Remove firewall ratelimiting and per-ip limiting, use provided interface
This commit is contained in:
parent
e3a6d410e6
commit
7712236aae
|
@ -7,16 +7,11 @@ iptables -I INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT # N
|
||||||
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets
|
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets
|
||||||
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP # Block syn floods
|
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP # Block syn floods
|
||||||
|
|
||||||
# SSH Bruteforce Mitigations
|
|
||||||
iptables -N IN_SSH
|
|
||||||
iptables -A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
|
|
||||||
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
|
|
||||||
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
|
|
||||||
iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT
|
|
||||||
|
|
||||||
# Cross-server free networking
|
# Cross-server free networking
|
||||||
iptables -A INPUT -s 68.183.220.24,68.183.219.248,157.230.31.163,45.77.55.222,104.248.141.204 -j ACCEPT
|
iptables -A INPUT -i ens10 -j ACCEPT
|
||||||
iptables -A INPUT -i eth1 -j ACCEPT
|
|
||||||
|
# Allow forwarding of existing connections
|
||||||
|
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
# Services
|
# Services
|
||||||
iptables -A INPUT -p tcp -m multiport --dports 22,80,443,2200,2422,2442,25565,51413,51820 -j ACCEPT
|
iptables -A INPUT -p tcp -m multiport --dports 22,80,443,2200,2422,2442,25565,51413,51820 -j ACCEPT
|
||||||
|
@ -35,5 +30,5 @@ iptables -I INPUT 1 -i lo -j ACCEPT # Loopback connections
|
||||||
|
|
||||||
# DEFAULT RULES # Apply at end, first set whitelisted connections
|
# DEFAULT RULES # Apply at end, first set whitelisted connections
|
||||||
iptables -P INPUT DROP
|
iptables -P INPUT DROP
|
||||||
# iptables -P FORWARD DROP # Unsure about this, needs testing
|
iptables -P FORWARD ACCEPT # TODO: Should be drop but it needs configuration
|
||||||
iptables -P OUTPUT ACCEPT # Allow all outbound connections
|
iptables -P OUTPUT ACCEPT # Allow all outbound connections
|
||||||
|
|
Reference in New Issue