Базовая конфигурация
- Создаем файл конфигурации
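# Create the firewall script and make it executable before editing it.
# -p lets this be re-run on a host where /etc/iptables already exists
# instead of failing on the first line.
mkdir -p /etc/iptables
touch /etc/iptables/rc.firewall
chmod +x /etc/iptables/rc.firewall
nano -w /etc/iptables/rc.firewall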
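#!/bin/bash
# Host firewall: default-deny on INPUT/OUTPUT/FORWARD, inbound SSH only,
# a short outbound allow-list, and a per-source SYN rate limit.
# Must run as root. Rules take effect immediately and are not persisted by
# this script; re-run it at boot (e.g. from rc.local).

# Setting variables
ipt="/usr/sbin/iptables"
# Interface the INPUT/OUTPUT allow rules are bound to.
# "ifname" is a placeholder — replace it with the real interface name.
iface="ifname"
# SYN Rate (pps): a source sending syn_count SYNs within syn_interval seconds
# is diverted to the SYNFLOOD chain (logged, then dropped).
syn_interval="1"
syn_count="100"
# NOTE(review): older kernels reject --hitcount above xt_recent's
# ip_pkt_list_tot module parameter (default 20) when the rule is loaded;
# newer kernels accept up to 255 — confirm on the target kernel.

# Fail early and visibly rather than emitting one error per rule below.
[[ -x "$ipt" ]] || { printf 'iptables not found or not executable: %s\n' "$ipt" >&2; exit 1; }

# Flushing the tables: clear every table and delete user chains so the
# script is idempotent when re-run.
"$ipt" -t nat -F
"$ipt" -t mangle -F
"$ipt" -t raw -F
"$ipt" -F
"$ipt" -X

# Setting explicit deny rules: anything not accepted below is dropped.
# Existing sessions are blocked until the RELATED,ESTABLISHED rules further
# down are installed; the gap is only a few commands long.
"$ipt" -P INPUT DROP
"$ipt" -P FORWARD DROP
"$ipt" -P OUTPUT DROP

# SYN Flood
# The --set rule records every non-loopback source that sends a SYN
# (it always matches and has no target, so evaluation continues).
# Without it the "recent" list stays empty and the --update/--hitcount
# rule can never match, so the SYNFLOOD chain would never be reached.
"$ipt" -N SYNFLOOD
"$ipt" -A INPUT ! -i lo -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN \
  -m recent --name SYNFLOOD --set
"$ipt" -A INPUT ! -i lo -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN \
  -m recent --name SYNFLOOD --update --seconds "$syn_interval" --hitcount "$syn_count" \
  -j SYNFLOOD
# Cap log lines so an attacker cannot fill the log; drop regardless.
"$ipt" -A SYNFLOOD -m limit --limit 30/min -j LOG --log-prefix "Firewall: *SYNFLOOD* "
"$ipt" -A SYNFLOOD -j DROP

# Allowing Loopback traffic
"$ipt" -A INPUT -i lo -j ACCEPT
"$ipt" -A OUTPUT -o lo -j ACCEPT

# Stateful rules: replies to flows accepted below (including ICMP echo
# replies and ICMP errors for traceroute) come back via these.
"$ipt" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"$ipt" -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#
# INPUT
#
# All NEW-connection rules use -m conntrack, matching the stateful rules
# above; -m state is the older alias of the same match.
# SSH
"$ipt" -A INPUT -i "$iface" -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT

#
# OUTPUT
#
# HTTPS
"$ipt" -A OUTPUT -o "$iface" -p tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT
# DNS (UDP only; DNS over TCP, used for large responses, is not allowed here)
"$ipt" -A OUTPUT -o "$iface" -p udp -m conntrack --ctstate NEW --dport 53 -j ACCEPT
# NTP
"$ipt" -A OUTPUT -o "$iface" -p udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT
# Ping
"$ipt" -A OUTPUT -o "$iface" -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# Traceroute (UDP probe port range)
"$ipt" -A OUTPUT -o "$iface" -p udp -m conntrack --ctstate NEW --dport 33434:33523 -j ACCEPT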
# Apply the ruleset now, then display it: -L lists every chain,
# -n avoids DNS/service-name lookups, -v adds interfaces and counters.
/etc/iptables/rc.firewall
iptables -L -n -v
- Добавляем в автозагрузку (см. здесь)
nano -w /etc/rc.local
# IPTABLES
# Re-applies the firewall at boot. Put this line before rc.local's final
# `exit 0` (if the file has one) so it is actually reached.
# NOTE(review): rc.local itself must be executable for the init system to
# run it — confirm how the target distribution handles rc.local.
/etc/iptables/rc.firewall