# iptables-restore format: the filter table. Chain policies and user-defined
# chains are declared first, then the rules, then COMMIT applies the table.
*filter
# Default-deny inbound. The policy is rarely reached in practice, because the
# REJECT rules at the end of INPUT match any packet not accepted earlier.
:INPUT DROP [0:0]
# No FORWARD rules follow, so this host does not forward traffic at all.
:FORWARD DROP [0:0]
# Outbound traffic is unrestricted: this file defines no OUTPUT rules, so there
# is no egress filtering here.
:OUTPUT ACCEPT [0:0]
# User-defined chains ("-" = no policy). A packet that matches no rule in a
# user chain returns to INPUT and continues with the rule after the jump.
# TCP: per-port rules for new TCP connections (empty in this file).
:TCP - [0:0]
# UDP: per-port rules for new UDP flows (empty in this file).
:UDP - [0:0]
# SSH: per-source throttle for new SSH connection attempts (see rules below).
:SSH - [0:0]
# Rate limit ping requests
# Accept a burst of up to 8 echo-requests, then an average of 30 per minute;
# anything above that falls through to the DROP rule that follows.
# Placed before the RELATED,ESTABLISHED accept so the limit applies even when
# conntrack already considers the ping flow established.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
# Excess pings are dropped silently (no ICMP error), unlike the REJECT rules
# used for other traffic at the end of the chain.
-A INPUT -p icmp --icmp-type echo-request -j DROP
# Accept established connections
# Fast path: packets belonging to an already-tracked connection (or related to
# one, e.g. ICMP errors) are accepted without consulting the per-protocol
# chains. Every rule below therefore only sees NEW or INVALID traffic.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept all traffic on loopback interface
# Loopback is fully trusted. Note the ICMP rules above come first, so pings
# over lo are subject to the same rate limit as external pings.
-A INPUT -i lo -j ACCEPT
# Drop packets declared invalid
# Packets conntrack cannot classify (malformed or out-of-state segments) are
# dropped before they can reach the SSH/TCP/UDP chains or the REJECT rules.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH rate limiting
# New TCP connections to the ssh service port (resolved via /etc/services,
# normally 22) are handed to the SSH chain. The throttle there counts
# connection attempts per source address, not failed logins; sshd-side
# controls are still needed for authentication failures.
-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
# Short window: drop if this source already has 3 or more recorded attempts
# in the last 10 seconds. --rcheck only tests the list (it does not record
# this packet), so dropped attempts do not extend the window. --rttl also
# requires the packet's TTL to match the recorded one, which makes it harder
# to get a third party's address blocked with spoofed packets.
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
# Long window: drop if this source has 20 or more recorded attempts in the
# last 30 minutes (1800 s). Same --rcheck/--rttl semantics as the rule above.
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
# Below both thresholds: record the source in the "sshbf" list and accept.
# Only attempts that reach this rule are recorded, which is what the two
# --rcheck rules above count against.
-A SSH -m recent --name sshbf --set -j ACCEPT
# Send TCP and UDP connections to their respective rules chain
# New UDP flows go to the UDP chain. With that chain empty (see UDP PORT RULES
# below) they return here and are rejected by the UDP REJECT rule further down.
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# New TCP connections that are genuine SYNs go to the TCP chain. A NEW TCP
# packet that is not a SYN (e.g. a stray ACK) skips the chain and is rejected
# with a RST below. SSH was already diverted to the SSH chain above.
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# Reject dropped packets with an RFC-compliant response
# Anything not accepted above is actively rejected instead of being left to
# the DROP policy: UDP gets ICMP port-unreachable, ...
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# ... TCP gets a RST, ...
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
# ... and every other protocol gets ICMP protocol-unreachable. This rule is a
# catch-all, so the INPUT DROP policy is effectively never consulted.
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
## TCP PORT RULES
# No TCP services are opened in this file: the TCP chain has no ACCEPT rules,
# so every new non-SSH TCP connection is rejected with a RST. To expose a
# service, add a rule of the form "-A TCP -p tcp --dport <port> -j ACCEPT"
# here (<port> is a placeholder).
# Optional: uncomment to log each packet entering the TCP chain (LOG is
# non-terminal, so evaluation continues). Keep it ahead of any ACCEPT rules
# if the goal is to see what ends up rejected.
# -A TCP -p tcp -j LOG
## UDP PORT RULES
# No UDP services are opened in this file: the UDP chain has no ACCEPT rules,
# so every new UDP flow is rejected with ICMP port-unreachable.
# Optional: uncomment to log each packet entering the UDP chain (non-terminal).
# -A UDP -p udp -j LOG
# Apply the whole filter table atomically.
COMMIT