firewall.sh
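#!/usr/bin/env bash
#
# firewall.sh - IPv4 host firewall for a public web + SSH server.
#
# Applied in this order:
#   1. reset every iptables/ip6tables table (policies back to ACCEPT)
#   2. accept loopback
#   3. SYNPROXY for the web ports (raw-table notrack + strict conntrack)
#   4. mangle/PREROUTING sanity drops: bogus flags, odd MSS, spoofed sources
#   5. filter/INPUT: port-scan lockout, recon patterns, ICMP, RST and
#      connection limits, ssh brute-force throttle, service accepts
#
# Things this script does NOT do, which a deployment has to decide on:
#   - The built-in chains keep policy ACCEPT, so the "allow" rules only make
#     80/443/22 explicit; every other port is still reachable. Anyone
#     switching INPUT to DROP also needs an ESTABLISHED,RELATED accept, or
#     every reply packet is dropped.
#   - IPv6 is flushed but never filtered; ip6tables stays wide open.
#   - No SYNPROXY rule is installed in FORWARD while step 3d drops INVALID
#     packets there, so a host that forwards traffic to other web servers
#     would lose the handshake ACK of those connections. This is written for
#     a host that does not route.
#
# Needs root and a kernel with the SYNPROXY target plus the conntrack,
# recent, connlimit, tcpmss and limit matches.
set -euo pipefail

readonly SYSCTL=/sbin/sysctl
readonly WEB_PORTS=(80 443)          # get SYNPROXY, connlimit and an explicit accept
readonly SSH_PORT=22
readonly PORTSCAN_BAN_SECONDS=86400  # 24 h lockout after touching the trap port

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

#######################################
# Flush and delete every rule and user chain in both address families and
# put the built-in chains back to ACCEPT, so a run that aborts part-way
# (set -e) never leaves the host locked out.
#######################################
reset_tables() {
  local tool
  for tool in iptables ip6tables; do
    "$tool" -P INPUT ACCEPT
    "$tool" -P FORWARD ACCEPT
    "$tool" -P OUTPUT ACCEPT
    "$tool" -t nat -F
    "$tool" -t mangle -F
    "$tool" -F
    "$tool" -X
  done
}

#######################################
# Accept everything on the loopback interface. This is deliberately the
# first INPUT rule: local clients (web app -> database, ssh to localhost,
# ping 127.0.0.1) must not be counted by the connection limits, the ssh
# brute-force tracker or the ICMP echo drop installed further down.
#######################################
allow_loopback() {
  iptables -A INPUT -i lo -p all -j ACCEPT
}

#######################################
# SYNPROXY for the web ports. Step-by-step walk-through of
# https://github.com/netoptimizer/network-testing/blob/master/iptables/iptables_synproxy.sh
#######################################
configure_synproxy() {
  local port
  # a) raw table: SYNs to the protected ports must not create conntrack entries
  for port in "${WEB_PORTS[@]}"; do
    iptables -t raw -I PREROUTING -p tcp -m tcp --syn --dport "$port" -j CT --notrack
  done
  # b) strict tracking, so the final ACK of the 3-way handshake shows up as INVALID
  "$SYSCTL" -w net/netfilter/nf_conntrack_tcp_loose=0
  # c) hand UNTRACKED SYNs and INVALID ACKs on those ports to the SYNPROXY target
  for port in "${WEB_PORTS[@]}"; do
    iptables -A INPUT -p tcp -m tcp --dport "$port" \
      -m state --state INVALID,UNTRACKED \
      -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
  done
  # d) whatever fell through SYNPROXY as INVALID is dropped (SYN-ACK floods)
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  # e) SYN cookies are carried in the TCP timestamp option, so it must be on
  "$SYSCTL" -w net/ipv4/tcp_timestamps=1
  # f) allow more tracked connections than the default and grow the hash
  #    table with it; raising only nf_conntrack_max degrades lookups
  printf '%s\n' 100000 > /sys/module/nf_conntrack/parameters/hashsize
  "$SYSCTL" -w net/netfilter/nf_conntrack_max=200000
}

#######################################
# Early drops in mangle/PREROUTING, hit before the INPUT rules.
#######################################
harden_prerouting() {
  local pair mask flags cidr
  # a new connection must start with a SYN
  iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  # new connections advertising an MSS outside 536..65535 are not real clients
  iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW \
    -m tcpmss ! --mss 536:65535 -j DROP
  # flag combinations no legitimate TCP stack sends, as "<mask> <flags set>"
  local -a bogus_flags=(
    'FIN,SYN,RST,PSH,ACK,URG NONE'
    'FIN,SYN FIN,SYN'
    'SYN,RST SYN,RST'
    'FIN,RST FIN,RST'
    'FIN,ACK FIN'
    'ACK,URG URG'
    'ACK,FIN FIN'
    'ACK,PSH PSH'
    'ALL ALL'
    'ALL NONE'
    'ALL FIN,PSH,URG'
    'ALL SYN,FIN,PSH,URG'
    'ALL SYN,RST,ACK,FIN,URG'
  )
  for pair in "${bogus_flags[@]}"; do
    read -r mask flags <<<"$pair"
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags "$mask" "$flags" -j DROP
  done
  # source addresses that cannot legitimately arrive from the internet.
  # NOTE: the RFC 1918 entries (10/8, 172.16/12, 192.168/16) must be taken
  # out on a host that has private-address peers (cloud VPC, internal load
  # balancer, management network); otherwise that traffic is silently dropped.
  local -a bogon_sources=(
    224.0.0.0/3 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24
    192.168.0.0/16 10.0.0.0/8 0.0.0.0/8 240.0.0.0/5
  )
  for cidr in "${bogon_sources[@]}"; do
    iptables -t mangle -A PREROUTING -s "$cidr" -j DROP
  done
  # loopback addresses are only valid on lo itself
  iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
}

#######################################
# filter/INPUT rules. Ordering matters: the lockout, recon drops and rate
# limits come before the explicit service accepts so that they also apply
# to 80/443/22 (in the original ordering the accepts came first, so a
# banned scanner could still reach those ports).
#######################################
configure_input() {
  local chain port
  # --- port-scan lockout (https://unix.stackexchange.com/a/407904) ---
  # Any source that touched the trap port (139) is dropped for 24 h; once the
  # window has passed the --remove rule expires it from the list.
  for chain in INPUT FORWARD; do
    iptables -A "$chain" -m recent --name portscan --rcheck \
      --seconds "$PORTSCAN_BAN_SECONDS" -j DROP
    iptables -A "$chain" -m recent --name portscan --remove
  done
  for chain in INPUT FORWARD; do
    iptables -A "$chain" -p tcp -m tcp --dport 139 -m recent --name portscan --set \
      -j LOG --log-prefix "portscan:"
    iptables -A "$chain" -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
  done
  # --- recon / flood patterns (duplicated from mangle so INPUT reads on its own) ---
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP          # null scan
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP  # new flow without SYN
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP           # xmas scan
  # --- ICMP: no echo replies, no address-mask/timestamp answers (smurf amplification) ---
  # A rate-limited echo ACCEPT that followed the blanket DROP in the original
  # could never match and has been dropped.
  iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
  iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
  iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
  iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
  # --- RST floods: a limit ACCEPT on its own did nothing under policy ACCEPT;
  #     the DROP right after it is what makes the limit bite. The limit is
  #     global, not per source; a busy server may prefer -m hashlimit.
  iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST \
    -m limit --limit 2/second --limit-burst 2 -j ACCEPT
  iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
  # --- per-source concurrent connection limit on the web ports ---
  for port in "${WEB_PORTS[@]}"; do
    iptables -A INPUT -p tcp --syn --dport "$port" \
      -m connlimit --connlimit-above 15 --connlimit-mask 32 \
      -j REJECT --reject-with tcp-reset
  done
  # --- ssh brute force: the 5th new connection from one source within 60 s,
  #     and every one after it, is dropped ---
  iptables -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --set
  iptables -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
    -m recent --update --seconds 60 --hitcount 5 -j DROP
  # --- services reachable from outside (explicit; the policy is still ACCEPT) ---
  for port in "${WEB_PORTS[@]}" "$SSH_PORT"; do
    iptables -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
  done
}

main() {
  (( EUID == 0 )) || die "must run as root (iptables needs CAP_NET_ADMIN)"
  reset_tables
  allow_loopback
  configure_synproxy
  harden_prerouting
  configure_input
}

main "$@"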
At step #3, I think the same rules are needed for the FORWARD chain; otherwise valid packets destined for other hosts will be dropped at step #4.