Content-Type: text/x-zim-wiki
Wiki-Format: zim 0.4
Creation-Date: 2017-01-13T11:22:49+01:00
====== iptable rules ======
Created Friday 13 January 2017
**#** https://gist.github.com/virtualstaticvoid/1024546
**# Change **//wlp2s0//** to your network device if needed**
**# 1. Delete all existing rules**
$ iptables -F
**# 2. Set default chain policies (everything not explicitly allowed below is dropped, so a remote session is cut off until its ACCEPT rules are added)**
$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT DROP
**# 3. Block a specific IP address**
$ iptables -A INPUT -s //<IP_ADDRESS>// -j DROP
**# 4. Allow ALL incoming SSH**
$ iptables -A INPUT -i wlp2s0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
**# 5. Allow incoming SSH only from a specific network**
$ iptables -A INPUT -i wlp2s0 -p tcp -s //<IP_ADDRESS>///24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
**# 6. Allow incoming HTTP**
$ iptables -A INPUT -i wlp2s0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
**# Allow incoming HTTPS**
$ iptables -A INPUT -i wlp2s0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
**# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)**
$ iptables -A INPUT -i wlp2s0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
**# 8. Allow outgoing SSH**
$ iptables -A OUTPUT -o wlp2s0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A INPUT -i wlp2s0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
**# 9. Allow outgoing SSH only to a specific network**
$ iptables -A OUTPUT -o wlp2s0 -p tcp -d //<IP_ADDRESS>///24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A INPUT -i wlp2s0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
**# 10. Allow outgoing HTTPS**
$ iptables -A OUTPUT -o wlp2s0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A INPUT -i wlp2s0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
**# 11. Load-balance incoming HTTPS traffic (DNAT in PREROUTING belongs to the nat table, as in rule 24)**
$ iptables -A PREROUTING -i wlp2s0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination //<IP_ADDRESS>//:443
$ iptables -A PREROUTING -i wlp2s0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination //<IP_ADDRESS>//:443
$ iptables -A PREROUTING -i wlp2s0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination //<IP_ADDRESS>//:443
**# 12. Ping from inside to outside**
$ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$ iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
**# 13. Ping from outside to inside**
$ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
**# 14. Allow loopback access**
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A OUTPUT -o lo -j ACCEPT
**# 15. Allow packets from internal network to reach external network.**
**# if eth1 is connected to the external network (internet)**
**# and wlp2s0 is connected to the internal network (192.168.1.x)**
$ iptables -A FORWARD -i wlp2s0 -o eth1 -j ACCEPT
**# 16. Allow outbound DNS**
$ iptables -A OUTPUT -p udp -o wlp2s0 --dport 53 -j ACCEPT
$ iptables -A INPUT -p udp -i wlp2s0 --sport 53 -j ACCEPT
**# 17. Allow NIS Connections**
**# Find the ypbind ports with **//rpcinfo -p | grep ypbind//**; here they are 853 and 850**
$ iptables -A INPUT -p tcp --dport 111 -j ACCEPT
$ iptables -A INPUT -p udp --dport 111 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 853 -j ACCEPT
$ iptables -A INPUT -p udp --dport 853 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 850 -j ACCEPT
$ iptables -A INPUT -p udp --dport 850 -j ACCEPT
**# 18. Allow rsync from a specific network**
$ iptables -A INPUT -i wlp2s0 -p tcp -s //<IP_ADDRESS>///24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
**# 19. Allow MySQL connection only from a specific network**
$ iptables -A INPUT -i wlp2s0 -p tcp -s //<IP_ADDRESS>///24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
**# 20. Allow Sendmail or Postfix**
$ iptables -A INPUT -i wlp2s0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
**# 21. Allow IMAP and IMAPS**
$ iptables -A INPUT -i wlp2s0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
$ iptables -A INPUT -i wlp2s0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
**# 22. Allow POP3 and POP3S**
$ iptables -A INPUT -i wlp2s0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
$ iptables -A INPUT -i wlp2s0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
**# 23. Rate-limit incoming HTTP to mitigate DoS (packets over the limit are not accepted here and fall through to the later rules and the default policy)**
$ iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
**# 24. Port forwarding 422 to 22**
$ iptables -t nat -A PREROUTING -p tcp -d //<IP_ADDRESS>// --dport 422 -j DNAT --to //<IP_ADDRESS>//:22
$ iptables -A INPUT -i wlp2s0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o wlp2s0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
**# 25. Log and drop packets that reach the end of the INPUT chain (logging rate-limited to 2/min)**
$ iptables -N LOGGING
$ iptables -A INPUT -j LOGGING
$ iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
$ iptables -A LOGGING -j DROP