From 7712236aae0f15255660e8d6fe5fa584db7efd7e Mon Sep 17 00:00:00 2001
From: caskd
Date: Thu, 23 Jan 2020 17:30:02 +0100
Subject: [PATCH] Remove firewall ratelimiting and per-ip limiting, use provided interface
---
 iptables-setup.sh | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/iptables-setup.sh b/iptables-setup.sh
index 83b2bf8..13af36a 100755
--- a/iptables-setup.sh
+++ b/iptables-setup.sh
@@ -7,16 +7,11 @@ iptables -I INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT # N
 iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets
 iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP # Block syn floods
 
-# SSH Bruteforce Mitigations
-iptables -N IN_SSH
-iptables -A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
-iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
-iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT
-
 # Cross-server free networking
-iptables -A INPUT -s 68.183.220.24,68.183.219.248,157.230.31.163,45.77.55.222,104.248.141.204 -j ACCEPT
-iptables -A INPUT -i eth1 -j ACCEPT
+iptables -A INPUT -i ens10 -j ACCEPT
+
+# Allow forwarding of existing connections
+iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # Services
 iptables -A INPUT -p tcp -m multiport --dports 22,80,443,2200,2422,2442,25565,51413,51820 -j ACCEPT
@@ -34,6 +29,6 @@ iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Keep e
 iptables -I INPUT 1 -i lo -j ACCEPT # Loopback connections
 # DEFAULT RULES # Apply at end, first set whitelisted connections
-iptables -P INPUT DROP
-# iptables -P FORWARD DROP # Unsure about this, needs testing
+iptables -P INPUT DROP
+iptables -P FORWARD ACCEPT # TODO: Should be drop but it needs configuration
 iptables -P OUTPUT ACCEPT # Allow all outbound connections
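Review bot: The new `iptables -A INPUT -i ens10 -j ACCEPT` trusts every host that can reach this machine over ens10, whereas the rule it replaces accepted only five explicit source addresses; if ens10 is a shared private network (the `# Cross-server free networking` heading suggests so, but the script does not show it) any other host on that segment now reaches every listening port, not just the multiport list below. Keep the interface match but bound the peers as well, e.g. `iptables -A INPUT -i ens10 -s <private-subnet-of-ens10> -j ACCEPT`, or keep the address list and add `-i ens10` to it. Port 22 also stays in the multiport ACCEPT on every interface with nothing replacing the removed `recent`-based throttle, so a comment naming the compensating control (key-only sshd, fail2ban, or "accepted risk") would record that this is deliberate rather than an oversight. The added `FORWARD ... RELATED,ESTABLISHED` rule is a no-op while the FORWARD policy is ACCEPT, which this same commit sets, so its comment should say it only takes effect once the policy becomes DROP.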
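Review bot: `iptables -P FORWARD ACCEPT` turns the host into an unrestricted router between its interfaces the moment `net.ipv4.ip_forward` is enabled, and nothing in the FORWARD chain limits source, destination or interface, so the TODO on that line is the only guard; the open port 51820 earlier in the file hints that VPN traffic may be routed through this box, though the script does not show that. The smaller safe change is the one the removed comment already described: `iptables -P FORWARD DROP` preceded by explicit accepts for the interface pairs that must route (e.g. `iptables -A FORWARD -i <vpn-if> -o <uplink-if> -j ACCEPT`), with the RELATED,ESTABLISHED FORWARD rule added in the first hunk letting replies through. If DROP genuinely cannot be applied yet, the TODO should name the missing configuration and the unblocked traffic it currently permits, e.g. `# TODO(caskd): FORWARD is ACCEPT until per-interface forward rules exist; any forwarded traffic is currently allowed`, so the exposure is visible to the next reader.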