Iptables


Start/Restore Script:

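#!/bin/bash
# Reload the firewall from the saved iptables-save ruleset in /etc/iptables:
# flush the live rules, then load the saved set. Exits non-zero (and says
# so on stderr) if the ruleset is unreadable or iptables-restore rejects it.
set -u

RULES=/etc/iptables

# Check the ruleset before flushing anything: a missing or unreadable file
# must not leave the box with empty chains and whatever default policies
# are currently in force.
if [ ! -r "$RULES" ]; then
    echo "Ruleset $RULES not found or not readable; current rules left in place." >&2
    exit 1
fi

#Flush IPtables rules first
# Note: --flush without -t only flushes the filter table; iptables-restore
# (without --noflush) flushes every table the file defines before loading it.
echo "Now flushing all rules..."
/sbin/iptables --flush
echo "Flush complete."

#Load IP tables rate limit rules for Linux Honeypot
# Check the exit status: a parse error in the file leaves the rules flushed
# but not restored, which the original script reported as success.
echo "Now starting IPtables..."
if /sbin/iptables-restore < "$RULES"; then
    echo "IPtables completed."
else
    echo "iptables-restore failed: rules were flushed but not restored." >&2
    exit 1
fi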

OpenVZ Firewall:

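# Generated by HyperSecure Solutions v1.2 on August 8, 2013
# iptables-save format, loaded by iptables-restore. INPUT and FORWARD are
# default-deny; OUTPUT is left open. The lines prefixed with [pkts:bytes]
# are in the counters form written by iptables-save -c; iptables-restore
# accepts both forms in one file, but every rule line must start in
# column 0 -- a leading space stops the bracket from being recognised as a
# counter and the line fails to parse, aborting the restore.
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [187:19244]
:portdrop - [0:0]
# Block bad tcp flags
# Flag combinations that never occur in a legitimate handshake (XMAS,
# all-flags, FIN/SYN/RST/ACK/URG, NULL, SYN+RST, SYN+FIN). They are sent to
# the portdrop chain below, which answers with a TCP reset and then drops.
# These come before the lo/ESTABLISHED accepts on purpose.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop
#ICMP Drops
# 18/17 address-mask reply/request, 10/9 router solicitation/advertisement,
# 5 redirect. Dropped here so the RELATED,ESTABLISHED accept below cannot
# let them in.
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Echo requests are accepted at most 1/sec; anything over the limit matches
# no later rule and falls through to the INPUT DROP policy.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
#Server Ports
# 22 and 80 are open to any source on any interface, with no per-source
# rate limit on 22. If this host is not the honeypot the start script
# mentions, consider a -m recent or -m limit guard on the SSH rule.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Explicit drops; same outcome as the DROP policy, but they keep the
# tcp and udp counters separate from the policy counter.
-A INPUT -p tcp -m tcp -j DROP
-A INPUT -p udp -m udp -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
# Reset-then-drop target for the bad-flag rules above.
-A portdrop -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A portdrop -j DROP
COMMIT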

KVM Firewall:

# Generated by HyperSecure Solutions v1.3 on June 26, 2015
# Same layout as the OpenVZ ruleset, but the service accepts, the explicit
# drops and the portdrop chain are restricted to -i eth0 (presumably the
# only interface that carries traffic -- confirm on the host). INPUT and
# FORWARD are default-deny; OUTPUT is left open.
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [187:19244]
:portdrop - [0:0]
# Block bad tcp flags
# Matched on every interface and sent to portdrop; note that the portdrop
# rules below only act on eth0, so a bad-flag packet arriving on any other
# interface matches nothing there, returns to INPUT and ends at the DROP
# policy without the TCP reset.
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop
#ICMP Drops
# 18/17 address-mask reply/request, 10/9 router solicitation/advertisement,
# 5 redirect; dropped before the state accepts below can match them.
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Echo requests rate-limited to 1/sec; the excess falls through to the DROP policy.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
#Server Ports
# 22 and 80 open to any source on eth0; no per-source rate limit on 22.
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# Explicit eth0 drops; same outcome as the DROP policy, separate counters.
-A INPUT -i eth0 -p tcp -m tcp -j DROP
-A INPUT -i eth0 -p udp -m udp -j DROP
# Redundant under the OUTPUT ACCEPT policy; there is no egress filtering.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
# Reset-then-drop, eth0 only (see the note above the bad-flag rules).
-A portdrop -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A portdrop -i eth0 -j DROP
COMMIT

NAT Firewall:

# Generated by HyperSecure Solutions v1.3 on June 26, 2015
# Gateway ruleset: port forwards in the nat table, an empty mangle table,
# and a filter table. From the rules below, eth0 appears to be the WAN
# side (DNAT on -i eth0) and eth1 the LAN side (FORWARD eth1 -> eth0) --
# confirm against the host's interface layout.
*nat
:PREROUTING ACCEPT [1:84]
:INPUT ACCEPT [1:84]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound forwards from eth0: 22 -> .18, 80/443 -> .23, 3000-9090 -> .16.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.18:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.23:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.23:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.1.16:3000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 192.168.1.16:5222
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5223 -j DNAT --to-destination 192.168.1.16:5223
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5269 -j DNAT --to-destination 192.168.1.16:5269
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5298 -j DNAT --to-destination 192.168.1.16:5298
-A PREROUTING -i eth0 -p tcp -m tcp --dport 7070 -j DNAT --to-destination 192.168.1.16:7070
-A PREROUTING -i eth0 -p tcp -m tcp --dport 7443 -j DNAT --to-destination 192.168.1.16:7443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.1.16:7777
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 192.168.1.16:9090
# Hairpin: clients on any interface reaching the public address 96.49.64.135
# on 80/443 are sent to .23. Placed after the eth0 rules, so for eth0 they
# never match (that traffic is already translated above).
-A PREROUTING -d 96.49.64.135/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.23
-A PREROUTING -d 96.49.64.135/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.23
-A POSTROUTING -o eth0 -j MASQUERADE
# Hairpin reply path: LAN -> .23 is rewritten to come from the gateway so
# .23 answers via the gateway instead of directly. Only .23 is covered, which
# matches the two hairpin DNATs above.
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.23/32 -j SNAT --to-source 192.168.1.1
COMMIT
*mangle
# No rules; present as written by iptables-save so a restore also resets this table.
:PREROUTING ACCEPT [1036:112278]
:INPUT ACCEPT [445:39126]
:FORWARD ACCEPT [591:73152]
:OUTPUT ACCEPT [307:38143]
:POSTROUTING ACCEPT [890:110615]
COMMIT
*filter
# Every chain policy below is ACCEPT and every rule is ACCEPT, so this
# table filters nothing: the gateway itself takes any NEW connection
# arriving on eth0, and everything is forwarded regardless of the
# per-port FORWARD rules. There is no default-deny on this box.
:INPUT ACCEPT [55:8337]
:FORWARD ACCEPT [24:2456]
:OUTPUT ACCEPT [299:37463]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accepts every new inbound connection to the gateway on eth0 (the WAN side,
# if the reading above is right); with an ACCEPT policy it is also redundant.
-A INPUT -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
# Per-port FORWARD accepts. Note they all name 192.168.1.18, while the nat
# table sends 3000-9090 to 192.168.1.16 and 80/443 (not listed here) to
# 192.168.1.23. Only the ACCEPT policy makes this work; switching FORWARD to
# a DROP policy would cut those forwards until the destinations are aligned
# with the DNAT rules.
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5222 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5223 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5269 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 5298 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 7070 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 7443 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 7777 -j ACCEPT
-A FORWARD -d 192.168.1.18/32 -i eth0 -p tcp -m tcp --dport 9090 -j ACCEPT
COMMIT