Iptables

From HyperSecurity Wiki
Revision as of 17:25, 26 June 2015 by 142.90.148.3 (talk)
Jump to: navigation, search

OpenVZ IPtables:

  1. Generated by HyperSecure Solutions v1.2 on August 8, 2013
  • filter
FORWARD DROP [0:0]
INPUT DROP [0:0]
OUTPUT ACCEPT [187:19244]
portdrop - [0:0]
  1. Block bad tcp flags

[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop

  1. ICMP Drops

-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP -A INPUT -p icmp -m icmp --icmp-type 17 -j DROP -A INPUT -p icmp -m icmp --icmp-type 10 -j DROP -A INPUT -p icmp -m icmp --icmp-type 9 -j DROP -A INPUT -p icmp -m icmp --icmp-type 5 -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

  1. Server Ports

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp -j DROP -A INPUT -p udp -m udp -j DROP -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m state --state NEW -j ACCEPT -A portdrop -p tcp -m tcp -j REJECT --reject-with tcp-reset -A portdrop -j DROP COMMIT


KVM IPtables :

  1. Generated by HyperSecure Solutions v1.3 on June 26, 2015
  • filter
FORWARD DROP [0:0]
INPUT DROP [0:0]
OUTPUT ACCEPT [187:19244]
portdrop - [0:0]
  1. Block bad tcp flags

[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j portdrop [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j portdrop

  1. ICMP Drops

-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP -A INPUT -p icmp -m icmp --icmp-type 17 -j DROP -A INPUT -p icmp -m icmp --icmp-type 10 -j DROP -A INPUT -p icmp -m icmp --icmp-type 9 -j DROP -A INPUT -p icmp -m icmp --icmp-type 5 -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

  1. Server Ports

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp -j DROP -A INPUT -i eth0 -p udp -m udp -j DROP -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m state --state NEW -j ACCEPT -A portdrop -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset -A portdrop -i eth0 -j DROP COMMIT

Retrieved from "http://www.hypersecuresolutions.com/wiki/index.php?title=Iptables&oldid=1931"