tBKwtWS
/
netfilter-config


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155
							# Well known ports      0:1023
# Registered ports      1024:49151
# Goldielocks zone      32768:65535
# Dynamic/Private       49152:65535
#

*filter

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:clutter - [0:0]

# Local loopback
-A INPUT ! -i lo -d 127.0.0.0/8 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped 127.0.0.0/8, from non localhost: " --log-level 7
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Local docker
#-A OUTPUT ! -o eth0 -s 172.18.0.0/13 -d 172.18.0.0/13 -j ACCEPT -m comment --comment "Internal docker"
#-A FORWARD ! -o eth0 ! -i eth0 -s 172.18.0.1/13 -d 172.18.0.1/13 -j ACCEPT -m comment --comment "Internal docker"

# ICMP: Ping
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# FTP
#-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 49152:65535 -j ACCEPT

# SSH
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A INPUT -s 86.83.121.29,185.66.250.42 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
#-A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
#-A FORWARD -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
#-A FORWARD -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
#-A FORWARD ! -o eth0 -d 172.18.0.0/13 -p tcp -m tcp --dport 22 -j ACCEPT

# SMTP
#-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# WHOIS
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 43 -j ACCEPT

# DNS
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT

# DHCP
-A INPUT -i eth0 -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -m limit --limit 5/min -j LOG --log-prefix "iptables allowed DHCP: " --log-level 7
-A INPUT -i eth0 -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -m limit --limit 5/min -j LOG --log-prefix "iptables allowed DHCP: " --log-level 7
-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT

# HTTP & HTTPS
#-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
#-A INPUT -p tcp -m tcp --dport 80 -m recent --rcheck --seconds 10 --hitcount 20 --rttl --name HTTP --rsource -j LOG --log-prefix "iptables dropped HTTP flood: " --log-level 4
#-A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 10 --hitcount 20 --rttl --name HTTP --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Tor Dir port"
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

#-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set --name HTTPS --rsource
#-A INPUT -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 10 --hitcount 20 --rttl --name HTTPS --rsource -j LOG --log-prefix "iptables dropped HTTPS flood: " --log-level 4
#-A INPUT -p tcp -m tcp --dport 443 -m recent --update --seconds 10 --hitcount 20 --rttl --name HTTPS --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Tor relay ORport"
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

# NTP
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT

# IMAP
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 143 -j ACCEPT 

# IMAPS
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 993 -j ACCEPT

# PIP
#-A OUTPUT -d 185.31.17.223 -p tcp -m tcp --sport 32768:65535 --dport 443 -j ACCEPT -m comment --comment "pip"

# SMTPS
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 465 -j ACCEPT -m comment --comment "SMTP SSL/TLS"
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 587 -j ACCEPT -m comment --comment "STARTTLS"

# XMPP
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 5223 -j ACCEPT -m comment --comment "xmpps"
-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 1900 -j ACCEPT -m comment --comment "xmpp?"

# Multicast DNS
-A OUTPUT -p udp -m udp --sport 5353 --dport 5353 -j clutter
-A OUTPUT -d 244.0.0.1 -j clutter -m comment --comment "Multicast DNS"
-A INPUT -d 224.0.0.1 -j clutter -m comment --comment "Multicast DNS"

# IRC
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 6667 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 6697 -j ACCEPT -m comment --comment "ircs"

# Bitcoin
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 8333 -j ACCEPT -m comment --comment "Bitcoin"

# Tor
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 8000 -j ACCEPT -m comment --comment "Tor"
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 9001:9002 -j ACCEPT -m comment --comment "Tor"
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 9030:9031 -j ACCEPT -m comment --comment "Tor"

# OpenPGP HTTP Key servers
-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 11371 -j ACCEPT -m comment --comment "OpenPGP hkp HTTP key servers"

# Torrents
#-A OUTPUT -p udp -m udp --sport 51413 -j ACCEPT -m comment --comment "Torrents"
#-A INPUT -p udp -m udp  --dport 51413 -j ACCEPT -m comment --comment "Torrents"

# Traceroute
-A OUTPUT -p udp -m udp --sport 32768:65535 --dport 6881:33534 -j ACCEPT -m comment --comment "Traceroute"

# CloudFlare. Why see http://www.crimeflare.com/cfblock.html
#-A INPUT -s 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped cloudflare: " --log-level 7
#-A INPUT -s 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -j DROP -m comment --comment "CloudFlare http://www.crimeflare.com/cfblock.html"
#-A OUTPUT -d 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped cloudflare: " --log-level 7
#-A OUTPUT -d 103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21 -j REJECT -m comment --comment "CloudFlare http://www.crimeflare.com/cfblock.html"

# Attacks, crawls, scans, etc
-A INPUT -p icmp -j clutter
-A INPUT -s 0.0.0.0 -d 255.255.255.255 -j clutter -m comment --comment "Broadcast messages"
-A INPUT -p udp -m udp --dport 19 -j clutter -m comment --comment "Character generator, looping to echo = DDoS"
-A INPUT -p tcp -m tcp --dport 23 -j clutter
-A INPUT -p udp -m udp --dport 53 -j clutter
-A INPUT -p udp -m udp --dport 111 -j clutter -m comment --comment "Probe/fingerprint Nix OS"
-A INPUT -p tcp -m tcp --dport 445 -j clutter -m comment --comment "MS-DS active directory"
-A INPUT -p tcp -m tcp --dport 2323 -j clutter -m comment --comment "3d-nfsd"
-A INPUT -p udp -m udp --dport 5060 -j clutter
-A INPUT -p tcp -m tcp --dport 3389 -j clutter -m comment --comment "MS terminal server RDP"

#-A INPUT -d 255.255.255.255 -p tcp -m tcp --sport 67 --dport 68 -j clutter -m comment --comment "DHCP"
#-A INPUT -m iprange --dst-range 185.66.250.254-185.66.250.255 -j clutter
#-A INPUT -m mac --mac-source d4:ca:6d:74:87:0d -j clutter
#-A INPUT -p udp -m udp --dport 3076 -j clutter -m comment --comment "orbix-config"

# Active connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log & drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
-A INPUT -j DROP
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables rejected: " --log-level 7
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A clutter -m limit --limit 5/min -j LOG --log-prefix "iptables clutter dropped: " --log-level 7
-A clutter -j DROP

COMMIT