Initial commit

files/iptables/flush-ip6tables.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+ip6tables -F
+ip6tables -X
+ip6tables -Z
+
+for table in $(</proc/net/ip6_tables_names)
+do
+  ip6tables -t \$table -F
+  ip6tables -t \$table -X
+  ip6tables -t \$table -Z
+done
+
+ip6tables -P INPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD ACCEPT

files/iptables/flush-iptables.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT

files/iptables/ip6tables.rules

@@ -0,0 +1,48 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Drop packets with RH0 headers
+-A INPUT -m rt --rt-type 0 -j DROP
+-A OUTPUT -m rt --rt-type 0 -j DROP
+-A FORWARD -m rt --rt-type 0 -j DROP
+
+# Rate limit ping requests
+-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT

files/iptables/ip6tables.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore -w 5 /etc/iptables/ip6tables.rules
+ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/etc/iptables/flush-ip6tables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

files/iptables/iptables.rules

@@ -0,0 +1,43 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Rate limit ping requests
+-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-rst
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT

files/iptables/iptables.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore -w 5 /etc/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/etc/iptables/flush-iptables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

files/iptables/nftables.rules

@@ -0,0 +1,21 @@
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; }
+add chain ip filter FORWARD { type filter hook forward priority 0; }
+add chain ip filter OUTPUT { type filter hook output priority 0; }
+add chain ip filter TCP
+add chain ip filter UDP
+add chain ip filter SSH
+add rule ip filter INPUT icmp type echo-request limit rate 30/minute burst 8 packets counter accept
+add rule ip filter INPUT icmp type echo-request counter drop
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter INPUT iifname lo counter accept
+add rule ip filter INPUT ct state invalid counter drop
+add rule ip filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT 
+add rule ip filter INPUT ip protocol udp ct state new counter jump UDP
+add rule ip filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip filter INPUT ip protocol udp counter reject
+add rule ip filter INPUT ip protocol tcp counter reject with tcp reset
+add rule ip filter INPUT counter reject with icmp type prot-unreachable

files/iptables/nftables6.rules

@@ -0,0 +1,24 @@
+add table ip6 filter
+add chain ip6 filter INPUT { type filter hook input priority 0; }
+add chain ip6 filter FORWARD { type filter hook forward priority 0; }
+add chain ip6 filter OUTPUT { type filter hook output priority 0; }
+add chain ip6 filter TCP
+add chain ip6 filter UDP
+add chain ip6 filter SSH
+add rule ip6 filter INPUT rt type 0 counter drop
+add rule ip6 filter OUTPUT rt type 0 counter drop
+add rule ip6 filter FORWARD rt type 0 counter drop
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request  limit rate 30/minute burst 8 packets counter accept
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request  counter drop
+add rule ip6 filter INPUT ct state related,established counter accept
+add rule ip6 filter INPUT iifname lo counter accept
+add rule ip6 filter INPUT ct state invalid counter drop
+add rule ip6 filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP 
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT 
+add rule ip6 filter INPUT meta l4proto udp ct state new counter jump UDP
+add rule ip6 filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip6 filter INPUT meta l4proto udp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT meta l4proto tcp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited