  1. #!/bin/bash
  2.  
  3. echo "0" /proc/sys/net/ipv4/ip_forward
  4.  
  5. iptables -F
  6. iptables -F -t nat
  7. iptables -F -t mangle
  8. iptables -X
  9. iptables -X -t nat
  10. iptables -X -t mangle
  11.  
  12. echo "Old rules flushed"
  13.  
  14. modprobe ip_conntrack_ftp
  15.  
  16. # Установка правил на DROP по-умолчанию
  17.  
  18. iptables -P INPUT DROP
  19. iptables -P OUTPUT DROP
  20.  
  21. # Создание новой цепочки
  22.  
  23. iptables -N BAD_PACKETS
  24.  
  25. # Allow localhost
  26.  
  27. iptables -A INPUT -i lo -j ACCEPT
  28. iptables -A OUTPUT -o lo -j ACCEPT
  29.  
  30. # Jump to BAD_PACKETS
  31.  
  32. iptables -A INPUT -j BAD_PACKETS
  33.  
  34. # Allow ESTABLISHED connections
  35.  
  36. iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  37.  
  38. # Allow PING
  39.  
  40. iptables -A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
  41. iptables -A OUTPUT -p ICMP -o eth0 --icmp-type 9 -j ACCEPT
  42.  
  43. # Allow output SSH
  44.  
  45. iptables -A OUTPUT -p TCP -o eth0 --dport 22 -j ACCEPT
  46.  
  47. # Allow DNS
  48.  
  49. iptables -A OUTPUT -p UDP -o eth0 -d IP_ADDR --dport 53 -j ACCEPT
  50. iptables -A OUTPUT -p TCP -o eth0 -d IP_ADDR --dport 53 -j ACCEPT
  51. iptables -A OUTPUT -p UDP -o eth0 -d IP_ADDR --dport 53 -j ACCEPT
  52. iptables -A OUTPUT -p TCP -o eth0 -d IP_ADDR --dport 53 -j ACCEPT
  53. iptables -A OUTPUT -p UDP -o eth0 -d 8.8.8.8 --dport 53 -j ACCEPT
  54. iptables -A OUTPUT -p TCP -o eth0 -d 8.8.8.8 --dport 53 -j ACCEPT
  55.  
  56.  
  57. # Allow HTTP
  58.  
  59. iptables -A OUTPUT -p TCP -o eth0 --dport 443 -j ACCEPT
  60. iptables -A OUTPUT -p TCP -o eth0 --dport 80 -j ACCEPT
  61.  
  62. # Allow Webmin
  63.  
  64. iptables -A OUTPUT -p TCP -o eth0 --dport 10000 -j ACCEPT
  65.  
  66. # Allow Lync
  67.  
  68. iptables -A OUTPUT -p TCP -o eth0 -d IP_ADDR --dport 5061 -j ACCEPT
  69.  
  70. # Allow RDP
  71.  
  72. iptables -A OUTPUT -p TCP -o eth0 --dport 3389 -j ACCEPT
  73.  
  74. # Allow POP3, SMTP, IMAP, IMAPS
  75.  
  76. iptables -A OUTPUT -p TCP -o eth0 --dport 110 -j ACCEPT
  77. iptables -A OUTPUT -p TCP -o eth0 --dport 143 -j ACCEPT
  78. iptables -A OUTPUT -p TCP -o eth0 --dport 25 -j ACCEPT
  79. iptables -A OUTPUT -p TCP -o eth0 --dport 993 -j ACCEPT
  80.  
  81. # Allow FTP
  82.  
  83. iptables -A OUTPUT -p TCP -o eth0 --dport 21 -j ACCEPT
  84. iptables -A OUTPUT -p TCP -o eth0 --dport 22 -j ACCEPT
  85.  
  86. # Allow SAMBA
  87.  
  88. iptables -A INPUT -i eth0 -p UDP -m multiport --ports 135,136,137,138,139,445 -j ACCEPT
  89. iptables -A INPUT -i eth0 -p TCP -m multiport --ports 135,136,137,138,139,445 -j ACCEPT
  90. iptables -A OUTPUT -o eth0 -p UDP -m multiport --ports 135,136,137,138,139,445 -j ACCEPT
  91. iptables -A OUTPUT -o eth0 -p TCP -m multiport --ports 135,136,137,138,139,445 -j ACCEPT
  92.  
  93. #Allow input torrents-client
  94.  
  95. iptables -A INPUT -p TCP -i eth0 --dport 51413 -j ACCEPT
  96. iptables -A INPUT -p UDP -i eth0 --dport 51413 -j ACCEPT
  97. iptables -A INPUT -p TCP -i eth0 --dport 6881 -j ACCEPT
  98. iptables -A INPUT -p UDP -i eth0 --dport 6881 -j ACCEPT
  99.  
  100. ##### ATTACK #####
  101.  
  102. # DoS
  103.  
  104. iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  105.  
  106. # Защита от спуфинга
  107.  
  108. iptables -I INPUT -m conntrack --ctstate NEW,INVALID -p tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
  109.  
  110. # Защита от попытки открыть входящее соединение TCP не через SYN
  111.  
  112. iptables -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
  113.  
  114. ##### DROP #####
  115.  
  116. #iptables -A INPUT -j LOG --log-prefix "INPUT DROP:"
  117. #iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP:"
  118. iptables -A BAD_PACKETS -d 255.255.255.255 -j DROP
  119. iptables -A BAD_PACKETS -j RETURN
  120.  
  121. echo "Rules written."