line 679:  
   ip6tables -N log-and-reject
 
   ip6tables -N log-and-reject
 
    
 
    
   #Now add in rules to affect DOCKER containers - uncomment if using Docker
+
  #Remove/comment this out and all references to the FILTERS chain if Docker isn't being used
 +
  #Restart Docker
 +
  echo "Restarting Docker"
 +
  systemctl restart docker
 +
 
 +
   #Now add in rules to affect DOCKER containers
 
   #See https://unrouted.io/2017/08/15/docker-firewall/
 
   #See https://unrouted.io/2017/08/15/docker-firewall/
   #iptables -F DOCKER-USER
+
   iptables -F DOCKER-USER
   #iptables -X DOCKER-USER
+
   iptables -X DOCKER-USER
   #iptables -N DOCKER-USER
+
   iptables -N DOCKER-USER
 
    
 
    
   #ip6tables -F DOCKER-USER
+
   iptables -F FILTERS
   #ip6tables -X DOCKER-USER
+
   iptables -X FILTERS
   #ip6tables -N DOCKER-USER
+
   iptables -N FILTERS
 
    
 
    
   #iptables -F FILTERS
+
   echo "all tables flushed and dropped"
  #iptables -X FILTERS
  −
  #iptables -N FILTERS
   
    
 
    
  #ip6tables -F FILTERS
  −
  #ip6tables -X FILTERS
  −
  #ip6tables -N FILTERS
  −
 
  −
  echo "all tables flushed and dropped"
   
   # Specific chain used for logging packets before blocking them
 
   # Specific chain used for logging packets before blocking them
 
   iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
 
   iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
Line 701: Line 711:  
    
 
    
 
   echo "logging chains setup"
 
   echo "logging chains setup"
   
+
 
 +
  #setup DOCKER-USER related rules- you will place all rules for Docker under the FILTERS chain
 +
  iptables -A DOCKER-USER -i $INET_IF -j FILTERS
 +
 
 +
  # Check if NEW incoming tcp connections are SYN, drop if not
 +
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 +
  iptables -A FILTERS -p tcp ! --syn -m state --state NEW -j DROP
 +
 
 +
  #Drop fragmented packets
 +
  iptables -A INPUT -f -j DROP
 +
  iptables -A FILTERS -f -j DROP
 +
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
 +
  iptables -A FILTERS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
 +
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 +
  iptables -A FILTERS -p tcp --tcp-flags ALL ALL -j DROP
 +
 
 +
  # Drop incoming malformed XMAS packets
 +
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-XMAX Pkts] "
 +
  iptables -A FILTERS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-XMAX Pkts] "
 +
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 +
  iptables -A FILTERS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 +
 
 +
  #Drop all NULL pakcets
 +
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-NULL Pkts] "
 +
  iptables -A FILTERS -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-NULL Pkts] "
 +
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 +
  iptables -A FILTERS -p tcp --tcp-flags ALL NONE -j DROP
 +
  iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 +
  iptables -A FILTERS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 +
 
 +
  #Drop FIN packet scans
 +
  iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-FIN Scan] "
 +
  iptables -A FILTERS -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "[IPT-FIN Scan] "
 +
  iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
 +
  iptables -A FILTERS -p tcp --tcp-flags FIN,ACK FIN -j DROP
 +
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 +
  iptables -A FILTERS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 +
 
 +
  #Log and drop broadcast /multicast and invalid
 +
  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG --log-prefix "[IPT-Broadcast] "
 +
  iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
 +
  iptables -A INPUT -m pkttype --pkt-type multicast -j LOG --log-prefix "i[IPT-Multicast] "
 +
  iptables -A INPUT -m pkttype --pkt-type multicast -j DROP
 +
  iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "[IPT-Invalid] "
 +
  iptables -A FILTERS -m state --state INVALID -j LOG --log-prefix "[IPT-Invalid] "
 +
  iptables -A INPUT -m state --state INVALID -j DROP
 +
  iptables -A FILTERS -m state --state INVALID -j DROP
 +
 
 
   # The packets having the TCP flags activated are dropped
 
   # The packets having the TCP flags activated are dropped
 
   # and so for the ones with no flag at all (often used with Nmap scans)
 
   # and so for the ones with no flag at all (often used with Nmap scans)
 
   iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
 
   iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
 +
  iptables -A FILTERS -p tcp --tcp-flags ALL ALL -j log-and-drop
 
   iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop
 
   iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop
 +
  iptables -A FILTERS -p tcp --tcp-flags ALL NONE -j log-and-drop
 
    
 
    
 
   ip6tables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
 
   ip6tables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
 
   ip6tables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop
 
   ip6tables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop
 
    
 
    
  #setup DOCKER-USER related rules - uncomment if using Docker
+
   #limit traffic to 80 an 443 - Change chain from INPUT to FILTERS to Docker and don't forget to open below
  #iptables -A DOCKER-USER -i $INET_IF -j FILTERS
  −
 
  −
  #Now add any rules you want Docker to abide by for containers to -A FILTERS
  −
 
  −
   #limit traffic to 80 an 443
   
   #DCQ="2"  #max requests in 1 second
 
   #DCQ="2"  #max requests in 1 second
 
   #DCH="25"  #max requests over 7 seconds
 
   #DCH="25"  #max requests over 7 seconds
 
    
 
    
   #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80QF --rsource
+
   #iptables -A INPUT-p tcp --dport 80 -m state --state NEW -m recent --set --name P80QF --rsource
   #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P80QF --rsource -j log-and-drop
+
   #iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P80QF --rsource -j log-and-drop
   #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80HF --rsource
+
   #iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name P80HF --rsource
   #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P80HF --rsource -j log-and-drop
+
   #iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P80HF --rsource -j log-and-drop
 
    
 
    
   #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443QF --rsource
+
   #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set --name P443QF --rsource
   #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P443QF --rsource -j log-and-drop
+
   #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P443QF --rsource -j log-and-drop
   #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443HF --rsource
+
   #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set --name P443HF --rsource
   #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P443HF --rsource -j log-and-drop
+
   #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P443HF --rsource -j log-and-drop
 
      
 
      
   #default return chain
+
   #default return chain for Docker- skipped.  Enable if needed
 
   #iptables -A FILTERS -j RETURN
 
   #iptables -A FILTERS -j RETURN
 
    
 
    
Line 736: Line 790:  
    
 
    
 
   #Limit DNS requests to prevent flood attacks - use if you are running a DNS server on the system this is installed on.   
 
   #Limit DNS requests to prevent flood attacks - use if you are running a DNS server on the system this is installed on.   
 +
  #Don't forget to allow in the rules below
 
   # Requests per second
 
   # Requests per second
 
   #RQS="15"
 
   #RQS="15"
Line 761: Line 816:  
   # this is needed to allow all ipsec packets when it's host to host
 
   # this is needed to allow all ipsec packets when it's host to host
 
   #iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc"  
 
   #iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc"  
 
  −
  #allow DNS in
  −
  #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
  −
  #iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53
  −
 
  −
  #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
  −
  #ip6tables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53
   
    
 
    
 
   #allow port 80 in
 
   #allow port 80 in
 
   #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
 
   #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
 +
  #iptables -t filter -A FILTERS -j ACCEPT --protocol tcp --dport 80
 
   #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
 
   #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
 
    
 
    
 
   #allow port 443 in
 
   #allow port 443 in
 
   #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
 
   #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
 +
  #iptables -t filter -A FILTERS -j ACCEPT --protocol tcp --dport 443
 
   #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
 
   #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
 
    
 
    
   # allow all ssh in - uncomment ManagemetnFilterV4 and comment out the two lines below to restrict SSH access on port 22
+
   # allow all ssh in - uncomment ManagementFilterV4 and comment out the lines below it to restrict SSH access on port 22
 
   #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV4
 
   #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV4
 
   iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22  
 
   iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22  
   ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22  
+
 
 +
  #uncomment ManagementFilterV6 and commentout the line below it to restruct SSH for IPv6 on port 22
 +
  #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src ManagementFilterV6
 +
   ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22
 
    
 
    
 
   echo "end of services"
 
   echo "end of services"
Line 820: Line 873:  
   echo "2" >$i
 
   echo "2" >$i
 
   done
 
   done
 +
 
   # setup a default deny rule for outside traffic
 
   # setup a default deny rule for outside traffic
 
   iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop
 
   iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop
 +
  iptables -t filter -A FILTERS --in-interface $INET_IF -j log-and-drop
 
   ip6tables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop
 
   ip6tables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop
 
+
   
  #uncomment if you are using Docker
  −
  #echo "Restarting Docker"
  −
  #systemctl restart docker
  −
 
   
   #uncomment the next two lines if fail2ban is installed
 
   #uncomment the next two lines if fail2ban is installed
 
   #echo "Restarting fail2ban"
 
   #echo "Restarting fail2ban"
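Review bot: The new commented ManagementFilterV6 rule in the "Line 761" section is missing the `$` on the variable, so an administrator following the new comment's instruction would run `--src ManagementFilterV6`, which ip6tables cannot resolve as an address — the restricted rule is never installed and the later `ip6tables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop` default deny leaves no IPv6 SSH path; it should read `#ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV6`, matching the IPv4 line above it. The FILTERS chain now ends in `iptables -t filter -A FILTERS --in-interface $INET_IF -j log-and-drop` with the RETURN still commented out, but no `ESTABLISHED,RELATED` accept for FILTERS is visible in any of these hunks; unless one exists outside them, replies to connections that containers open outbound also arrive on that interface and will be dropped, so consider `iptables -A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT` as the chain's first rule. The `systemctl restart docker` is now unconditional and runs before `iptables -X DOCKER-USER`; once Docker is up it references DOCKER-USER from FORWARD, so that `-X` and the following `-N` will likely fail with chain-in-use/already-exists errors — probably harmless for the end state, but noisy, and no `set -e` is visible to surface a real failure. The new `[IPT-Multicast]` log prefix also carries a stray leading `i`.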
