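#!/usr/bin/env bash
## Host firewall and kernel network hardening snippets.
## Run as root, top to bottom. The iptables rules below are IPv4 only; an
## IPv6-capable host needs equivalent ip6tables rules, otherwise IPv6 traffic
## stays unfiltered. Pick ONE of the two "Save rules" sections for your distro.

## Set default policies (deny everything not explicitly allowed below)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
## Allow traffic to and from the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## Allow outbound connections and the replies to them
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Allow others to ping this machine (ICMP type 8 = echo-request)
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Ratelimit incoming SSH connections: a source that opens more than 4 new
## connections within 60 seconds is dropped. Rule order matters: the DROP rule
## consults the "recent" list, the --set rule records the source address, and
## only then is the connection accepted. Without the --set rule the list is
## never populated and the limit never triggers.
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
## Save rules on Debian/Ubuntu (the package install asks whether to save the
## current rules; answering yes or running the save command afterwards both work)
apt install iptables-persistent
netfilter-persistent save
## Save rules on RHEL (init-style persistence; on newer releases these commands
## are provided by the iptables-services package)
chkconfig iptables on
service iptables save

## General network settings
## `sysctl -w` changes the running kernel only; to keep the settings across
## reboots, put the same key=value lines into a file under /etc/sysctl.d/.
## "all" keys apply to every existing interface, "default" keys are inherited
## by interfaces created later.

## Ignore ICMP echo and timestamp requests sent to broadcast or multicast
## addresses, so the host cannot be used to amplify replies toward a third
## party. Unicast pings are still answered by the INPUT rule above.
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
## Drop source routed packets. Source routing allows a sender to partially or
## fully specify the route packets take through a network; non-source routed
## packets travel a path determined by routers in the network.
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv6.conf.all.accept_source_route=0
sysctl -w net.ipv6.conf.default.accept_source_route=0
## Enable TCP SYN cookies. A SYN flood tries to exhaust the listen backlog by
## sending many SYN packets without completing the three-way handshake; with
## cookies the kernel can keep accepting legitimate connections under flood.
sysctl -w net.ipv4.tcp_syncookies=1
## Don't accept ICMP redirect messages. Bogus redirects could alter the
## system routing tables, sending packets to the wrong network where they
## can be captured.
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.default.accept_redirects=0
## Don't send ICMP redirect messages (this host is not a router).
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
## Enable Reverse Path Filtering (1 = strict): a packet is dropped if the
## reply to its source address would not leave through the interface it
## arrived on. Hosts with asymmetric routing may need loose mode (2) instead.
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
## Log packets with impossible source addresses ("martians"), so rp_filter
## drops and spoofed sources show up in the kernel log
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1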