====== Iptables/Netfilter server sample ====== #!/bin/sh # -- INTERFACES -- WAN0=wan0 LAN0=lan0 VIRBR0=virbr0 # -- DEFAULT POLICIES -- iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT # -- CLEAR -- iptables -F iptables -X iptables -t nat -F iptables -t mangle -F iptables -t nat -X iptables -t mangle -X # -- SYN FLOOD -- iptables -N SYN-FLOOD for PORT in 21 22 25 80 139 143 443 445 3128 3130 5222 5223 5269 5280 6080 9418 11194 49164; do iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -m hashlimit --hashlimit 10/min --hashlimit-burst 10 \ --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -j LOG --log-prefix "IPTables SYN-FLOOD: " --log-level 4 iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -j DROP iptables -A SYN-FLOOD -p tcp --dport $PORT ! --syn -j RETURN done # -- INPUT -- iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i $WAN0 -s 192.168.1.1 -j ACCEPT # Allow Router iptables -A INPUT -i $WAN0 -s xx.yy.zz.123 -j ACCEPT # Allow someone iptables -A INPUT -i $LAN0 -s 192.168.0.0/16 -j ACCEPT # Allow LAN0 iptables -A INPUT -i $VIRBR0 -s 192.168.0.0/16 -j ACCEPT # Allow VIRBR0 # Allow packets for established connections iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # http://www.mauromascia.com/blog/limiting-concurrent-connections-per-ip/ iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP iptables -A INPUT -f -j DROP #iptables -I INPUT -m conntrack --ctstate INVALID -j DROP # SYN-flood iptables -A INPUT -i $WAN0 -p tcp --syn -j SYN-FLOOD # Open several ports iptables -A INPUT -i $WAN0 -p tcp -m tcp -m multiport --dports \ 21,22,25,80,143,443,3130,5222,5223,5269,6080,9418,11194,49164 \ -d 192.168.1.22 \ -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i $LAN0 -p tcp -m tcp -m multiport --dports \ 22,25,53,139,445,3128,5280 \ -d 192.168.1.2 \ -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i $VIRBR0 -p tcp -m tcp -m multiport --dports \ 53,139,445,3128 \ -m conntrack --ctstate NEW -j ACCEPT # Allow ping for local subnets iptables -A INPUT -i $LAN0 -p icmp --icmp-type echo-request -d 192.168.1.2 -m limit --limit 2/s --limit-burst 3 -j ACCEPT iptables -A INPUT -i $VIRBR0 -p icmp --icmp-type echo-request -d 192.168.122.1 -m limit --limit 2/s --limit-burst 3 -j ACCEPT # Game Servers iptables -A INPUT -i $WAN0 -p udp --dport 27960 -j ACCEPT iptables -A INPUT -i $WAN0 -p udp --dport 30000 -j ACCEPT # DHCP/DNS for LAN0 and VIRBR0 iptables -A INPUT -i $LAN0 -p udp --dport 53 -j ACCEPT iptables -A INPUT -i $VIRBR0 -p udp --dport 53 -j ACCEPT iptables -A INPUT -i $VIRBR0 -p udp -d 255.255.255.255 --dport 67 -j ACCEPT # -- FORWARD -- iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu #iptables -A FORWARD -j SYN-FLOOD iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i $VIRBR0 -o $WAN0 -j ACCEPT iptables -A FORWARD -i $LAN0 -o $VIRBR0 -j ACCEPT iptables -A FORWARD -i $VIRBR0 -o $LAN0 -j ACCEPT #iptables -A FORWARD -i $LAN0 -o $WAN0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 \ # -m conntrack --ctstate NEW -j ACCEPT # -- MASQUERADE -- iptables -t nat -A POSTROUTING -o $WAN0 -j MASQUERADE # -- SQUID -- #iptables -t nat -A PREROUTING -i $LAN0 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128 #iptables -t nat -A PREROUTING -i $VIRBR0 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128 # -- SSH GUARD -- iptables -N sshguard iptables -A INPUT -j sshguard # Allow tiny proxy only for Someone #iptables -A INPUT -i $EXTIF -p tcp --dport 3130 ! -s xx.yy.zz.123 -j DROP #--------------------- #--- More examples --- #--------------------- # Deny ICMP echo-requests iptables -t filter -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP # Forward traffic from local net except the routers ROUTER1_IP=192.168.1.333 ROUTER2_IP=192.168.1.555 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -s $ROUTER1_IP -m conntrack --ctstate NEW -j REJECT iptables -A FORWARD -s $ROUTER2_IP -m conntrack --ctstate NEW -j REJECT iptables -A FORWARD -s 192.168.0.0/16 ! -d 192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT iptables -A FORWARD -j REJECT # Squid iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128 # SSH Guard iptables -N sshguard iptables -A INPUT -j sshguard # Block Samba connections from Routers with old firmwares iptables -A INPUT -i $EXTIF -p udp --dport 137 -s $ROUTER1_IP -j DROP iptables -A INPUT -i $EXTIF -p udp --dport 138 -s $ROUTER1_IP -j DROP iptables -A INPUT -i $EXTIF -p tcp --dport 139 -s $ROUTER1_IP -j REJECT iptables -A INPUT -i $EXTIF -p tcp --dport 445 -s $ROUTER1_IP -j REJECT iptables -A INPUT -i $EXTIF -p udp --dport 137 -s $ROUTER2_IP -j DROP iptables -A INPUT -i $EXTIF -p udp --dport 138 -s $ROUTER2_IP -j DROP iptables -A INPUT -i $EXTIF -p tcp --dport 139 -s $ROUTER2_IP -j REJECT iptables -A INPUT -i $EXTIF -p tcp --dport 445 -s $ROUTER2_IP -j REJECT # Drop all outbound UDP traffic except for the DNS, NTP iptables -A INPUT -p udp --sport 53 -j ACCEPT iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A OUTPUT -p udp --sport 53 -j ACCEPT iptables -A OUTPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p udp --sport 123 -j ACCEPT iptables -A INPUT -p udp --dport 123 -j ACCEPT iptables -A OUTPUT -p udp --sport 123 -j ACCEPT iptables -A OUTPUT -p udp --dport 123 -j ACCEPT iptables -A INPUT -p udp -j DROP iptables -A OUTPUT -p udp -j DROP # Don't forward UPD traffic except for the DNS, NTP iptables -A FORWARD -p udp --sport 53 -j ACCEPT iptables -A FORWARD -p udp --dport 53 -j ACCEPT iptables -A FORWARD -p udp --sport 123 -j ACCEPT iptables -A FORWARD -p udp --dport 123 -j ACCEPT iptables -A FORWARD -p udp -j DROP