# Drop INVALID packets (illegal TCP flag combinations, packets that belong to no tracked connection).
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
# No restrictions on connections from localhost.
$IPTABLES -A INPUT -i lo -j ACCEPT
# Reject packets from the outside world addressed to the internal loopback range.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
# No restrictions on traffic originating from legitimate internal addresses.
$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT
# If IPv6-in-IPv4 tunnel traffic must reach this host, uncomment the line below.
# Note that "-p ipv6" matches only IP protocol 41 (IPv6 encapsulated in IPv4); native IPv6 is not
# filtered by iptables at all and needs an equivalent ip6tables ruleset.
#$IPTABLES -A INPUT -p ipv6 -j ACCEPT
# Drop packets arriving on the external interface that claim an internal source address (spoofing).
# DROP rather than REJECT: a REJECT would send an ICMP error towards the forged internal address.
$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j DROP
# Do not forward ping (ICMP echo-request) to hosts on the internal network.
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT
# Deny pings to the local broadcast address (smurf amplification). This must come before the
# rate-limited echo-request ACCEPT below, otherwise a slow stream of broadcast pings is accepted.
$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP
# Limit ping floods against the gateway itself: accept at most one echo-request per second
# (plus the default burst of 5) and drop the rest.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
# Allow all other ICMP.
$IPTABLES -A INPUT -p icmp -j ACCEPT
# No restrictions on packets belonging to established or related connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Do not forward NetBIOS/SMB traffic to the outside world; Samba and Windows file sharing are
# among the most frequently attacked services. Direct SMB over TCP port 445 is not covered by
# these rules and needs the same treatment.
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT
# Samba shares on the gateway itself: accept the NetBIOS ports from the internal interface only,
# so that TCP 139 is not reachable from the outside (the rule above rejects only UDP 137 from
# $EXTERNALIF).
$IPTABLES -A INPUT -i $INTERNALIF -p tcp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNALIF -p udp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNALIF -p tcp --dport 138 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNALIF -p udp --dport 138 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNALIF -p tcp --dport 139 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNALIF -p udp --dport 139 -j ACCEPT
# Forward everything else from the internal network to the outside world.
$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT
# Allow replies belonging to established connections to be forwarded back in.
$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Let this host act as the DHCP server for the inside network. DHCP runs over UDP only
# (client port 68 to server port 67), so no TCP rule is needed.
$IPTABLES -A INPUT -i $INTERNALIF -p udp --sport 68 --dport 67 -j ACCEPT
# Services on the gateway itself. None of these ACCEPT rules carries an interface match, so each
# port is opened towards both the internal and the external network. Because iptables stops at
# the first matching rule, the external-interface DROP rules at the end of the script cannot
# close a port that is accepted here: put those DROPs first, or add "-i $INTERNALIF" to the
# rules below.
# ftp-data
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
# ftp
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
# ssh (commented out here; uncomment it if the gateway is administered over ssh)
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# Telnet. Telnet carries credentials in clear text; prefer ssh and leave this port closed where possible.
$IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT
# DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
# http
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# POP-3
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
# https
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
# VNC server: 5901 is VNC display :1, 5801 its built-in HTTP/Java viewer, 6001 is X11 display :1.
$IPTABLES -A INPUT -p tcp --dport 5801 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 6001 -j ACCEPT
# EXPLICITLY BLOCKING SERVICE PORTS FOR THE GATEWAY FROM THE OUTSIDE WORLD
# Rule order matters: iptables stops at the first match, so appended (-A) DROP rules have no
# effect on a port that an earlier ACCEPT already matched. For these rules to take effect they
# must come before the service ACCEPT rules (or use "-I INPUT" to insert them at the top of the
# chain). eth0 is assumed to be the external interface ($EXTERNALIF elsewhere in the script).
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 21   # ftp
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 22   # ssh
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 23   # telnet
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 25   # smtp
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 53   # domain
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 79   # finger
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 80   # httpd
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 110  # pop3
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 111  # sunrpc
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 137  # netbios-ns
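Because iptables stops at the first matching rule, a DROP appended after an interface-less ACCEPT for the same port never fires. The following is an added example, not code from the original post: a small checker that reads iptables rule lines from stdin and reports every DROP or REJECT that is shadowed by an earlier ACCEPT on the same chain, protocol and destination port, either unrestricted or on the same interface. The sample rule list is constructed for the demonstration and follows the post's ordering (service ACCEPTs first, then the eth0 DROP block); the function name shadowed_drops is my own.

```shell
#!/bin/sh
# Added example: find DROP/REJECT rules that an earlier ACCEPT already matches.
# iptables is first-match, so such rules are dead. Reads rule lines (iptables
# arguments, one rule per line) on stdin and prints "chain proto port" for each
# shadowed rule. Rules without --dport are ignored: an ACCEPT such as
# "-i lo -j ACCEPT" or "--state ESTABLISHED,RELATED" is interface- or
# state-scoped and does not shadow the port-based DROPs we are looking for.
shadowed_drops() {
    awk '
    NF == 0 { next }
    {
        chain = ""; proto = ""; port = ""; iface = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (port == "") next
        key = chain "/" proto "/" port
        if (target == "ACCEPT") {
            # An ACCEPT with no -i matches every interface; one with -i only
            # shadows later rules on that same interface.
            if (iface == "") accept_any[key] = 1
            else accept_if[key "/" iface] = 1
        } else if (target == "DROP" || target == "REJECT") {
            if ((key in accept_any) || ((key "/" iface) in accept_if))
                print chain, proto, port
        }
    }'
}

# Constructed sample (not the post's full script): service ACCEPTs followed by
# the external-interface DROP block, in the same order as the post, with eth0
# assumed to be the external and eth1 the internal interface.
SAMPLE_RULES='
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 139 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp --dport 23 -j DROP
-A INPUT -i eth0 -p tcp --dport 80 -j DROP
-A INPUT -i eth0 -p tcp --dport 139 -j DROP
-A FORWARD -o eth0 -p tcp --dport 139 -j REJECT
'

# Prints "INPUT tcp 23" and "INPUT tcp 80": both DROPs follow an interface-less
# ACCEPT. Port 22 has no ACCEPT, and 139 is accepted only on eth1, so the eth0
# DROP for it is still live.
printf '%s\n' "$SAMPLE_RULES" | shadowed_drops
```

To check a live ruleset rather than the constructed sample, feed it the output of `iptables-save` filtered to `-A` lines (`iptables-save | grep '^-A' | shadowed_drops`). The checker deliberately ignores `-s`/`-d` matches, so a DROP scoped to a source range can still be reported as shadowed by a broad ACCEPT; that is the conservative direction for an audit.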