Last activity 10 months ago

This iptables firewall script is used to harden a server's network security: it allows legitimate traffic (such as SSH and HTTP/HTTPS) and blocks unauthorized connections, while defending against various attacks (such as brute force, SYN flood, port scanning and DoS). It also logs anomalous traffic for later analysis and saves the rules to /etc/iptables/rules.v4 so that the configuration persists after a reboot. It is suitable for enterprise servers, internal network protection and hardening of personal servers.

timmy revised this gist 10 months ago.

No changes

timmy revised this gist 10 months ago.

No changes

timmy revised this gist 1 year ago.

1 file changed, 50 insertions, 45 deletions

iptables_rules.sh

@@ -1,76 +1,81 @@
1 1 #!/bin/bash
2 2
3 - # Flush all existing rules
3 + # === Basic Settings ===
4 +
5 + # Clear all existing rules
4 6 iptables -F
7 + iptables -X
8 + iptables -Z
5 9
6 - # Set default policies to drop
10 + # Set default policies: drop all incoming and forwarding traffic, allow outgoing
7 11 iptables -P INPUT DROP
8 12 iptables -P FORWARD DROP
9 13 iptables -P OUTPUT ACCEPT
10 14
11 - # Allow established connections
15 + # === Variables ===
16 + TAIWAN_IPSET="taiwan_ips" # Name of the IP set for Taiwan
17 + ALLOWED_SSH_IP="192.168.1.0/24" # Allowed SSH subnet
18 +
19 + # === Basic Allow Rules ===
20 +
21 + # Allow established and related connections
12 22 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established connections"
13 23
14 - # Allow loopback interface traffic
15 - iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback interface"
24 + # Allow loopback (local) traffic
25 + iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow local traffic"
16 26
17 - # Allow SSH traffic (port 22)
18 - # iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Allow SSH"
27 + # === SSH Rules ===
19 28
20 - # Allow SSH traffic only from IPs in the taiwan_ips ipset collection
21 - iptables -A INPUT -p tcp --dport 22 -m set --match-set taiwan_ips src -j ACCEPT -m comment --comment "Allow SSH from Taiwan IPs"
29 + # Allow SSH from Taiwan IP set
30 + iptables -A INPUT -p tcp --dport 22 -m set --match-set $TAIWAN_IPSET src -j ACCEPT -m comment --comment "Allow SSH from Taiwan IPs"
22 31
23 - # Drop SSH traffic from other IPs
24 - iptables -A INPUT -p tcp --dport 22 -j DROP -m comment --comment "Drop SSH from other IPs"
32 + # Allow SSH from allowed internal network
33 + iptables -A INPUT -p tcp --dport 22 -s $ALLOWED_SSH_IP -j ACCEPT -m comment --comment "Allow SSH from internal network"
25 34
35 + # Limit SSH attempts to prevent brute force attacks
36 + iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_bruteforce --set
37 + iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_bruteforce --update --seconds 60 --hitcount 5 -j DROP -m comment --comment "Limit SSH attempts"
26 38
27 - # Allow HTTP traffic (port 80)
28 - # iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
39 + # Drop SSH from other sources
40 + iptables -A INPUT -p tcp --dport 22 -j DROP -m comment --comment "Drop unauthorized SSH traffic"
29 41
30 - # Allow HTTPS traffic (port 443)
31 - # iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
42 + # === HTTP/HTTPS Traffic ===
32 43
33 - # Allow ping traffic
34 - iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow ping"
44 + # Allow HTTP (port 80)
45 + iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP traffic"
35 46
36 - # Block SYN Flood attacks
37 - iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT -m comment --comment "Protect against SYN Flood"
47 + # Allow HTTPS (port 443)
48 + iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS traffic"
38 49
39 - # Block Port Scanning
40 - iptables -A INPUT -p tcp --syn -m recent --name scan --set -m comment --comment "Detect port scans"
41 - iptables -A INPUT -p tcp --syn -m recent --name scan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop port scans"
50 + # === Attack Prevention ===
42 51
43 - # Block DoS attacks
44 - iptables -A INPUT -p tcp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit incoming connections to prevent DoS"
45 - iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP connections to prevent DoS"
46 - iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT -m comment --comment "Limit ICMP requests to prevent DoS"
52 + # Protect against SYN Flood
53 + iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT -m comment --comment "Protect from SYN Flood"
47 54
48 - # Limit UDP traffic to prevent UDP Flood attack
49 - iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP traffic to prevent UDP Flood"
55 + # Detect and drop port scans
56 + iptables -A INPUT -p tcp --syn -m recent --name portscan --set -m comment --comment "Detect port scans"
57 + iptables -A INPUT -p tcp --syn -m recent --name portscan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop port scans"
50 58
51 - # Drop oversized ICMP packets to prevent Ping of Death attack
52 - iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 0:1024 -j ACCEPT -m comment --comment "Drop oversized ICMP packets"
59 + # Limit TCP, UDP, and ICMP traffic to prevent DoS attacks
60 + iptables -A INPUT -p tcp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit TCP traffic for DoS"
61 + iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP traffic for DoS"
62 + iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT -m comment --comment "Limit ICMP requests for DoS"
53 63
54 - # Drop packets with a source address equal to the broadcast address
55 - iptables -A INPUT -p icmp --icmp-type echo-request -s 255.255.255.255 -j DROP -m comment --comment "Drop ICMP packets with broadcast source address"
64 + # Drop large ICMP packets to prevent Ping of Death
65 + iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 0:1024 -j ACCEPT -m comment --comment "Prevent Ping of Death"
56 66
57 - # Drop packets with the same source and destination address
58 - iptables -A INPUT -s 192.168.1.1 -d 192.168.1.1 -j DROP -m comment --comment "Drop packets with same source and destination address"
67 + # Drop packets with the same source and destination IP
68 + iptables -A INPUT -s 192.168.1.1 -d 192.168.1.1 -j DROP -m comment --comment "Drop same source and destination"
59 69
60 70 # Drop invalid packets
61 71 iptables -A INPUT -m state --state INVALID -j DROP -m comment --comment "Drop invalid packets"
62 72
63 - # Drop suspicious port scanning attempts
64 - iptables -A INPUT -p tcp --syn -m recent --name portscan --set -m comment --comment "Track port scanning attempts"
65 - iptables -A INPUT -p tcp --syn -m recent --name portscan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop excessive port scan attempts"
66 -
67 - # Rate limit incoming connections to mitigate DDoS
68 - iptables -A INPUT -p tcp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit TCP connections to mitigate DDoS"
69 - iptables -A INPUT -p udp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit UDP connections to mitigate DDoS"
73 + # === Logging ===
70 74
75 + # Log dropped packets
76 + iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "Dropped: " --log-level 4 -m comment --comment "Log dropped packets"
71 77
72 - # Set NAT forwarding rules (if needed)
73 - # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "NAT outbound traffic"
78 + # === Save Rules ===
74 79
75 - # Save rules
76 - # iptables-save > /etc/iptables/rules.v4
80 + # Save rules to /etc/iptables/rules.v4
81 + iptables-save > /etc/iptables/rules.v4
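Review bot: the rate-limiting rules at new-file lines 53 and 60-62 use `-j ACCEPT` without any port match, so they accept up to 1 SYN/s (line 53) and 10 packets/s of any TCP or UDP traffic (lines 60-61) to every port on the host; any service listening on a port the `INPUT DROP` default at line 11 was meant to hide becomes reachable at a throttled rate. They also sit after the port-80/443 accepts at lines 45 and 48, so web traffic is never limited by them. A limit rule should gate a specific accept rather than accept on its own, e.g. `iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT` followed by `iptables -A INPUT -p tcp --dport 80 --syn -j DROP`, inserted ahead of the unconditional accept for that port. The same ordering problem makes the SSH limiter at lines 36-37 inert: sources matching lines 30 and 33 are already accepted before the `recent` rules run, and every other source is dropped at line 40 regardless of hit count; move the `--update ... -j DROP` and `--set` pair above line 30 and restrict them to new connections (e.g. `-m conntrack --ctstate NEW`) so the allowed sources are the ones being counted. Finally, line 30 fails if the `taiwan_ips` set does not exist yet, and because the script has no `set -e` the remaining rules, including the drop at line 40, are still installed and lock out any SSH client outside `192.168.1.0/24`; add a precondition such as `ipset list "$TAIWAN_IPSET" >/dev/null || exit 1` before the SSH section.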

timmy revised this gist 1 year ago.

1 file changed, 76 insertions

iptables_rules.sh (file created)

@@ -0,0 +1,76 @@
1 + #!/bin/bash
2 +
3 + # Flush all existing rules
4 + iptables -F
5 +
6 + # Set default policies to drop
7 + iptables -P INPUT DROP
8 + iptables -P FORWARD DROP
9 + iptables -P OUTPUT ACCEPT
10 +
11 + # Allow established connections
12 + iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established connections"
13 +
14 + # Allow loopback interface traffic
15 + iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback interface"
16 +
17 + # Allow SSH traffic (port 22)
18 + # iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Allow SSH"
19 +
20 + # Allow SSH traffic only from IPs in the taiwan_ips ipset collection
21 + iptables -A INPUT -p tcp --dport 22 -m set --match-set taiwan_ips src -j ACCEPT -m comment --comment "Allow SSH from Taiwan IPs"
22 +
23 + # Drop SSH traffic from other IPs
24 + iptables -A INPUT -p tcp --dport 22 -j DROP -m comment --comment "Drop SSH from other IPs"
25 +
26 +
27 + # Allow HTTP traffic (port 80)
28 + # iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
29 +
30 + # Allow HTTPS traffic (port 443)
31 + # iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
32 +
33 + # Allow ping traffic
34 + iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow ping"
35 +
36 + # Block SYN Flood attacks
37 + iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT -m comment --comment "Protect against SYN Flood"
38 +
39 + # Block Port Scanning
40 + iptables -A INPUT -p tcp --syn -m recent --name scan --set -m comment --comment "Detect port scans"
41 + iptables -A INPUT -p tcp --syn -m recent --name scan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop port scans"
42 +
43 + # Block DoS attacks
44 + iptables -A INPUT -p tcp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit incoming connections to prevent DoS"
45 + iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP connections to prevent DoS"
46 + iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT -m comment --comment "Limit ICMP requests to prevent DoS"
47 +
48 + # Limit UDP traffic to prevent UDP Flood attack
49 + iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP traffic to prevent UDP Flood"
50 +
51 + # Drop oversized ICMP packets to prevent Ping of Death attack
52 + iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 0:1024 -j ACCEPT -m comment --comment "Drop oversized ICMP packets"
53 +
54 + # Drop packets with a source address equal to the broadcast address
55 + iptables -A INPUT -p icmp --icmp-type echo-request -s 255.255.255.255 -j DROP -m comment --comment "Drop ICMP packets with broadcast source address"
56 +
57 + # Drop packets with the same source and destination address
58 + iptables -A INPUT -s 192.168.1.1 -d 192.168.1.1 -j DROP -m comment --comment "Drop packets with same source and destination address"
59 +
60 + # Drop invalid packets
61 + iptables -A INPUT -m state --state INVALID -j DROP -m comment --comment "Drop invalid packets"
62 +
63 + # Drop suspicious port scanning attempts
64 + iptables -A INPUT -p tcp --syn -m recent --name portscan --set -m comment --comment "Track port scanning attempts"
65 + iptables -A INPUT -p tcp --syn -m recent --name portscan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop excessive port scan attempts"
66 +
67 + # Rate limit incoming connections to mitigate DDoS
68 + iptables -A INPUT -p tcp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit TCP connections to mitigate DDoS"
69 + iptables -A INPUT -p udp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit UDP connections to mitigate DDoS"
70 +
71 +
72 + # Set NAT forwarding rules (if needed)
73 + # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "NAT outbound traffic"
74 +
75 + # Save rules
76 + # iptables-save > /etc/iptables/rules.v4
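Review bot: the unconditional `Allow ping` accept at line 34 is reached before the ICMP limit at line 46 and the length check at line 52, so neither ever matches an echo-request, and the comment at line 51 ("Drop oversized ICMP packets") describes a rule whose target is ACCEPT; move the length-bounded accept ahead of line 34 and remove the unconditional one. With the HTTP/HTTPS accepts commented out at lines 28 and 31, web traffic can only enter through the generic rate-limited accepts at lines 37, 44 and 68, which match every TCP port rather than just 80/443, so they throttle legitimate web traffic while exposing any other listening TCP/UDP service at the same rate despite the `INPUT DROP` default at line 7; each limit should be tied to a `--dport` and paired with a DROP for the excess. Several rules are duplicated or shadowed: line 49 repeats line 45, lines 63-65 repeat the port-scan `recent` rules of lines 39-41 under a second list name (so each SYN is counted twice), and the larger limits at lines 67-69 only see traffic that already overflowed lines 44-45, so together they allow a combined rate above either stated limit rather than enforcing one. The same-source-and-destination check at line 58 covers a single hard-coded address rather than the host's own addresses, and with `iptables-save` commented out at line 76 nothing persists across a reboot.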