# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
# security table: no rules; every built-in chain keeps its ACCEPT policy,
# so this table is a no-op for packet flow.
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Jun 20 20:34:21 2019
# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
# raw table: no rules, so nothing is exempted from connection tracking
# (the filter table below relies on conntrack via -m state).
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Jun 20 20:34:21 2019
# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
# nat table: no rules; this host performs no address or port translation.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Jun 20 20:34:21 2019
# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
# mangle table: no rules; packets are not marked or rewritten before the
# filter table sees them.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Jun 20 20:34:21 2019
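# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
# filter table: default-deny on INPUT, FORWARD and OUTPUT. Traffic is only
# admitted by the per-service chains jumped to from INPUT/OUTPUT below;
# anything that falls through is logged and then hits the DROP policy.
#
# Naming: cli_<svc>_out opens a connection from this host to a remote
# service and cli_<svc>_in admits the matching reply; srv_<svc>_in/_out
# are the mirror image for services this host would offer. Only the
# cli_* chains, blocker and srv_icmp are referenced from INPUT/OUTPUT;
# the remaining srv_* chains (db, dhcp, dns, git, http, https, rip, ssh)
# are defined but never jumped to, so they have no effect until wired in.
#
# Reviewer changes relative to the saved ruleset (each marked inline):
#   - OUTPUT: the duplicate jump to cli_git_out now jumps to cli_http_out.
#   - cli_dns_in: UDP replies are now restricted to ESTABLISHED.
#   - srv_ssh_in: the xt_recent rate-limit rules are reordered and
#     restricted to NEW so they limit new connections rather than
#     dropping established sessions.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:blocker - [0:0]
:cli_dns_in - [0:0]
:cli_dns_out - [0:0]
:cli_ftp_in - [0:0]
:cli_ftp_out - [0:0]
:cli_git_in - [0:0]
:cli_git_out - [0:0]
:cli_gpg_in - [0:0]
:cli_gpg_out - [0:0]
:cli_http_in - [0:0]
:cli_http_out - [0:0]
:cli_https_in - [0:0]
:cli_https_out - [0:0]
:cli_irc_in - [0:0]
:cli_irc_out - [0:0]
:cli_pops_in - [0:0]
:cli_pops_out - [0:0]
:cli_smtps_in - [0:0]
:cli_smtps_out - [0:0]
:cli_ssh_in - [0:0]
:cli_ssh_out - [0:0]
:srv_db_in - [0:0]
:srv_db_out - [0:0]
:srv_dhcp - [0:0]
:srv_dns_in - [0:0]
:srv_dns_out - [0:0]
:srv_git_in - [0:0]
:srv_git_out - [0:0]
:srv_http_in - [0:0]
:srv_http_out - [0:0]
:srv_https_in - [0:0]
:srv_https_out - [0:0]
:srv_icmp - [0:0]
:srv_rip - [0:0]
:srv_ssh_in - [0:0]
:srv_ssh_out - [0:0]
# Loopback: only 127/8 <-> 127/8 is accepted. A local process that talks to
# the host's own wlp9s0 address also goes over lo but does not match here,
# so it ends up logged and dropped by the policy -- presumably intentional;
# confirm if local services are reached by interface address.
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# blocker runs before any service chain so malformed and scan-style packets
# are dropped regardless of which port they target.
-A INPUT -j blocker
# Replies for the client-side services this host uses, wlp9s0 only.
-A INPUT -i wlp9s0 -j cli_dns_in
-A INPUT -i wlp9s0 -j cli_http_in
-A INPUT -i wlp9s0 -j cli_https_in
-A INPUT -i wlp9s0 -j cli_git_in
-A INPUT -i wlp9s0 -j cli_ssh_in
-A INPUT -i wlp9s0 -j srv_icmp
-A INPUT -i wlp9s0 -j cli_pops_in
-A INPUT -i wlp9s0 -j cli_smtps_in
-A INPUT -i wlp9s0 -j cli_irc_in
-A INPUT -i wlp9s0 -j cli_ftp_in
-A INPUT -i wlp9s0 -j cli_gpg_in
# Catch-all logging before the DROP policy. Unlike the blocker chain these
# LOG rules carry no -m limit, so unsolicited traffic volume maps directly
# onto kernel log volume; add a limit if log flooding becomes a concern.
-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -j blocker
-A OUTPUT -o wlp9s0 -j cli_dns_out
-A OUTPUT -o wlp9s0 -j cli_https_out
-A OUTPUT -o wlp9s0 -j cli_ssh_out
-A OUTPUT -o wlp9s0 -j cli_git_out
# Was a second, identical jump to cli_git_out. cli_http_out is defined but
# was never referenced, while INPUT already admits HTTP replies through
# cli_http_in, so the duplicate is taken to be a typo for cli_http_out.
-A OUTPUT -o wlp9s0 -j cli_http_out
-A OUTPUT -o wlp9s0 -j srv_icmp
-A OUTPUT -o wlp9s0 -j cli_pops_out
-A OUTPUT -o wlp9s0 -j cli_smtps_out
-A OUTPUT -o wlp9s0 -j cli_irc_out
-A OUTPUT -o wlp9s0 -j cli_ftp_out
-A OUTPUT -o wlp9s0 -j cli_gpg_out
# Broad stateless egress: any UDP from a high port to a high port leaves
# unlogged. The --sport upper bound 65511 looks like a typo for 65535 but
# is kept as found; confirm which application this rule exists for.
-A OUTPUT -o wlp9s0 -p udp -m udp --sport 1024:65511 --dport 1024:65535 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
# blocker: drops NEW TCP connections that do not start with a bare SYN,
# fragments, and invalid/scan flag combinations. Each LOG is rate-limited
# (5/min, burst 7) so a scan cannot flood the log; the DROP that follows
# is unconditional. The three DROPs without a preceding LOG (FIN,PSH,URG;
# all-flags; all-but-PSH) are silent by design of the original ruleset.
# The "drop syn rst syn rs" prefix is iptables' 29-character truncation of
# the original text, not a typo introduced here.
-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
-A blocker -f -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A blocker -j RETURN
# cli_dns: UDP queries out to port 53 and their replies back in. The reply
# rule is restricted to ESTABLISHED so only answers to a query this host
# sent (tracked by conntrack from cli_dns_out) are admitted. The saved
# rule was stateless and accepted any UDP datagram with source port 53
# to any high port, i.e. a source-port-53 bypass of the INPUT policy.
-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_dns_in -j RETURN
-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A cli_dns_out -j RETURN
# cli_ftp: control channel on 21, active-mode data from server port 20,
# passive-mode data on high ports (RELATED relies on the ftp conntrack
# helper being loaded; nothing in this table loads or checks for it).
-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_ftp_in -j RETURN
-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A cli_ftp_out -j RETURN
# cli_git: git:// protocol, TCP 9418.
-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_git_in -j RETURN
-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_git_out -j RETURN
# cli_gpg: HKP keyserver lookups, TCP 11371 (plaintext; HKPS on 443 is
# covered by cli_https).
-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_gpg_in -j RETURN
-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_gpg_out -j RETURN
# cli_http / cli_https: TCP plus UDP on the same ports -- the UDP rules
# presumably exist for QUIC/HTTP-3; confirm they are still needed.
-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_http_in -j RETURN
-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_http_out -j RETURN
-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_https_in -j RETURN
-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_https_out -j RETURN
# cli_irc: plaintext IRC on 6667 only; TLS IRC (6697) is not opened.
-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_irc_in -j RETURN
-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_irc_out -j RETURN
# cli_pops / cli_smtps: POP3 over TLS (995) and SMTP over TLS (465).
-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_pops_in -j RETURN
-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_pops_out -j RETURN
-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_smtps_in -j RETURN
-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_smtps_out -j RETURN
# cli_ssh: outbound SSH to 22 and to the alternate port 2222.
-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A cli_ssh_in -j RETURN
-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A cli_ssh_out -j RETURN
# srv_* chains below are not referenced from INPUT/OUTPUT (see header).
# srv_db: PostgreSQL (5432) served to any source -- unrestricted by address.
-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
-A srv_db_in -j RETURN
-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A srv_db_out -j RETURN
# srv_dhcp: stateless, both directions of DHCP (67/68).
-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT
-A srv_dhcp -j RETURN
# srv_dns: authoritative/recursive DNS on 53, UDP and TCP.
-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A srv_dns_in -j RETURN
-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A srv_dns_out -j RETURN
# srv_git / srv_http / srv_https: serving git://, HTTP and HTTPS.
-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
-A srv_git_in -j RETURN
-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A srv_git_out -j RETURN
-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A srv_http_in -j RETURN
-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A srv_http_out -j RETURN
-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A srv_https_in -j RETURN
-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A srv_https_out -j RETURN
# srv_icmp: all ICMP types accepted in both directions, without state or
# rate limiting. Consider restricting to the types actually needed
# (echo, destination-unreachable, time-exceeded) and adding -m limit.
-A srv_icmp -p icmp -j ACCEPT
-A srv_icmp -j RETURN
# srv_rip: RIP routing updates, UDP 520 <-> 520.
-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT
-A srv_rip -j RETURN
# srv_ssh_in: inbound SSH on 2222 and 22 with a per-source limit of four
# new connections per 60 s via xt_recent. Rule order matters: the
# hitcount check must precede the rule that records the hit and ACCEPTs,
# and all three must be restricted to NEW. The saved ruleset had the
# --set/ACCEPT rule first, so every new connection was accepted before
# being counted, and its --update rules were not limited to NEW, so once
# a source had four recent hits the packets of its ESTABLISHED sessions
# were logged and dropped instead of its fifth connection attempt.
# The LOG rule is rate-limited to match the blocker chain's convention.
-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "BLOCKED IP DROP SSH"
-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "BLOCKED IP DROP SSH"
-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT
-A srv_ssh_in -j RETURN
-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A srv_ssh_out -j RETURN
COMMIT
# Completed on Thu Jun 20 20:34:21 2019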