From 1de855304e54b339b087c6a8665b28a97de12459 Mon Sep 17 00:00:00 2001
From: Adrian
Date: Fri, 9 Apr 2021 01:28:01 +0200
Subject: [PATCH] Update Firewall rules
---
 iptables/blackwhite.rules | 2 --
 iptables/ipset.rules | 13 ++++++-------
 iptables/knock.rules | 10 +++++-----
 iptables/ratelimit.rules | 3 +--
 4 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/iptables/blackwhite.rules b/iptables/blackwhite.rules
index 1b4f276..4d4a515 100644
--- a/iptables/blackwhite.rules
+++ b/iptables/blackwhite.rules
@@ -6,8 +6,6 @@
 -A PREROUTING -j BLACKLIST
 -A BLACKLIST -m set --match-set blacklist src -j DROP
-
--A WHITELIST -m set --match-set local src -j ACCEPT
 -A WHITELIST -m set --match-set whitelist src -j ACCEPT
 COMMIT
diff --git a/iptables/ipset.rules b/iptables/ipset.rules
index 91b5d4f..ad6b617 100644
--- a/iptables/ipset.rules
+++ b/iptables/ipset.rules
@@ -1,8 +1,7 @@
-create local hash:net
-create whitelist hash:net
-create blacklist hash:net
+create whitelist hash:net comment
+create blacklist hash:net comment
-add local 127.0.0.0/8
-add local 10.0.0.0/8
-add local 172.16.0.0/12
-add local 192.168.0.0/16
+add whitelist 127.0.0.0/8 comment local
+add whitelist 10.0.0.0/8 comment local
+add whitelist 172.16.0.0/12 comment local
+add whitelist 192.168.0.0/16 comment local
diff --git a/iptables/knock.rules b/iptables/knock.rules
index 12baa08..bc31e57 100644
--- a/iptables/knock.rules
+++ b/iptables/knock.rules
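Review bot: Folding 127.0.0.0/8 and the RFC1918 ranges into `whitelist` puts them in a set that blackwhite.rules matches purely on source address (`--match-set whitelist src`), and a source address is trivially forged, so a SYN carrying a spoofed 10.x or 127.x source now takes whatever ACCEPT path the WHITELIST chain feeds, exactly like a genuine admin host. 127.0.0.0/8 is never a legitimate source on a non-loopback interface; the kernel's martian filtering will usually catch it, but the rule set itself no longer distinguishes it from routable trusted hosts. If anything manages `whitelist` dynamically (an `ipset flush whitelist`, or a script that adds and removes admin IPs), the local ranges now go with it, which the old separate `local` set avoided — the `comment local` tag makes them identifiable but does not protect them. Consider keeping a separate `local` set that only interface-bound rules (`-i lo`, the LAN interface) consume, and in any case add a header to this file such as `# whitelist: trusted sources matched on src only (spoofable); loopback/RFC1918 entries tagged "local" are reloaded with this file and must not be flushed at runtime`.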
@@ -1,10 +1,10 @@
 *raw
-:KNOCK -
+:PORTKNOCK -
--A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j KNOCK
+-A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j PORTKNOCK
--A KNOCK -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --reap --name SSHOK -j RETURN
--A KNOCK -p tcp -m tcp --dport 22222 -m recent --set --name SSHOK -j DROP
--A KNOCK -p tcp -m tcp --dport 22 -j DROP
+-A PORTKNOCK -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 300 --reap --name SSHOK -j RETURN
+-A PORTKNOCK -p tcp -m tcp --dport 22222 -m recent --set --name SSHOK -j DROP
+-A PORTKNOCK -p tcp -m tcp --dport 22 -j DROP
 COMMIT
diff --git a/iptables/ratelimit.rules b/iptables/ratelimit.rules
index 39af6c6..dede828 100644
--- a/iptables/ratelimit.rules
+++ b/iptables/ratelimit.rules
@@ -3,8 +3,7 @@
 -A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
--A RATELIMIT -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-smtp --hashlimit-srcmask 16 -j DROP
--A RATELIMIT -p tcp -m tcp --dport 143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-imap --hashlimit-srcmask 16 -j DROP
+-A RATELIMIT -p tcp -m multiport --dports 25,143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-mail --hashlimit-srcmask 16 -j DROP
 -A RATELIMIT -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 16 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-other --hashlimit-srcmask 16 -j DROP
 COMMIT
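Review bot: Widening `--seconds 30` to `--seconds 300` on the `--dport 22 ... --rcheck` line makes this single-port knock much easier to stumble into: any host that sends one SYN to 22222 — a port scanner sweeping upward included — now has a five-minute window in which a retry against 22 is passed through, and every further SYN to 22222 refreshes the entry because `--set` updates an address that is already listed. xt_recent also keeps only 100 addresses per list by default (`ip_list_tot`) and recycles the oldest when full, so with a longer window an attacker knocking from many spoofed sources can push a legitimate admin's entry out before the SSH connection follows; unless the module is loaded with a larger table, the 30 s window was the more forgiving setting here. If 300 s is genuinely needed, record why with a comment above the rule (iptables-restore accepts `#` lines), e.g. `# SSHOK entries live 300s after the last SYN to 22222; list size is bounded by xt_recent ip_list_tot`, and consider adding `--rttl` to the `--rcheck` line so the SYN to 22 must carry the same TTL as the knock that admitted it.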
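Review bot: The merged rule on the `+` line keeps `--hashlimit-mode srcip`, so SMTP and IMAP now draw from a single bucket per source /16 (`ratelimit-mail`) rather than one bucket each as the two removed rules had: a client that opens one SMTP and one IMAP connection from the same /16 spends two of its four permitted new connections per hour, halving the old allowance and making the lockout easier to hit for everyone behind a shared NAT. If the goal was only to deduplicate the rule text, `--hashlimit-mode srcip,dstport` restores per-port buckets while keeping the one rule: `-A RATELIMIT -p tcp -m multiport --dports 25,143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-mail --hashlimit-srcmask 16 -j DROP`. If the shared budget is intended, a `#` comment above the rule saying so would stop the next reader from "fixing" it.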