diff --git a/iptables/README.md b/iptables/README.md
index cd17318..fbb22e8 100644
--- a/iptables/README.md
+++ b/iptables/README.md
@@ -1,23 +1,18 @@
-# iptables & ipset
+# Iptables
 ```sh
-sudo apt install ipset
-```
-
 ```sh
-sudo cp empty.rules /etc
-sudo touch /etc/{default,ipset}.rules
+sudo cp default.rules empty.rules /etc
 sudo cp *.service /etc/systemd/system
-sudo systemctl enable iptables ipset
-sudo systemctl start iptables ipset
+sudo systemctl enable iptables
+sudo systemctl start iptables
 ```
-## Presets
+## Apply and Report Rate Limits
+
+The `ratelimit.rules` file adds new chains to
+limit the rate of new connections based on /16 subnets.
 ```sh
-sudo ipset restore -f ipset.rules
-sudo iptables-restore -n connection.rules
-sudo iptables-restore -n service.rules
 sudo iptables-restore -n blackwhite.rules
 sudo iptables-restore -n knock.rules
 sudo iptables-restore -n ratelimit.rules
diff --git a/iptables/blackwhite.rules b/iptables/blackwhite.rules
index 1b4f276..c8ddcc8 100644
--- a/iptables/blackwhite.rules
+++ b/iptables/blackwhite.rules
@@ -2,12 +2,15 @@
 :BLACKLIST -
 :WHITELIST -
--A PREROUTING -j WHITELIST
 -A PREROUTING -j BLACKLIST
+-A PREROUTING -j WHITELIST
--A BLACKLIST -m set --match-set blacklist src -j DROP
+-A BLACKLIST -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
+-A BLACKLIST -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
--A WHITELIST -m set --match-set local src -j ACCEPT
--A WHITELIST -m set --match-set whitelist src -j ACCEPT
+-A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
+-A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
+-A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
+-A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
 COMMIT
diff --git a/iptables/connection.rules b/iptables/connection.rules
deleted file mode 100644
index 1db8c9d..0000000
--- a/iptables/connection.rules
+++ /dev/null
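Review bot: Swapping the two PREROUTING jumps in blackwhite.rules reverses the precedence between the lists: before, a source ACCEPTed in WHITELIST never reached BLACKLIST, whereas now a source matched in BLACKLIST is dropped even if a later WHITELIST entry would accept it. With the current contents there is no overlap (private ranges versus the two public bot ranges), so nothing breaks today, but the file should say which list wins so that a future public-address whitelist entry is not silently defeated; a `#` comment line before the jumps, such as `# BLACKLIST is evaluated first: a blacklisted source is dropped even if it is also whitelisted`, is accepted by iptables-restore. The table line (line 1) is outside the hunk; if it is the raw or mangle table, the WHITELIST ACCEPT only ends traversal of that table and does not bypass the filter INPUT policy in default.rules, which is presumably the intent but is worth confirming in that comment.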
@@ -1,6 +0,0 @@
-*filter
-:CONNECTION -
--A INPUT -j CONNECTION
--A CONNECTION -i lo -j ACCEPT
--A CONNECTION -m state --state RELATED,ESTABLISHED -j ACCEPT
-COMMIT
diff --git a/iptables/service.rules b/iptables/default.rules
similarity index 60%
rename from iptables/service.rules
rename to iptables/default.rules
index 7fdb8eb..f6c250b 100644
--- a/iptables/service.rules
+++ b/iptables/default.rules
@@ -1,11 +1,15 @@
 *filter
 :INPUT DROP
+:CONNECTION -
 :SERVICE -
+-A INPUT -j CONNECTION
 -A INPUT -j SERVICE
--A SERVICE -p tcp --dport 22 -j ACCEPT
+-A CONNECTION -i lo -j ACCEPT
+-A CONNECTION -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A SERVICE -p tcp --dport 25 -j ACCEPT
 -A SERVICE -p tcp --dport 80 -j ACCEPT
 -A SERVICE -p tcp --dport 143 -j ACCEPT
 -A SERVICE -p tcp --dport 443 -j ACCEPT
+-A SERVICE -p tcp --dport 22222 -j ACCEPT
 -A SERVICE -p udp --dport 53 -j ACCEPT
 COMMIT
diff --git a/iptables/ipset.rules b/iptables/ipset.rules
deleted file mode 100644
index 91b5d4f..0000000
--- a/iptables/ipset.rules
+++ /dev/null
@@ -1,8 +0,0 @@
-create local hash:net
-create whitelist hash:net
-create blacklist hash:net
-
-add local 127.0.0.0/8
-add local 10.0.0.0/8
-add local 172.16.0.0/12
-add local 192.168.0.0/16
diff --git a/iptables/ipset.service b/iptables/ipset.service
deleted file mode 100644
index 5c24b00..0000000
--- a/iptables/ipset.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=ipset
-Before=network-pre.target iptables.service
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-ExecStart=ipset restore -f /etc/ipset.rules
-ExecStop=ipset save -f /etc/ipset.rules ; ipset destroy
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
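Review bot: The new CONNECTION chain in default.rules accepts RELATED,ESTABLISHED but never handles INVALID, so a packet conntrack cannot classify falls through to SERVICE and is accepted whenever its destination port is listed there; add `-A CONNECTION -m conntrack --ctstate INVALID -j DROP` ahead of the accept. The accept itself uses the legacy `-m state --state` match, which current iptables treats as an alias of conntrack; writing it as `-A CONNECTION -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` keeps both lines in one idiom. The same hunk drops port 22 and adds 22222 in SERVICE with no indication of why; since blackwhite.rules in this commit already labels rules with `-m comment`, the new rule would read better as `-A SERVICE -p tcp --dport 22222 -m comment --comment "sshd (moved from 22)" -j ACCEPT`, assuming that is what the port swap represents.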