Adrian b921c2df14 Improve iptables and add port knocking for SSH 2020-05-25 00:53:28 +02:00
6 changed files with 20 additions and 45 deletions


@ -1,23 +1,18 @@
# iptables & ipset # Iptables
```sh ```sh
sudo apt install ipset sudo cp default.rules empty.rules /etc
```
```sh
sudo cp empty.rules /etc
sudo touch /etc/{default,ipset}.rules
sudo cp *.service /etc/systemd/system sudo cp *.service /etc/systemd/system
sudo systemctl enable iptables ipset sudo systemctl enable iptables
sudo systemctl start iptables ipset sudo systemctl start iptables
``` ```
## Presets ## Apply and Report Rate Limits
The `ratelimit.rules` file adds new chains to
limit the rate of new connections based on /16 subnets.
```sh ```sh
sudo ipset restore -f ipset.rules
sudo iptables-restore -n connection.rules
sudo iptables-restore -n service.rules
sudo iptables-restore -n blackwhite.rules sudo iptables-restore -n blackwhite.rules
sudo iptables-restore -n knock.rules sudo iptables-restore -n knock.rules
sudo iptables-restore -n ratelimit.rules sudo iptables-restore -n ratelimit.rules


@ -2,12 +2,15 @@
:BLACKLIST - :BLACKLIST -
:WHITELIST - :WHITELIST -
-A PREROUTING -j WHITELIST
-A PREROUTING -j BLACKLIST -A PREROUTING -j BLACKLIST
-A PREROUTING -j WHITELIST
-A BLACKLIST -m set --match-set blacklist src -j DROP -A BLACKLIST -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
-A BLACKLIST -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
-A WHITELIST -m set --match-set local src -j ACCEPT -A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
-A WHITELIST -m set --match-set whitelist src -j ACCEPT -A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
-A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
-A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
COMMIT COMMIT
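Review bot: The WHITELIST rules match on source address only, so a packet reaching the public interface with a spoofed 127.0.0.0/8 or RFC 1918 source is ACCEPTed by this chain and skips every PREROUTING rule appended after it in this table (the README restores knock.rules and ratelimit.rules after this file, so that is plausibly where the knock and rate-limit checks live). Pin the rules to an interface, e.g. `-A WHITELIST -i lo -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT` and a `! -i <wan>` match on the three RFC 1918 lines, or confirm rp_filter is enabled on the host. It is also worth a `# ACCEPT here only ends this table's PREROUTING traversal; filter INPUT still applies` comment at the top, because the whitelist does not bypass the INPUT DROP policy in service.rules and a later reader may assume it does. The table declaration on line 1 of this file is outside the hunk, so which table PREROUTING belongs to is inferred.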


@ -1,6 +0,0 @@
*filter
:CONNECTION -
-A INPUT -j CONNECTION
-A CONNECTION -i lo -j ACCEPT
-A CONNECTION -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT


@ -1,11 +1,15 @@
*filter *filter
:INPUT DROP :INPUT DROP
:CONNECTION -
:SERVICE - :SERVICE -
-A INPUT -j CONNECTION
-A INPUT -j SERVICE -A INPUT -j SERVICE
-A SERVICE -p tcp --dport 22 -j ACCEPT -A CONNECTION -i lo -j ACCEPT
-A CONNECTION -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SERVICE -p tcp --dport 25 -j ACCEPT -A SERVICE -p tcp --dport 25 -j ACCEPT
-A SERVICE -p tcp --dport 80 -j ACCEPT -A SERVICE -p tcp --dport 80 -j ACCEPT
-A SERVICE -p tcp --dport 143 -j ACCEPT -A SERVICE -p tcp --dport 143 -j ACCEPT
-A SERVICE -p tcp --dport 443 -j ACCEPT -A SERVICE -p tcp --dport 443 -j ACCEPT
-A SERVICE -p tcp --dport 22222 -j ACCEPT
-A SERVICE -p udp --dport 53 -j ACCEPT -A SERVICE -p udp --dport 53 -j ACCEPT
COMMIT COMMIT
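Review bot: The new `-A SERVICE -p tcp --dport 22222 -j ACCEPT` opens 22222 to every source unconditionally; if that is where sshd now listens the knock sequence this commit adds never gates it, and if it is a knock or secondary port the line should say so with `-m comment --comment "..."` as blackwhite.rules does. The merged CONNECTION chain also passes everything that is not RELATED,ESTABLISHED on to SERVICE, so out-of-window and malformed packets reach the port rules; add `-A CONNECTION -m conntrack --ctstate INVALID -j DROP` before the ESTABLISHED rule and prefer `-m conntrack --ctstate` over the older `-m state` alias. Under the INPUT DROP policy no ICMP is accepted at all (echo-request included), which may be intended but deserves a comment. Nothing in this change restores an ip6tables counterpart, so if the host has IPv6 these services are unfiltered there (inferred, not visible in the diff).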


@ -1,8 +0,0 @@
create local hash:net
create whitelist hash:net
create blacklist hash:net
add local 127.0.0.0/8
add local 10.0.0.0/8
add local 172.16.0.0/12
add local 192.168.0.0/16


@ -1,13 +0,0 @@
[Unit]
Description=ipset
Before=network-pre.target iptables.service
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=ipset restore -f /etc/ipset.rules
ExecStop=ipset save -f /etc/ipset.rules ; ipset destroy
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target