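#!/bin/sh
# Host firewall for a single-interface server.
#
# Default policy is DROP on INPUT, OUTPUT and FORWARD; everything below is an
# explicit allow. Inbound services: SSH, HTTP/HTTPS and FTP, each with a
# per-source new-connection limit (xt_recent); DNS is throttled per source
# with xt_hashlimit; ICMP echo is rate-limited.
#
# Usage:  run as root. Re-running flushes and rebuilds the whole ruleset.
# Env:    WAN_IF  interface the service rules are bound to (default: eth0)
#
# Changes from the earlier version of this script:
#   - the script body was pasted twice; the duplicate is gone.
#   - the generic new-TCP throttle ended in "-j ACCEPT", which accepted every
#     new TCP connection on every port and made the DROP policy meaningless.
#   - all "-m recent" rules used the unnamed default list, so connections to
#     one rate-limited port counted against the limits of the others.
#   - "-m multiport --sport 80,443" is not a multiport option (it is the tcp
#     match's single-port --sport, which rejects a list); multiport spells
#     it --sports. Those reply rules are replaced by one ESTABLISHED rule.
#   - the "dynamic ports" section opened tcp+udp 1024:65535 inbound although
#     its own comment said it should be commented out; it now is.

set -eu

WAN_IF="${WAN_IF:-eth0}"

# Connection tracking and the FTP helpers (so passive FTP data channels are
# classed RELATED). These are the legacy module names; current kernels call
# them nf_conntrack, nf_conntrack_ftp and nf_nat_ftp and usually load
# conntrack on demand when "-m state" is first used, so a missing module is
# reported rather than treated as fatal.
for mod in ip_conntrack ip_nat_ftp ip_conntrack_ftp iptable_nat; do
  modprobe "$mod" 2>/dev/null || printf 'warning: could not load module %s\n' "$mod" >&2
done

# Clean slate. Policies go to DROP before any rule is added, so if a later
# rule fails (set -e aborts the script) the host is closed rather than
# half-open; fix the offending line and re-run.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# --- Loopback ---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# --- Packet sanity checks ---------------------------------------------------
# Fragments, XMAS (all flags), NULL (no flags), non-SYN "new" segments and
# packets conntrack cannot classify are dropped before anything is accepted.
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -m state --state INVALID -j DROP

# --- Replies to connections we already track --------------------------------
# Replaces the per-service "--sport N -j ACCEPT" reply rules, which matched on
# source port alone regardless of connection state. With the FTP helper loaded
# this is also what admits RELATED FTP data channels.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- Generic new-TCP-connection throttle ------------------------------------
# More than 20 new TCP connections from one source within 60 s are dropped.
# The second rule only records the source (no target). Note the limit also
# counts HTTP connections, so it is fairly tight for a busy web server.
iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name TCPNEW -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m recent --set --name TCPNEW

# --- SSH (tcp/22) -----------------------------------------------------------
# A source opening a 2nd new SSH connection within 60 s is logged, then dropped.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j LOG --log-level info --log-prefix "Anti SSH-Bruteforce: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# --- ICMP echo --------------------------------------------------------------
# Inbound echo request (8) / reply (0) limited to 2/s, burst 5; outbound free.
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT

# --- DNS (tcp+udp/53, as server and as client) ------------------------------
# Inbound queries: 100/min per source, burst 50, one shared hashlimit table.
# Outbound queries are allowed; their answers come back via the ESTABLISHED
# rule above (the old "--sport 53 -j ACCEPT" inbound rules are gone).
for proto in tcp udp; do
  iptables -A INPUT -p "$proto" -i "$WAN_IF" --dport 53 -m hashlimit \
    --hashlimit-mode srcip --hashlimit-upto 100/m --hashlimit-burst 50 \
    --hashlimit-name DNSTHROTTLE -j ACCEPT
  iptables -A OUTPUT -p "$proto" -o "$WAN_IF" --dport 53 -j ACCEPT
done

# --- HTTP/HTTPS (tcp/80,443) ------------------------------------------------
# Per-source new-connection limits per 60 s: 10 for HTTP, 4 for HTTPS, each
# on its own named list.
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name HTTP -j DROP
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTP
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name HTTPS -j DROP
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set --name HTTPS
iptables -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT

# --- FTP (tcp/20,21) --------------------------------------------------------
# 3 new connections per source per 60 s on each port.
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name FTP -j DROP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 20 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name FTPDATA -j DROP
iptables -A INPUT -p tcp --dport 20 -m state --state NEW -m recent --set --name FTPDATA
iptables -A INPUT -p tcp -i "$WAN_IF" -m multiport --dports 20,21 -j ACCEPT

# --- Outbound client traffic (package updates etc.) -------------------------
# Off by default; uncomment while needed, as the original comment intended.
# The original opened tcp+udp 1024:65535 in both directions, which also
# accepted unsolicited inbound traffic to every unprivileged port. Outbound
# HTTP/HTTPS plus the ESTABLISHED rule above is all an update needs.
#iptables -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT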