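*filter

# IPv4 filter table for a single-NIC host running a public web server, loaded with
# iptables-restore. Everything not explicitly accepted below is dropped (see the
# policies at the end) and logged.
#
# NOTE: these are iptables (IPv4) rules only. ip6tables keeps its default ACCEPT
# policy, so on a host with IPv6 connectivity this firewall is bypassed entirely
# over IPv6 -- load an equivalent ip6tables ruleset or disable IPv6.
# NOTE: every external rule is pinned to eth0. On hosts whose NIC has another name
# (ens3, enp0s3, ...) nothing below matches and the DROP policies lock you out.
# Check `ip link` before loading, and load from a console or with a timed rollback.

# Drop NULL packets (no TCP flags set at all)
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop NEW connection attempts that do not start with a SYN (mid-stream packets,
# stealth scans). Despite the common name this is not SYN-flood protection: a flood
# consists of well-formed SYNs, which this rule lets through; that case is handled
# by the kernel (net.ipv4.tcp_syncookies), not by this ruleset.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Block XMAS packets (all TCP flags set)
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Accept ICMP errors that conntrack ties to an existing connection (destination-
# unreachable / fragmentation-needed, time-exceeded). Without this every ICMP
# packet hits the DROP policy, path-MTU discovery cannot work and connections
# through a smaller-MTU path can hang.
-A INPUT -i eth0 -p icmp -m state --state RELATED -j ACCEPT

# SSH: rate limit new connections per source IP and allow established sessions.
# The first rule records every NEW attempt; the second drops the 4th and later
# attempts seen within 300 seconds (at most 3 per 5 minutes). --update refreshes
# the timestamp on each hit, so a source that keeps retrying stays blocked.
# --rttl additionally requires the packet's TTL to match the one recorded on the
# first hit, so a third party cannot lock a peer out by spoofing its address
# from a different hop distance.
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --rttl --name SSH -j DROP
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow outbound DNS queries over UDP and TCP. The TCP reply rule is required:
# resolvers retry over TCP for truncated (large / DNSSEC) answers, and without it
# the TCP query is sent but its response is dropped on INPUT.
-A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow NTP (outbound time sync only; no inbound NTP service)
-A OUTPUT -o eth0 -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

# Web server (HTTP/HTTPS): inbound service on 80/443 and its replies
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Web browsing: outbound HTTP/HTTPS from this host (package updates, webhooks, ...)
-A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow all traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow SMTP outbound. IMPORTANT: pick the port your MTA/relay actually uses --
# 465 for SMTPS (implicit TLS, as configured here), 587 for submission (STARTTLS)
# or 25 for plain server-to-server SMTP.
-A INPUT -i eth0 -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT

# Log packets that fall through to the DROP policies, rate limited to 4/min per
# chain so a flood cannot fill the log. Packets dropped by the NULL/XMAS/non-SYN
# rules at the top never reach these chains and are therefore not logged.
-N LOGINPUT
-N LOGOUTPUT
-A INPUT -j LOGINPUT
-A OUTPUT -j LOGOUTPUT
-A LOGINPUT -m limit --limit 4/min -j LOG --log-prefix "DROP INPUT: " --log-level 4
-A LOGOUTPUT -m limit --limit 4/min -j LOG --log-prefix "DROP OUTPUT: " --log-level 4

# Default policies: drop everything not explicitly accepted above; this host does
# not route, so FORWARD is dropped as well.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

COMMIT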