Compare commits
1 Commits
b921c2df14
...
46d73724bb
Author | SHA1 | Date |
---|---|---|
Adrian | 46d73724bb |
|
@ -1,9 +1,10 @@
|
||||||
# Iptables
|
# Iptables
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
sudo cp *.rules /etc
|
sudo cp default.rules empty.rules /etc
|
||||||
sudo cp *.service /etc/systemd/system
|
sudo cp *.service /etc/systemd/system
|
||||||
sudo systemctl enable iptables
|
sudo systemctl enable iptables
|
||||||
|
sudo systemctl start iptables
|
||||||
```
|
```
|
||||||
|
|
||||||
## Apply and Report Rate Limits
|
## Apply and Report Rate Limits
|
||||||
|
@ -12,5 +13,7 @@ The `ratelimit.rules` file adds new chains to
|
||||||
limit the rate of new connections based on /16 subnets.
|
limit the rate of new connections based on /16 subnets.
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
sudo iptables-restore -n < ratelimit.rules
|
sudo iptables-restore -n blackwhite.rules
|
||||||
|
sudo iptables-restore -n ratelimit.rules
|
||||||
|
sudo iptables-restore -n knock.rules
|
||||||
```
|
```
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
*raw
|
||||||
|
:BLACKLIST -
|
||||||
|
:WHITELIST -
|
||||||
|
|
||||||
|
-A PREROUTING -j BLACKLIST
|
||||||
|
-A PREROUTING -j WHITELIST
|
||||||
|
|
||||||
|
-A BLACKLIST -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
|
||||||
|
-A BLACKLIST -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
|
||||||
|
|
||||||
|
-A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
|
||||||
|
-A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
|
||||||
|
-A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
|
||||||
|
-A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
|
||||||
|
|
||||||
|
COMMIT
|
|
@ -5,8 +5,8 @@ Wants=network-pre.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
ExecStart=iptables-restore /etc/default.rules
|
ExecStart=iptables-restore -c /etc/default.rules
|
||||||
ExecStop=iptables-restore /etc/empty.rules
|
ExecStop=iptables-save -c -f /etc/default.rules ; iptables-restore /etc/empty.rules
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
*raw
|
||||||
|
:KNOCK -
|
||||||
|
|
||||||
|
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j KNOCK
|
||||||
|
|
||||||
|
-A KNOCK -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --reap --name SSHOK -j RETURN
|
||||||
|
-A KNOCK -p tcp -m tcp --dport 22222 -m recent --set --name SSHOK -j DROP
|
||||||
|
-A KNOCK -p tcp -m tcp --dport 22 -j DROP
|
||||||
|
|
||||||
|
COMMIT
|
|
@ -1,23 +1,10 @@
|
||||||
*raw
|
*raw
|
||||||
:BLOCK -
|
|
||||||
:RATELIMIT -
|
:RATELIMIT -
|
||||||
:WHITELIST -
|
|
||||||
|
|
||||||
-A PREROUTING -j WHITELIST
|
|
||||||
-A PREROUTING -j BLOCK
|
|
||||||
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
|
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
|
||||||
|
|
||||||
-A BLOCK -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
|
|
||||||
-A BLOCK -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
|
|
||||||
|
|
||||||
-A RATELIMIT -p tcp -m tcp --dport 22222 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name ratelimit-ssh --hashlimit-srcmask 16 -j DROP
|
|
||||||
-A RATELIMIT -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-smtp --hashlimit-srcmask 16 -j DROP
|
-A RATELIMIT -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-smtp --hashlimit-srcmask 16 -j DROP
|
||||||
-A RATELIMIT -p tcp -m tcp --dport 143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-imap --hashlimit-srcmask 16 -j DROP
|
-A RATELIMIT -p tcp -m tcp --dport 143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-imap --hashlimit-srcmask 16 -j DROP
|
||||||
-A RATELIMIT -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 16 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-other --hashlimit-srcmask 16 -j DROP
|
-A RATELIMIT -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 16 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-other --hashlimit-srcmask 16 -j DROP
|
||||||
|
|
||||||
-A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
|
|
||||||
-A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
|
|
||||||
-A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
|
|
||||||
-A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
|
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|
|
@ -1,9 +1,7 @@
|
||||||
UseDNS no
|
UseDNS no
|
||||||
Port 22222
|
|
||||||
AllowUsers sshlogin git backup-*
|
AllowUsers sshlogin git backup-*
|
||||||
ClientAliveInterval 10
|
ClientAliveInterval 10
|
||||||
|
|
||||||
LoginGraceTime 10
|
|
||||||
MaxAuthTries 2
|
MaxAuthTries 2
|
||||||
|
|
||||||
Match User backup-*
|
Match User backup-*
|
||||||
|
|
Loading…
Reference in New Issue