adrian
/
config
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: adrian:1de855304e54b339b087c6a8665b28a97de12459
Branches Tags
adrian:master
...
compare: adrian:f74b8e66c002f5b69a1b81b6f60429818a4ab293
Branches Tags
adrian:master

1 Commits
1de855304e ... f74b8e66c0

Author SHA1 Message Date
Adrian f74b8e66c0 Update Firewall rules 2021-04-09 01:28:01 +02:00
4 changed files with 12 additions and 16 deletions
Show Stats Expand all files Collapse all files

2
iptables/blackwhite.rules
View File

@ -6,8 +6,6 @@
-A PREROUTING -j BLACKLIST -A PREROUTING -j BLACKLIST
-A BLACKLIST -m set --match-set blacklist src -j DROP -A BLACKLIST -m set --match-set blacklist src -j DROP
-A WHITELIST -m set --match-set local src -j ACCEPT
-A WHITELIST -m set --match-set whitelist src -j ACCEPT -A WHITELIST -m set --match-set whitelist src -j ACCEPT
COMMIT COMMIT

13
iptables/ipset.rules
View File

@ -1,8 +1,7 @@
create local hash:net create whitelist hash:net comment
create whitelist hash:net create blacklist hash:net comment
create blacklist hash:net
add local 127.0.0.0/8 add whitelist 127.0.0.0/8 comment local
add local 10.0.0.0/8 add whitelist 10.0.0.0/8 comment local
add local 172.16.0.0/12 add whitelist 172.16.0.0/12 comment local
add local 192.168.0.0/16 add whitelist 192.168.0.0/16 comment local

10
iptables/knock.rules
View File

@ -1,10 +1,10 @@
*raw *raw
:KNOCK - :PORTKNOCK -
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j KNOCK -A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j PORTKNOCK
-A KNOCK -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --reap --name SSHOK -j RETURN -A PORTKNOCK -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --reap --name SSHOK -j RETURN
-A KNOCK -p tcp -m tcp --dport 22222 -m recent --set --name SSHOK -j DROP -A PORTKNOCK -p tcp -m tcp --dport 22222 -m recent --set --name SSHOK -j DROP
-A KNOCK -p tcp -m tcp --dport 22 -j DROP -A PORTKNOCK -p tcp -m tcp --dport 22 -j DROP
COMMIT COMMIT

3
iptables/ratelimit.rules
View File

@ -3,8 +3,7 @@
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j RATELIMIT -A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
-A RATELIMIT -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-smtp --hashlimit-srcmask 16 -j DROP -A RATELIMIT -p tcp -m multiport --dports 25,143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-mail --hashlimit-srcmask 16 -j DROP
-A RATELIMIT -p tcp -m tcp --dport 143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-imap --hashlimit-srcmask 16 -j DROP
-A RATELIMIT -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 16 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-other --hashlimit-srcmask 16 -j DROP -A RATELIMIT -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 16 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-other --hashlimit-srcmask 16 -j DROP
COMMIT COMMIT