Add old ufw configuration and current IPTABLES configuration
e3a6d410e6
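--- /dev/null
+++ b/PATH-NOT-SHOWN-1
@@ -0,0 +1,39 @@
+#!/bin/bash
+# INPUT Chain (incoming ports)
+
+# All packet verification
+iptables -I INPUT -m conntrack --ctstate INVALID -j DROP # Drop invalid packets
+iptables -I INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT # No constant icmp packets
+iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets
+iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP # Block syn floods
+
+# SSH Bruteforce Mitigations
+iptables -N IN_SSH
+iptables -A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
+iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
+iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT
+
+# Cross-server free networking
+iptables -A INPUT -s 68.183.220.24,68.183.219.248,157.230.31.163,45.77.55.222,104.248.141.204 -j ACCEPT
+iptables -A INPUT -i eth1 -j ACCEPT
+
+# Services
+iptables -A INPUT -p tcp -m multiport --dports 22,80,443,2200,2422,2442,25565,51413,51820 -j ACCEPT
+iptables -A INPUT -p udp -m multiport --dports 443,2200,25565,51820 -j ACCEPT
+
+# Docker Rules (not required with rules above)
+#iptables -A INPUT -p tcp --dport 7946 -j ACCEPT
+#iptables -A INPUT -p udp --dport 7946 -j ACCEPT
+#iptables -A INPUT -p tcp --dport 2377 -j ACCEPT
+#iptables -A INPUT -p udp --dport 4789 -j ACCEPT
+#iptables -A INPUT -p ESP -j ACCEPT # IPSEC for Docker
+
+# Special Rules
+iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Keep existing connections open
+iptables -I INPUT 1 -i lo -j ACCEPT # Loopback connections
+
+# DEFAULT RULES # Apply at end, first set whitelisted connections
+iptables -P INPUT DROP
+# iptables -P FORWARD DROP # Unsure about this, needs testing
+iptables -P OUTPUT ACCEPT # Allow all outbound connections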
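--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Incoming services
+ufw allow proto tcp from any to any port 22,80,443,2200,2422,2442,25565,51413
+
+IPS=(
+"68.183.220.24"
+"68.183.219.248"
+"157.230.31.163"
+"45.77.55.222"
+"104.248.141.204"
+)
+
+for ((i = 0; i<${#IPS[@]}; i++));do
+ufw allow from ${IPS[${i}]}
+done
+
+ufw default deny incoming
+ufw default reject routed
+ufw default allow outgoing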