Improve iptables and add port knocking for SSH

2020-05-25 00:53:28 +02:00
6 changed files with 33 additions and 19 deletions
--- a/iptables/README.md
+++ b/iptables/README.md
@ -1,9 +1,10 @@
 # Iptables
 ```sh
-sudo cp *.rules /etc
+sudo cp default.rules empty.rules /etc
 sudo cp *.service /etc/systemd/system
 sudo systemctl enable iptables
 sudo systemctl start iptables
 ```
 ## Apply and Report Rate Limits
@ -12,5 +13,7 @@ The `ratelimit.rules` file adds new chains to
 limit the rate of new connections based on /16 subnets.
 ```sh
-sudo iptables-restore -n < ratelimit.rules
+sudo iptables-restore -n blackwhite.rules
 sudo iptables-restore -n knock.rules
 sudo iptables-restore -n ratelimit.rules
 ```
--- a/iptables/blackwhite.rules
+++ b/iptables/blackwhite.rules
@ -0,0 +1,16 @@
 *raw
 :BLACKLIST -
 :WHITELIST -
 -A PREROUTING -j BLACKLIST
 -A PREROUTING -j WHITELIST
 -A BLACKLIST -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
 -A BLACKLIST -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
 -A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
 -A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
 -A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
 -A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
 COMMIT
--- a/iptables/iptables.service
+++ b/iptables/iptables.service
@ -5,8 +5,8 @@ Wants=network-pre.target
 [Service]
 Type=oneshot
-ExecStart=iptables-restore /etc/default.rules
+ExecStart=iptables-restore -c /etc/default.rules
-ExecStop=iptables-restore /etc/empty.rules
+ExecStop=iptables-save -c -f /etc/default.rules ; iptables-restore /etc/empty.rules
 RemainAfterExit=yes
 [Install]
--- a/iptables/knock.rules
+++ b/iptables/knock.rules
@ -0,0 +1,10 @@
 *raw
 :KNOCK -
 -A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j KNOCK
 -A KNOCK -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --reap --name SSHOK -j RETURN
 -A KNOCK -p tcp -m tcp --dport 22222 -m recent --set --name SSHOK -j DROP
 -A KNOCK -p tcp -m tcp --dport 22 -j DROP
 COMMIT
--- a/iptables/ratelimit.rules
+++ b/iptables/ratelimit.rules
@ -1,23 +1,10 @@
 *raw
 :BLOCK -
 :RATELIMIT -
 :WHITELIST -
 -A PREROUTING -j WHITELIST
 -A PREROUTING -j BLOCK
 -A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
 -A BLOCK -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
 -A BLOCK -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
 -A RATELIMIT -p tcp -m tcp --dport 22222 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name ratelimit-ssh --hashlimit-srcmask 16 -j DROP
 -A RATELIMIT -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-smtp --hashlimit-srcmask 16 -j DROP
 -A RATELIMIT -p tcp -m tcp --dport 143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-imap --hashlimit-srcmask 16 -j DROP
 -A RATELIMIT -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 16 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-other --hashlimit-srcmask 16 -j DROP
 -A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
 -A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
 -A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
 -A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
 COMMIT
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@ -1,9 +1,7 @@
 UseDNS no
 Port 22222
 AllowUsers sshlogin git backup-*
 ClientAliveInterval 10
 LoginGraceTime 10
 MaxAuthTries 2
 Match User backup-*