Strapower

Miro' Bistrot

Esempio di IPTables Firewall

Posted on Giugno 24, 2013 in the linux category

###########
## IPTABLES FIREWALL CONFIGURATION
###########

*filter

##ALLOW loopback interface
-A INPUT -i lo -j ACCEPT

##ALLOW connections that originate from this server
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

##Block
-A INPUT -s 61.225.15.0/24 -j DROP
-A INPUT -s 118.167.0.0/16 -j DROP
-A INPUT -s 114.45.0.0/16 -j DROP
-A INPUT -s 121.96.0.0/18 -j DROP

##Restrictions
#-A INPUT -p icmp -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name ICMP -j LOG --log-prefix "**IPTABLES**ICMP DENY**"
#-A INPUT -p icmp -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name ICMP -j DROP
#-A INPUT -p icmp -m state --state NEW -m recent --set --name ICMP -j ACCEPT

#-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --name SSH -j LOG --log-prefix "**IPTABLES**SSH DENY**"
#-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
#-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

##ALLOW ONLY 192.168.0.0 network to the following ports
-A INPUT -s 192.168.0.0/255.255.0.0 -p tcp --dport 22 -j ACCEPT

##ALLOW ANY to the following ports
#-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

##ALLOW specific to the following ports
#-A INPUT -s 192.168.5.1 -p tcp --dport 995 -j ACCEPT
-A INPUT -s 192.168.5.1 -p tcp --dport 993 -j ACCEPT
-A INPUT -s 192.168.5.1 -p tcp --dport 3306 -j ACCEPT

##ALLOW icmp
#-A INPUT -p icmp --icmp-type any -j ACCEPT
#-A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/s --limit-burst 5 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT

##LOGGING
#-A INPUT -j LOG --log-tcp-options --log-ip-options

##DEFAULT set DROP as default rule for each chain
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

 

COMMIT

Comments

Leave a Comment