Difference between revisions of "Iptables"

From HyperSecurity Wiki
Jump to: navigation, search
Line 1: Line 1:
 
== OpenVZ IPtables: ==
 
== OpenVZ IPtables: ==
  
# Generated by HyperSecure Solutions v1.2 on August 8, 2013
+
# Generated by HyperSecure Solutions v1.2 on August 8, 2013
*filter
+
*filter
:FORWARD DROP [0:0]
+
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
+
:INPUT DROP [0:0]
:OUTPUT ACCEPT [187:19244]
+
:OUTPUT ACCEPT [187:19244]
:portdrop - [0:0]
+
:portdrop - [0:0]
  
# Block bad tcp flags
+
# Block bad tcp flags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
+
  [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop
  
#ICMP Drops
+
#ICMP Drops
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
+
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
+
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
+
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
+
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
+
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -i lo -j ACCEPT
+
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
+
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
+
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
 
 
#Server Ports
 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 
-A INPUT -p tcp -m tcp -j DROP
 
-A INPUT -p udp -m udp -j DROP
 
-A OUTPUT -o lo -j ACCEPT
 
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
 
-A portdrop -p tcp -m tcp -j REJECT --reject-with tcp-reset
 
-A portdrop -j DROP
 
COMMIT
 
  
 +
#Server Ports
 +
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 +
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 +
-A INPUT -p tcp -m tcp -j DROP
 +
-A INPUT -p udp -m udp -j DROP
 +
-A OUTPUT -o lo -j ACCEPT
 +
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
 +
-A portdrop -p tcp -m tcp -j REJECT --reject-with tcp-reset
 +
-A portdrop -j DROP
 +
COMMIT
  
 
== KVM IPtables : ==
 
== KVM IPtables : ==
  
# Generated by HyperSecure Solutions v1.3 on June 26, 2015
+
# Generated by HyperSecure Solutions v1.3 on June 26, 2015
*filter
+
*filter
:FORWARD DROP [0:0]
+
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
+
:INPUT DROP [0:0]
:OUTPUT ACCEPT [187:19244]
+
:OUTPUT ACCEPT [187:19244]
:portdrop - [0:0]
+
:portdrop - [0:0]
  
# Block bad tcp flags
+
# Block bad tcp flags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop
+
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop
  
#ICMP Drops
+
#ICMP Drops
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
+
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
+
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
+
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
+
  -A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
+
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -i lo -j ACCEPT
+
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
+
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
+
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
  
#Server Ports
+
#Server Ports
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
+
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
+
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -j DROP
+
-A INPUT -i eth0 -p tcp -m tcp -j DROP
-A INPUT -i eth0 -p udp -m udp -j DROP
+
-A INPUT -i eth0 -p udp -m udp -j DROP
-A OUTPUT -o lo -j ACCEPT
+
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
+
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
-A portdrop -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
+
-A portdrop -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A portdrop -i eth0 -j DROP
+
-A portdrop -i eth0 -j DROP
COMMIT
+
COMMIT

Revision as of 17:26, 26 June 2015

OpenVZ IPtables:

# Generated by HyperSecure Solutions v1.2 on August 8, 2013
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [187:19244]
:portdrop - [0:0]

# Block bad tcp flags
 [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop

#ICMP Drops
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

#Server Ports
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -j DROP
-A INPUT -p udp -m udp -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
-A portdrop -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A portdrop -j DROP
COMMIT

KVM IPtables :

# Generated by HyperSecure Solutions v1.3 on June 26, 2015
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [187:19244]
:portdrop - [0:0]

# Block bad tcp flags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop

#ICMP Drops
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
 -A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

#Server Ports
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -j DROP
-A INPUT -i eth0 -p udp -m udp -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
-A portdrop -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A portdrop -i eth0 -j DROP
COMMIT
Retrieved from "http://www.hypersecuresolutions.com/wiki/index.php?title=Iptables&oldid=1932"