Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
These rules work for a web server, where someone visiting the site makes connections on these ports. But I would like to use these rules when browsing the net: as you may know, any site you visit makes ten more connections from the same IP (see `ss -tuna`). How to limit that? I tried using --sport, but then only the search engine works, and when I hit a link it won't open. Is it possible to achieve this?
These two scripts are the same; I just would like to know in which one the ACCEPT rules are better placed, at the start of the script or at the end. Which has the better positioning?
I tried putting only NEW,RELATED; I can visit sites, but the same IP still makes multiple connections.
Why do they need to make so many connections?
Thanks
Code:
#!/bin/bash
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -I INPUT -j DROP
iptables -I FORWARD -j DROP
iptables -I OUTPUT -j DROP
###############################################################################
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
#internet only from host
iptables -I OUTPUT -t filter -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -t filter -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#iptables -I OUTPUT -p udp -m udp --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -t filter -p tcp -m tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp -m udp --sport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#allow dns
iptables -I OUTPUT -t filter -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -I INPUT -t filter -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#iptables -I INPUT -i tun0 -p udp -m udp --sport 1194 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#iptables -I OUTPUT -o tun0 -p udp -m udp --dport 1194 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#iptables -I FORWARD -i wlp2s0 -o tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#iptables -I FORWARD -i tun0 -o wlp2s0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
###############################################################################
iptables -I INPUT -s 127.0.0.0/8 -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -I INPUT -p icmp -j DROP
iptables -I INPUT -p tcp --syn -m conntrack --ctstate NEW -j DROP
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
######################################################################
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
###########################spoof#####################################
######################################################################
##########################smurf######################################
iptables -I INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -I INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
######################################################################
#########################bogus########################################
iptables -I INPUT -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -I OUTPUT -m conntrack --ctstate INVALID -j DROP
######################################################################
#######################tcpreset#######################################
######################################################################
######################synflood#######################################
iptables -t filter -I INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
iptables -I INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -I INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
######################################################################
#####################portscan########################################
iptables -I INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -I FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
######################################################################
######################################################################
iptables -I INPUT -p tcp -m psd -j DROP
iptables -I INPUT -p udp -m psd -j DROP
########################################
########################################
#iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
#iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
#iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
#iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
########################################
#iptables -I INPUT -p tcp -m tcp --sport 80 -m connlimit --connlimit-above 1 --connlimit-mask 24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
#iptables -I INPUT -p tcp -m tcp --sport 443 -m connlimit --connlimit-above 1 --connlimit-mask 24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
iptables -I INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 1 --connlimit-mask 24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
iptables -I INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 1 --connlimit-mask 24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
########################################
iptables -I INPUT -m geoip --src-cc AF,A1,A2 -j DROP
iptables -t mangle -I OUTPUT -j TOS --set-tos 15
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp -m string --string "/bin/sh" --algo bm -j DROP
iptables -I INPUT -p tcp -m string --string "/bin/bash" --algo bm -j DROP
################################################################################
##############################################################################
###############################################################################
###############################################################################
#allow ssh
#iptables -A OUTPUT -p tcp --dport 444 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --sport 444 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
#sshbrute
#iptables -A INPUT -p tcp -m multiport --dports 5900,5901,6000 -j ACCEPT
#iptables -A OUTPUT -p tcp -m multiport --sports 5900,5901,6000 -j ACCEPT
###############################################################################
#iptables -I OUTPUT -p udp -m udp --sport 7463 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#iptables -I INPUT -p udp -m udp --dport 7463 -m conntrack --ctstate ESTABLISHED -j ACCEPT
##########################################################################
###################################
iptables -I INPUT -p udp -m pkttype --pkt-type MULTICAST -j DROP
iptables -I INPUT -p udp -m pkttype --pkt-type BROADCAST -j DROP
######################################################
###################################
#iptables -A INPUT -j DROP
#iptables -A FORWARD -j DROP
#iptables -A OUTPUT -j DROP
##############################################################################
# download Tor exit nodes (the target directory must exist or wget has nowhere to write)
mkdir -p /blocktor
wget -O /blocktor/torexitnodes https://check.torproject.org/exit-addresses
# add iptables rules to drop Tor exit nodes, in both directions, for TCP and UDP
for torexit in $(awk '/^ExitAddress/ {print $2}' /blocktor/torexitnodes)
do
    /sbin/iptables -I INPUT  -p tcp -s "$torexit" -j DROP
    /sbin/iptables -I INPUT  -p udp -s "$torexit" -j DROP
    /sbin/iptables -I OUTPUT -p udp -d "$torexit" -j DROP
    /sbin/iptables -I OUTPUT -p tcp -d "$torexit" -j DROP
done
#for i in `cat /home/ja/bip`; do iptables -I INPUT -s $i -j DROP; done
#for i in `cat /home/ja/bip`; do iptables -I OUTPUT -d $i -j DROP; done
Code:
#!/bin/bash
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -I INPUT -j DROP
iptables -I FORWARD -j DROP
iptables -I OUTPUT -j DROP
###############################################################################
###############################################################################
iptables -I INPUT -s 127.0.0.0/8 -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -I INPUT -p icmp -j DROP
iptables -I INPUT -p tcp --syn -m conntrack --ctstate NEW -j DROP
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
######################################################################
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
###########################spoof#####################################
######################################################################
##########################smurf######################################
iptables -I INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -I INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
######################################################################
#########################bogus########################################
iptables -I INPUT -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -I OUTPUT -m conntrack --ctstate INVALID -j DROP
######################################################################
#######################tcpreset#######################################
######################################################################
######################synflood#######################################
iptables -t filter -I INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -t filter -I INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
iptables -I INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -I INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
######################################################################
#####################portscan########################################
iptables -I INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -I FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
######################################################################
#iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
#iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
#iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
#iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
########################################
#iptables -I INPUT -p tcp -m tcp --sport 80 -m connlimit --connlimit-above 1 --connlimit-mask 24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
#iptables -I INPUT -p tcp -m tcp --sport 443 -m connlimit --connlimit-above 1 --connlimit-mask 24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
iptables -I INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 1 --connlimit-mask 24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
iptables -I INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 1 --connlimit-mask 24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
######################################################################
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
#internet only from host
iptables -I OUTPUT -t filter -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -t filter -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#iptables -I OUTPUT -p udp -m udp --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -t filter -p tcp -m tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp -m udp --sport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#allow dns
iptables -I OUTPUT -t filter -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -I INPUT -t filter -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#iptables -I INPUT -i tun0 -p udp -m udp --sport 1194 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#iptables -I OUTPUT -o tun0 -p udp -m udp --dport 1194 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#iptables -I FORWARD -i wlp2s0 -o tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#iptables -I FORWARD -i tun0 -o wlp2s0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
######################################################################
iptables -I INPUT -p tcp -m psd -j DROP
iptables -I INPUT -p udp -m psd -j DROP
########################################
########################################
########################################
iptables -I INPUT -m geoip --src-cc AF,A1,A2 -j DROP
iptables -t mangle -I OUTPUT -j TOS --set-tos 15
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp -m string --string "/bin/sh" --algo bm -j DROP
iptables -I INPUT -p tcp -m string --string "/bin/bash" --algo bm -j DROP
################################################################################
##############################################################################
###############################################################################
###############################################################################
#allow ssh
#iptables -A OUTPUT -p tcp --dport 444 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --sport 444 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
#sshbrute
#iptables -A INPUT -p tcp -m multiport --dports 5900,5901,6000 -j ACCEPT
#iptables -A OUTPUT -p tcp -m multiport --sports 5900,5901,6000 -j ACCEPT
###############################################################################
#iptables -I OUTPUT -p udp -m udp --sport 7463 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#iptables -I INPUT -p udp -m udp --dport 7463 -m conntrack --ctstate ESTABLISHED -j ACCEPT
##########################################################################
###################################
iptables -I INPUT -p udp -m pkttype --pkt-type MULTICAST -j DROP
iptables -I INPUT -p udp -m pkttype --pkt-type BROADCAST -j DROP
######################################################
###################################
#iptables -A INPUT -j DROP
#iptables -A FORWARD -j DROP
#iptables -A OUTPUT -j DROP
##############################################################################
# download Tor exit nodes (the target directory must exist or wget has nowhere to write)
mkdir -p /blocktor
wget -O /blocktor/torexitnodes https://check.torproject.org/exit-addresses
# add iptables rules to drop Tor exit nodes, in both directions, for TCP and UDP
for torexit in $(awk '/^ExitAddress/ {print $2}' /blocktor/torexitnodes)
do
    /sbin/iptables -I INPUT  -p tcp -s "$torexit" -j DROP
    /sbin/iptables -I INPUT  -p udp -s "$torexit" -j DROP
    /sbin/iptables -I OUTPUT -p udp -d "$torexit" -j DROP
    /sbin/iptables -I OUTPUT -p tcp -d "$torexit" -j DROP
done
#for i in `cat /home/ja/bip`; do iptables -I INPUT -s $i -j DROP; done
#for i in `cat /home/ja/bip`; do iptables -I OUTPUT -d $i -j DROP; done
Are these rules going to be for a server, a desktop, or a router?
In general, the filter starts at the top and works its way down, so you will have to put the most frequently needed rules at the top and the less frequently used rules further down the chain, for speed.
There is also a lot of weirdness in the rules you have listed, and each line should be re-examined for what it actually does, not what you wish it could do. A case in point is where the script is blocking 127.0.0.0/8 on all interfaces, including loopback; that will create problems if it even kind of works at all. Also include the interfaces in that assessment.
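The question in the first post (where the ACCEPT rules belong) and the answer above (the chain is walked top to bottom, first match wins) come down to one detail the scripts hide: every rule is added with -I, which puts it at the top of the chain, so the textual order of the script is the reverse of the order the kernel evaluates. The following is an added example for this thread, a small Python model of first-match chain evaluation; it is not iptables and not code from the thread. It replays only the INPUT rules the two scripts disagree about (the catch-all -I DROP, the lo ACCEPT, the 127.0.0.0/8 DROP and one of the appended -A bogon rules), models only the -i and -s matches, and uses constructed packets; the interface name wlp2s0 is taken from the posted scripts.

```python
import ipaddress

# Toy model of how a netfilter chain is walked: first matching rule wins, and
# the chain policy applies only when nothing matched. Added example for this
# thread, not iptables itself. It models only the matches the two posted
# scripts disagree about (input interface and source address); every other
# match in the posted rules is left out on purpose.

class Rule:
    def __init__(self, target, iface=None, src=None):
        self.target = target
        self.iface = iface
        self.src = ipaddress.ip_network(src) if src else None

    def matches(self, pkt):
        if self.iface is not None and pkt["iface"] != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        return True


class Chain:
    def __init__(self, policy):
        self.policy = policy
        self.rules = []

    def insert(self, rule):          # iptables -I: new rule goes to the TOP
        self.rules.insert(0, rule)

    def append(self, rule):          # iptables -A: new rule goes to the BOTTOM
        self.rules.append(rule)

    def verdict(self, pkt):
        """Return (target, index) of the first matching rule, or (policy, None)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.target, i
        return self.policy, None


def build_input_chain(order):
    """Replay the INPUT rules the two scripts disagree about, in script order.

    order="accept_first": script 1, where '-I INPUT -i lo -j ACCEPT' comes
    textually BEFORE '-I INPUT -s 127.0.0.0/8 -j DROP'.
    order="accept_last":  script 2, where the lo ACCEPT comes textually AFTER it.
    Because every rule is inserted with -I, textual order is the reverse of
    the order in which the kernel evaluates them.
    """
    chain = Chain("DROP")                                  # iptables -P INPUT DROP
    chain.insert(Rule("DROP"))                             # iptables -I INPUT -j DROP
    if order == "accept_first":
        chain.insert(Rule("ACCEPT", iface="lo"))           # iptables -I INPUT -i lo -j ACCEPT
    chain.insert(Rule("DROP", src="127.0.0.0/8"))          # iptables -I INPUT -s 127.0.0.0/8 -j DROP
    chain.append(Rule("DROP", src="0.0.0.0/8"))            # iptables -A INPUT -s 0.0.0.0/8 -j DROP
    if order == "accept_last":
        chain.insert(Rule("ACCEPT", iface="lo"))           # iptables -I INPUT -i lo -j ACCEPT
    return chain


# Constructed test packets: a local connection over loopback, and a bogon
# source arriving on the wireless interface named in the posted scripts.
LOOPBACK_PKT = {"iface": "lo", "src": "127.0.0.1"}
BOGON_PKT = {"iface": "wlp2s0", "src": "0.0.0.1"}


def loopback_verdict(order):
    """What happens to loopback traffic under each script's rule order."""
    return build_input_chain(order).verdict(LOOPBACK_PKT)[0]


def appended_bogon_rule_fires(order):
    """Is the '-A INPUT -s 0.0.0.0/8' rule ever the one that decides a packet?
    It sits below the '-I INPUT -j DROP' catch-all, so it never can be."""
    chain = build_input_chain(order)
    _, idx = chain.verdict(BOGON_PKT)
    return idx is not None and chain.rules[idx].src == ipaddress.ip_network("0.0.0.0/8")


def evaluation_order(order):
    """The chain as the kernel walks it, top to bottom."""
    return [(r.target, r.iface, str(r.src) if r.src else None)
            for r in build_input_chain(order).rules]


if __name__ == "__main__":
    for order in ("accept_first", "accept_last"):
        print(order, "chain:", evaluation_order(order))
        print("  loopback ->", loopback_verdict(order),
              "| appended bogon rule decides anything:", appended_bogon_rule_fires(order))
```

Under script 1's order the 127.0.0.0/8 DROP ends up above the lo ACCEPT and loopback traffic is dropped, which is the problem pointed out above; under script 2's order the lo ACCEPT is inserted later and therefore lands on top. In both scripts the -A rules are appended below the -I catch-all DROP and can never be the deciding rule. On a real box the same check is `iptables -S INPUT` (or `iptables -L INPUT -n -v --line-numbers`), which prints the chain in evaluation order.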
It will be for a desktop. Yes, you are right about the weirdness; that's why I posted. This 127.0.0.0/8 rule is not working, but at the moment I'm putting in rules and seeing how it acts. Some rules I cannot get working, like connlimit and hitcount. And these FIN/ACK rules I don't get: if I need a three-way handshake to access a web server, how can I access it with these drop rules (--tcp-flags ACK,FIN FIN and all the others in that section)?
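The --tcp-flags question above has a mechanical answer: `--tcp-flags MASK COMP` matches when `(flags & MASK) == COMP`, so `ACK,FIN FIN` means "FIN set and ACK clear", which a real handshake or close never produces (a normal close is FIN+ACK). The following is an added example for this thread, not code from the posted scripts: a Python model of that match, with the (MASK, COMP) pairs transcribed from the scripts' flag DROP lines and a constructed list of the segments a browsing client receives. It also checks which of those rules are already covered by another one, since the scripts repeat several.

```python
# Model of the iptables tcp match "--tcp-flags MASK COMP": a segment matches
# when (flags & MASK) == COMP, i.e. every flag in COMP is set and every flag
# that is in MASK but not in COMP is clear; flags outside MASK are ignored.
# Added example for this thread, not code from the posted scripts; the rule
# list below is transcribed from the scripts' flag-drop lines.

FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
FLAGS["ALL"] = sum(FLAGS.values())   # iptables' ALL = FIN,SYN,RST,PSH,ACK,URG


def bits(spec):
    """Turn 'SYN,ACK' into a bitmask; 'NONE' is 0."""
    if spec == "NONE":
        return 0
    value = 0
    for name in spec.split(","):
        value |= FLAGS[name]
    return value


def tcp_flags_match(mask, comp, flags):
    return (flags & bits(mask)) == bits(comp)


# (MASK, COMP) pairs from the posted scripts' flag DROP rules, all with target DROP.
POSTED_RULES = [
    ("ACK,FIN", "FIN"), ("ACK,PSH", "PSH"), ("ACK,URG", "URG"),
    ("ALL", "ALL"), ("ALL", "NONE"), ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("SYN,FIN", "SYN,FIN"), ("FIN,RST", "FIN,RST"), ("ALL", "SYN,FIN"),
    ("ALL", "URG,PSH,FIN"), ("ALL", "FIN"), ("ALL", "URG,PSH,SYN,FIN"),
    ("SYN,FIN", "SYN,FIN"), ("SYN,RST", "SYN,RST"), ("ALL", "FIN,PSH,URG"),
]


def rules_dropping(flags):
    """Which posted rules would drop a segment carrying these flags."""
    return [(m, c) for m, c in POSTED_RULES if tcp_flags_match(m, c, flags)]


# Segments a browsing client sees on INPUT during one HTTPS fetch (constructed):
# the server's SYN/ACK, plain ACKs, data with PSH, the FIN/ACK close, RST/ACK.
CLIENT_SIDE_SEGMENTS = ["SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK", "RST,ACK"]


def handshake_survives():
    """True when none of the posted rules touch a normal client-side TCP exchange."""
    return all(not rules_dropping(bits(s)) for s in CLIENT_SIDE_SEGMENTS)


def redundant_rules():
    """Rules whose whole match set is already covered by another rule.

    Each rule's match set is computed over all 64 combinations of the six
    flags. A rule is redundant if some other rule matches a strict superset,
    or an identical set and appears earlier in the list (a plain duplicate).
    """
    match_sets = [{f for f in range(64) if tcp_flags_match(m, c, f)} for m, c in POSTED_RULES]
    redundant = []
    for j, sj in enumerate(match_sets):
        for i, si in enumerate(match_sets):
            if i != j and sj <= si and (sj != si or i < j):
                redundant.append(POSTED_RULES[j])
                break
    return redundant


if __name__ == "__main__":
    for seg in CLIENT_SIDE_SEGMENTS:
        print(f"{seg:8s} dropped by: {rules_dropping(bits(seg))}")
    print("bare FIN dropped by:", rules_dropping(bits("FIN")))
    print("all flags set dropped by:", rules_dropping(bits("ALL")))
    print(f"{len(redundant_rules())} of {len(POSTED_RULES)} rules are redundant")
```

None of the posted flag rules match a legitimate client-side segment, which is why browsing still works with that whole section in place; they only catch combinations such as a bare FIN or every flag set at once. Eight of the fifteen rules are covered by another rule in the same list (for example `ALL SYN,FIN` is a subset of `SYN,FIN SYN,FIN`, and `ALL ALL` is a subset of it too), so the list can be cut to seven without changing what is dropped.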
OK. If it is for a desktop, and it will not be serving anything, then I would focus on building the OUTPUT chain and use the following fairly generic setup for the INPUT chain:
Code:
# Loopback: accept only traffic that really is local, i.e. on the lo interface
# with 127/8 on both ends, so packets spoofed as 127.x on another interface do not match
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# Replies to connections this host opened, plus related traffic such as ICMP errors
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Answer pings, rate-limited to 1/s (the limit match's default burst is 5)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Everything else, including pings over the limit, is refused with an error rather than silently dropped
iptables -A INPUT -j REJECT