Anycast DNS PfSense
by Kenneth Holmqvist
```sh
## Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
## Allow traffic to and from the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## Allow outbound connections (and the replies to them)
## (-m state still works, but is a compatibility alias for -m conntrack --ctstate)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Allow others to ping this machine
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Rate limit incoming SSH connections: once a source has four --set stamps
## within 60 seconds, its next new connection is dropped
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
## Save rules on Debian/Ubuntu
apt install iptables-persistent
netfilter-persistent save
## Save rules on RHEL (RHEL 7 and later need the iptables-services package for this)
chkconfig iptables on
service iptables save
```

```sh
curl -O https://test.example.com/madplan.json
curl -O -L http://test.example.com/madplan.json # -L follows redirects; here the http request is redirected to https (the first request still goes out in plaintext)
curl -o test.json https://test.example.com/test.json # Saves the file as test.json
## Useful when the server is hosting multiple domains (name-based virtual hosts)
curl -H "Host: test.example.com" http://172.16.0.150
```

This is just a brief overview of the options I'm using every now and then.
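Added example, not code from the original iptables post: a small simulation of the three `-m recent` SSH rules above, following the match logic of the kernel's xt_recent module, so you can see which connection attempt gets dropped without touching a live firewall. The timestamps are constructed seconds. It also models the difference between `--update` (what the post uses) and `--rcheck`, which is the caveat worth knowing: with `--update`, a dropped attempt still records a stamp, so a client that keeps retrying never ages out of the block.

```sh
# Added example (not code from the original post): simulate the xt_recent
# match logic behind the SSH rules. Timestamps are constructed seconds.
#
#   rule 1: --update --seconds 60 --hitcount 4 -j DROP
#           matches if the source already has >= 4 stamps not older than 60 s;
#           on a match, --update ALSO records a new stamp for the source
#   rule 2: --set       records a stamp (reached only if rule 1 did not match)
#   rule 3: ACCEPT
#
# MODE "update" models the rules as written; MODE "rcheck" models what changes
# if rule 1 used --rcheck instead (a dropped attempt then records no stamp).

WINDOW=60     # --seconds
HITCOUNT=4    # --hitcount
LIST_MAX=20   # xt_recent ip_pkt_list_tot default: the oldest stamp is overwritten

# count_recent "STAMPS" NOW -> how many stamps fall inside the window
count_recent() {
    hits=0
    for s in $1; do
        if [ $(( $2 - $s )) -le "$WINDOW" ]; then
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# push_stamp "STAMPS" NOW -> STAMPS with NOW appended, at most LIST_MAX entries
push_stamp() {
    new="$1 $2"
    n=0
    for s in $new; do n=$((n + 1)); done
    while [ "$n" -gt "$LIST_MAX" ]; do
        new="${new#* }"      # drop the oldest stamp
        n=$((n - 1))
    done
    echo "${new# }"
}

# simulate_ssh MODE "T1 T2 ..." -> one verdict per new connection, space separated
simulate_ssh() {
    mode="$1"
    stamps=""
    verdicts=""
    for now in $2; do
        if [ "$(count_recent "$stamps" "$now")" -ge "$HITCOUNT" ]; then
            verdicts="$verdicts DROP"
            if [ "$mode" = update ]; then
                stamps="$(push_stamp "$stamps" "$now")"   # --update refreshes on match
            fi
        else
            verdicts="$verdicts ACCEPT"
            stamps="$(push_stamp "$stamps" "$now")"       # --set
        fi
    done
    echo "${verdicts# }"
}

# Four attempts within 60 s are accepted, the fifth is dropped:
simulate_ssh update "0 10 20 30 40"
# A client retrying every 15 s never gets back in with --update, because each
# dropped attempt adds a stamp; with --rcheck it is let in again once the old
# stamps have aged out of the window:
simulate_ssh update "0 10 20 30 40 55 70 85 100"
simulate_ssh rcheck "0 10 20 30 40 55 70 85 100"
```

If you want a client that backs off to be unblocked after 60 seconds of silence, `--rcheck` is the match to use; `--update` is the right choice when you want a source that keeps hammering to stay locked out for as long as it does so.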
Here are some configuration examples from a VRRP (Virtual Router Redundancy Protocol) experiment I did. It is used to create a highly available DNS resolver with Unbound. I used RHEL 8 as my distribution of choice, but I'm sure this can be used on any RHEL derivative or Linux distribution.
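Added example, not the configuration from the original post: the pieces that let two Unbound resolvers share one VRRP virtual IP with keepalived, which is the usual VRRP daemon on RHEL 8. Everything concrete here is an assumption (the 192.0.2.0/24 network, the 192.0.2.53 VIP, router id 53, interface eth0), and the health check assumes `unbound-control-setup` has been run so that `unbound-control status` works. The functions print the files so both nodes can be rendered from one script; only the VRRP state and priority differ between them.

```sh
# Added example (not the original post's configuration): render keepalived,
# Unbound and firewall fragments for a two-node VRRP DNS resolver pair.
# All addresses, names and ids below are assumptions; change them for your LAN.

VIP="192.0.2.53"       # the address clients put in /etc/resolv.conf
LAN="192.0.2.0/24"
VRID="53"              # identical on both nodes, unique per LAN segment
IFACE="eth0"

# render_keepalived STATE PRIORITY -> /etc/keepalived/keepalived.conf for one node.
# Only STATE and PRIORITY differ between the nodes (MASTER/150 vs BACKUP/100).
render_keepalived() {
    cat <<EOF
vrrp_script chk_unbound {
    # give up the VIP when the local resolver stops answering unbound-control
    # (assumes unbound-control-setup has generated the control keys)
    script "/usr/sbin/unbound-control status"
    interval 2
    fall 2
    rise 2
}

vrrp_instance DNS_VIP {
    state $1
    interface $IFACE
    virtual_router_id $VRID
    priority $2
    advert_int 1
    virtual_ipaddress {
        $VIP/32 dev $IFACE
    }
    track_script {
        chk_unbound
    }
}
EOF
}

# render_unbound -> the server section both nodes share. The BACKUP node does
# not hold the VIP, so ip-freebind lets Unbound bind it anyway and be ready
# the moment VRRP moves the address over.
render_unbound() {
    cat <<EOF
server:
    interface: 127.0.0.1
    interface: $VIP
    ip-freebind: yes
    access-control: 127.0.0.0/8 allow
    access-control: $LAN allow
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
EOF
}

# render_firewall -> rules to add on top of an INPUT-DROP policy like the one in
# the iptables post: VRRP advertisements (IP protocol 112 to 224.0.0.18) from
# the LAN, and DNS from the LAN. VRRPv2 has no real authentication, so keeping
# protocol 112 restricted to the local segment is the only protection you get.
render_firewall() {
    cat <<EOF
iptables -A INPUT -i $IFACE -p 112 -s $LAN -d 224.0.0.18 -j ACCEPT
iptables -A INPUT -i $IFACE -p udp -s $LAN --dport 53 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp -s $LAN --dport 53 -j ACCEPT
EOF
}

render_keepalived MASTER 150
render_unbound
render_firewall
```

Run `render_keepalived BACKUP 100` on the second node; everything else is identical on both. Because both nodes listen on the VIP with `ip-freebind`, a failover only changes which host receives the traffic, and the `chk_unbound` script makes sure a node whose resolver has died also gives up the address instead of blackholing queries.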
I have a few CentOS machines that need to be converted to RHEL, and that can be done using the convert2rhel script. However, I'm running CentOS 8 Stream, which can't be converted to RHEL 8, so I have to do a downgrade to CentOS 8 first.