0% found this document useful (0 votes)
134 views3 pages

All - Linux - Iptables at Master K00lith - All GitHub

This document provides instructions for installing and configuring iptables firewall rules on Linux. It describes downloading and enabling the iptables package, creating an iptables rules file, loading and saving the rules file. The included rules block known scanners and attacks, allow established connections and lo interface, and open ports for SSH, HTTP, and other services. It cautions to change the interface name in the rules to match the system.
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
134 views3 pages

All - Linux - Iptables at Master K00lith - All GitHub

This document provides instructions for installing and configuring iptables firewall rules on Linux. It describes downloading and enabling the iptables package, creating an iptables rules file, loading and saving the rules file. The included rules block known scanners and attacks, allow established connections and lo interface, and open ports for SSH, HTTP, and other services. It cautions to change the interface name in the rules to match the system.
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

k00lith / all Public

Code Issues Pull requests Actions Projects Security Insights


master
all / linux / iptables /

k00lith
Update readme.md … on Dec 12, 2021
History

. .

readme.md 11 months ago

readme.md

DISABLE firewalld:

systemctl stop firewalld

systemctl disable firewalld

INSTALL iptables:

yum -y install iptables-services

systemctl enable iptables.service

systemctl start iptables.service

MAKE iptables FILE IN root DIR (for example)

cd /root/

vi /root/iptables-rules

ACTIVATE:

iptables-restore < iptables-rules

service iptables save

Check:

iptables -n -L -v --line-numbers

RULES:
Attention!

do not forget to change the name of the interface in the rules below to the real interface in the
system. In this line:

-A OUTPUT -o enp0s3 -j ACCEPT

Rules:

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:undef_fw - [0:0]

:undef_in - [0:0]

:undef_out - [0:0]

# Фильтрация по именам сканеров

-I INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP

-I INPUT -p udp --dport 5060 -m string --string "sip-scan" --algo bm -j DROP

-I INPUT -p udp --dport 5060 -m string --string "sundayddr" --algo bm -j DROP

-I INPUT -p udp --dport 5060 -m string --string "iWar" --algo bm -j DROP

-I INPUT -p udp --dport 5060 -m string --string "sipsak" --algo bm -j DROP

-I INPUT -p udp --dport 5060 -m string --string "sipvicious" --algo bm -j DROP

# заблокировать нулевые пакеты

-A INPUT -p tcp --tcp-flags ALL NONE -j DROP


# отразить атаки syn-flood

-A INPUT -p tcp -m state --state NEW --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-re
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# защита от разведывательных пакетов XMAS

-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#MORE-RULES

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -m state --state INVALID -j DROP

-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

#SSH

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 112.76.32.0/19 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 87.0.131.207/32 -j ACCEPT

#HTTPD

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

#SYSLOG

#-A INPUT -p udp -m udp --dport 514 -s 10.20.0.1/32 -j ACCEPT

#-A INPUT -p udp -m udp --dport 514 -s 10.20.0.2/32 -j ACCEPT

#NTP

#-A INPUT -p udp -m udp --dport 123 -s 10.20.0.1/32 -j ACCEPT

#-A INPUT -p udp -m udp --dport 123 -s 10.20.0.2/32 -j ACCEPT

-A INPUT -j undef_in

#OUTPUT

-A OUTPUT -o lo -j ACCEPT

-A OUTPUT -o enp0s3 -j ACCEPT

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

-A OUTPUT -j undef_out

# LAST RULES

-A undef_fw -j LOG --log-prefix "-- FW -- DROP " --log-level 6

-A undef_fw -j DROP

-A undef_in -j LOG --log-prefix "-- IN -- DROP " --log-level 6

-A undef_in -j DROP

-A undef_out -j LOG --log-prefix "-- OUT -- DROP " --log-level 6

-A undef_out -j DROP

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

You might also like