IPTables Part The Second
Slightly more than basic script, with important guards against attacks.
#!/bin/sh
IPT=$(which iptables) # set path to iptables
IPT -F # flush any existing rules
$IPT -P OTPUT ACCEPT # accept anything going out
$IPT -P INPUT DROP # drop everything coming in
$IPT -P FORWARD DROP # no forwarding internally
$IPT -N SERVICES # custom policy
# drop spoofed packets
$IPT -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP
# limit pings
$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
# drop what does not make sense
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# allow in
$IPT -A INPUT --in-interface lo -j ACCEPT # allow local machine
$IPT -A INPUT -j SERVICES # branch to services
# allow response
$IPT -A INPUt -m state --state ESTABLISHED,RELATED -j ACCEPT #established
# allow services
$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT #allow ssh
Chrls is currently a technology transformation leader at one of the oldest American investment banking services holding companies, headquartered in New York City. Previous roles at current employer include project manager, front office support, retail and enterprise global Windows server support. Currently residing in Tennessee on the Cumberland Plateau and enjoying life, family and open source.
Mastodon Diaspora Funkwhale Pixelfed