Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I finally got the firewall running correctly as a "gateway" between the internet and the Buffalo. My only question now is how do you set up a transparent proxy server?
I finally got the firewall running correctly as a "gateway" between the internet and the Buffalo. My only question now is how do you set up a transparent proxy server?
okay, i'll uninstall my squid so i can start again from scratch and give you a step-by-step on how to get it going... i'll post back ASAP...
this is result of my internet researching to collect IP Tables Script Can save from attacks
if any one can participate to make this script better
share my your comments
Quote:
## 1001. IP Tables Flush Command
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
################################################################################
## 1002. default policy for each of the chains
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP
################################################################################
## 1003. Log INPUT traffic
iptables -I INPUT -j LOG --log-prefix "iptables-in: " --log-level 7
## 1004. Log FORWARD Traffic
iptables -I FORWARD -j LOG --log-prefix "iptables-fw: " --log-level 7
## 1005. Log OUTPUT Traffic
iptables -I OUTPUT -j LOG --log-prefix "iptables-out: " --log-level 7
################################################################################
## 1006. To log network activity in the NAT table execute the following commands for tracking activity in their respective chains
iptables -t nat -I PREROUTING -j LOG --log-prefix "iptables-nat-in: " --log-level 7
iptables -t nat -I POSTROUTING -j LOG --log-prefix "iptables-nat-out: " --log-level 7
################################################################################
## 1007. Open LoopBack Interface
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
################################################################################
## 1008. Allow Connections Initiated by the Machine
## Allow Connection Initiated by wireless interface
iptables --append OUTPUT --out-interface wlan0 --jump ACCEPT
## Allow Connection Initiated by wire interface
iptables --append OUTPUT --out-interface eth0 --jump ACCEPT
iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
################################################################################
## 1009. Filter untrusted traffic
iptables -A INPUT --in-interface wlan0
iptables -A INPUT --in-interface eth0
################################################################################
## 1010. Block Invalid Packets
## This rule blocks all packets that are not a SYN packet and don’t belong to an established TCP connection.
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
################################################################################
## 1011. Block New Packets That Are Not SYN
## This blocks all packets that are new (don’t belong to an established connection) and don’t use the SYN flag.
## This rule is similar to the “Block Invalid Packets” one, but we found that it catches some packets that the other one doesn’t.
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
################################################################################
## 1012. Block Uncommon MSS Values
## The above iptables rule blocks new packets (only SYN packets can be new packets as per the two previous rules)
## that use a TCP MSS value that is not common. This helps to block dumb SYN floods.
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
################################################################################
## 1013. Block Packets With Bogus TCP Flags
## The below ruleset blocks packets that use bogus TCP flags, ie.
## TCP flags that legitimate packets wouldn’t use.
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
################################################################################
## Bloack Port Scanning
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp -i wlan0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -i wlan0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
iptables -A FORWARD -p tcp -i wlan0 -m state --state NEW -m recent --set
iptables -A FORWARD -p tcp -i wlan0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
################################################################################
## 1014. v (Spoofing)
## These rules block spoofed packets originating from private (local) subnets.
## On your public network interface you usually don’t want to receive packets from private source IPs.
## These rules assume that your loopback interface uses the 127.0.0.0/8 IP space.
## These five sets of rules alone already block many TCP-based DDoS attacks at very high packet rates.
## With the kernel settings and rules mentioned above, you’ll be able to filter ACK and SYN-ACK attacks at line rate.
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
################################################################################
## 1015. Additional Rules
## This drops all ICMP packets. ICMP is only used to ping a host to find out if it’s still alive.
## Because it’s usually not needed and only represents another vulnerability that attackers can exploit,
## we block all ICMP packets to mitigate Ping of Death (ping flood), ICMP flood and ICMP fragmentation flood.
iptables -t mangle -A PREROUTING -p icmp -j DROP
################################################################################
## 1016. This iptables rule helps against connection attacks.
## It rejects connections from hosts that have more than 80 established connections.
## If you face any issues you should raise the limit as this could cause troubles with
## legitimate clients that establish a large number of TCP connections.
iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
################################################################################
## 1017. Limits the new TCP connections that a client can establish per second.
## This can be useful against connection attacks,
## but not so much against SYN floods because the usually use an endless amount of different spoofed source IPs.
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
################################################################################
## 1018. This rule blocks fragmented packets.
## Normally you don’t need those and blocking fragments will mitigate UDP fragmentation flood.
## But most of the time UDP fragmentation floods use a high amount of bandwidth that is likely to exhaust the capacity of your network card,
## which makes this rule optional and probably not the most useful one.
iptables -t mangle -A PREROUTING -f -j DROP
################################################################################
## 1019. This limits incoming TCP RST packets to mitigate TCP RST floods.
## Effectiveness of this rule is questionable.
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
################################################################################
## 1020. Mitigating SYN Floods With SYNPROXY
## SYNPROXY is a new target of iptables that has been added in Linux kernel version 3.12 and iptables 1.4.21.
## CentOS 7 backported the feature and it’s available in its 3.10 default kernel.
## The purpose of SYNPROXY is to check whether the host that sent the SYN packet actually establishes a full TCP connection
## or just does nothing after it sent the SYN packet.
## If it does nothing, it discards the packet with minimal performance impact.
## While the iptables rules that we provided above already block most TCP-based attacks,
## the attack type that can still slip through them if sophisticated enough is a SYN flood.
## It’s important to note that the performance of the rules will always be better if we find a certain pattern or signature to block,
## such as packet length (-m length), TOS (-m tos), TTL (-m ttl) or strings and hex values (-m string and -m u32 for the more advanced users).
## But in some rare cases that’s not possible or at least not easy to achieve. So, in these cases, you can make use of SYNPROXY.
## Here are iptables SYNPROXY rules that help mitigate SYN floods that bypass our other rules:
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
################################################################################
## 1021. allow 3 way handshake
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
################################################################################
## 1022. DROP Spoofing packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
################################################################################
## 1023. For SMURF Attack Protection
iptables -A INPUT -p icmp --icmp-type echo-request -d 192.168.1.255 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -m u32 ! --u32 "0x6&0xFF=0x3C" -j DROP
################################################################################
## 1024. Droping All Invalid Packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
################################################################################
## 1025. Flooding Of RST Packets, SMURF Attack Rejection
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
################################################################################
## 1026. Protecting portscans
# Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
################################################################################
## 1027. Remove attacking IP after 24 hours
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
################################################################################
## 1028. These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
################################################################################
## 1029. Allow the following ports through from outside
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
################################################################################
## Need To Check
## 1030. Allow ping means ICMP port is open (If you do not want ping replace ACCEPT with REJECT)
## iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
################################################################################
## Lastly reject All INPUT traffic
## iptables -A INPUT -j REJECT
################# Below are for OUTPUT iptables rules #############################################
## Allow loopback OUTPUT
## iptables -A OUTPUT -o lo -j ACCEPT
## iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow the following ports through from outside
# SMTP = 25
# DNS =53
# HTTP = 80
# HTTPS = 443
# SSH = 22
### You can also add or remove port no. as per your requirement
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
