adrian/config
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Compare commits

base: adrian:b921c2df143454b943407eb6c7f51576abc20142
Branches Tags
adrian:master
..
compare: adrian:02a7247fa08abbdb8b919983f973f19ee7a66921
Branches Tags
adrian:master

2 commits
b921c2df14 ... 02a7247fa0

Author SHA1 Message Date
Adrian
02a7247fa0 Use ipset for blacklists and whitelists 2020-07-04 12:50:45 +02:00
Adrian
d991e21fc1 Improve iptables and add port knocking for SSH 2020-07-04 12:14:11 +02:00
6 changed files with 45 additions and 20 deletions
Show stats Expand all files Collapse all files

21
iptables/README.md
View file

@ -1,18 +1,23 @@
# Iptables # iptables & ipset
```sh ```sh
sudo cp default.rules empty.rules /etc sudo apt install ipset
sudo cp *.service /etc/systemd/system
sudo systemctl enable iptables
sudo systemctl start iptables
``` ```
## Apply and Report Rate Limits ```sh
sudo cp empty.rules /etc
sudo touch /etc/{default,ipset}.rules
sudo cp *.service /etc/systemd/system
sudo systemctl enable iptables ipset
sudo systemctl start iptables ipset
```
The `ratelimit.rules` file adds new chains to ## Presets
limit the rate of new connections based on /16 subnets.
```sh ```sh
sudo ipset restore -f ipset.rules
sudo iptables-restore -n connection.rules
sudo iptables-restore -n service.rules
sudo iptables-restore -n blackwhite.rules sudo iptables-restore -n blackwhite.rules
sudo iptables-restore -n knock.rules sudo iptables-restore -n knock.rules
sudo iptables-restore -n ratelimit.rules sudo iptables-restore -n ratelimit.rules

11
iptables/blackwhite.rules
View file

@ -2,15 +2,12 @@
:BLACKLIST - :BLACKLIST -
:WHITELIST - :WHITELIST -
-A PREROUTING -j BLACKLIST
-A PREROUTING -j WHITELIST -A PREROUTING -j WHITELIST
-A PREROUTING -j BLACKLIST
-A BLACKLIST -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP -A BLACKLIST -m set --match-set blacklist src -j DROP
-A BLACKLIST -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
-A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT -A WHITELIST -m set --match-set local src -j ACCEPT
-A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT -A WHITELIST -m set --match-set whitelist src -j ACCEPT
-A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
-A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
COMMIT COMMIT

6
iptables/connection.rules Normal file
View file

@ -0,0 +1,6 @@
*filter
:CONNECTION -
-A INPUT -j CONNECTION
-A CONNECTION -i lo -j ACCEPT
-A CONNECTION -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

8
iptables/ipset.rules Normal file
View file

@ -0,0 +1,8 @@
create local hash:net
create whitelist hash:net
create blacklist hash:net
add local 127.0.0.0/8
add local 10.0.0.0/8
add local 172.16.0.0/12
add local 192.168.0.0/16

13
iptables/ipset.service Normal file
View file

@ -0,0 +1,13 @@
[Unit]
Description=ipset
Before=network-pre.target iptables.service
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=ipset restore -f /etc/ipset.rules
ExecStop=ipset save -f /etc/ipset.rules ; ipset destroy
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

6
iptables/default.rules → iptables/service.rules
View file

@ -1,15 +1,11 @@
*filter *filter
:INPUT DROP :INPUT DROP
:CONNECTION -
:SERVICE - :SERVICE -
-A INPUT -j CONNECTION
-A INPUT -j SERVICE -A INPUT -j SERVICE
-A CONNECTION -i lo -j ACCEPT -A SERVICE -p tcp --dport 22 -j ACCEPT
-A CONNECTION -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SERVICE -p tcp --dport 25 -j ACCEPT -A SERVICE -p tcp --dport 25 -j ACCEPT
-A SERVICE -p tcp --dport 80 -j ACCEPT -A SERVICE -p tcp --dport 80 -j ACCEPT
-A SERVICE -p tcp --dport 143 -j ACCEPT -A SERVICE -p tcp --dport 143 -j ACCEPT
-A SERVICE -p tcp --dport 443 -j ACCEPT -A SERVICE -p tcp --dport 443 -j ACCEPT
-A SERVICE -p tcp --dport 22222 -j ACCEPT
-A SERVICE -p udp --dport 53 -j ACCEPT -A SERVICE -p udp --dport 53 -j ACCEPT
COMMIT COMMIT