I use iptables to secure my Linux-based internet-facing hobbyist servers. The current rule set on one of these servers (sanyalnet-cloud-vps2.freeddns.org), kept at /etc/sysconfig/iptables, is below.
This particular server runs CentOS 7. The rules provide basic protection from SYN flood, null, Christmas tree and fragmented packets, and add rate-limited DDoS flood protection for the ssh, telnet, smtp, dns, http, pop3, ntp, IMAP, https, smtps, starttls, imap-ssl/tls, pop-ssl/tls, dovecot, sieve, managesieve, DECnet bridge (HECnet), stunnel, syslog and similar ports that any internet-facing server providing public services usually has open. It has the following open ports for the services it provides:
- ssh
- telnet, forwarded to CLOUDY VAX - the hosted DECVAX-11/780 SIMH simulated Digital VAX server running OpenVMS 7.3
- SMTP (authenticated, not public)
- DNS - this DNS server blocks advertising and tracking websites as well as malware
- http - a basic static web-site is hosted on this server; also reachable over the TOR network at fz2koi5kviaph4bl.onion
- POP (authenticated, not public)
- NTP - this server is an official stratum-2 public NTP server listed at ntp.org and is a member of the NTP Pool Project
- IMAP (authenticated, not public)
- https (currently unused)
- STARTTLS / SMTPS (authenticated, not public)
- IMAP SSL/TLS (authenticated, not public)
- POP SSL/TLS (authenticated, not public)
- Dovecot Sieve / ManageSieve
- DECnet bridge connecting QCOCAL (SIMH MicroVAX 3900/OpenVMS 7.3 at home), JUICHI (SIMH DEC PDP-11/24 RSX-11M PLUS at home) and CLOUDY VAX (SIMH VAX-11/780 OpenVMS 7.3) to HECnet, the global hobbyist DECnet network
- TOR Proxy service (authenticated, not public)
- stunnel (secure tunnel) service to syslog daemon for encrypted remote logging
- syslog
- TOR relay node (this server is a TOR relay-only node, not a TOR exit node; no TOR traffic is logged at all on this server)
```
#------------------------------------------
# /etc/sysconfig/iptables
# CentOS 7
# Supratim Sanyal, supratim at riseup dot net, https://supratim-sanyal.blogspot.com
# fail2ban and ip blocklist script add entries after boot, extending these default filter rules
# Each hashlimit rule below has its own --hashlimit-name: rules that share a name share one
# hashlimit table, so the first rule's rate and burst would silently apply to all of them
#------------------------------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#------------------------------------------
# Basic Network Exploit Protection from SYN flood, null, Christmas tree and fragmented packets
#------------------------------------------
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -f -j DROP
#------------------------------------------
# Allow related and established connections and localhost traffic
#------------------------------------------
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#------------------------------------------
# Rate Limit ssh connections
# For fail2ban to work, the ssh rate limit must be at least maxretry for the sshd jail in /etc/fail2ban/jail.local
#------------------------------------------
-A INPUT -p tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit 4/min --hashlimit-mode srcip --hashlimit-burst 6 --hashlimit-name ssh -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#------------------------------------------
# Rate Limit telnet connections (MIRAI and CNC worms send telnet floods all the time)
#------------------------------------------
-A INPUT -p tcp --dport 23 -m state --state NEW -m hashlimit --hashlimit 2/min --hashlimit-mode srcip --hashlimit-burst 3 --hashlimit-name telnet -j ACCEPT
-A INPUT -p tcp --dport 23 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
#------------------------------------------
# Rate Limit SMTP connections
#------------------------------------------
-A INPUT -p tcp --dport 25 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name smtp -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
#------------------------------------------
# Rate Limit TCP DNS connections
#------------------------------------------
-A INPUT -p tcp --dport 53 -m state --state NEW -m hashlimit --hashlimit 10/sec --hashlimit-mode srcip --hashlimit-burst 20 --hashlimit-name dns-tcp -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
#------------------------------------------
# Rate Limit UDP DNS connections
# Poor Man's Anti-DNS Amplification Attack
# Ref: http://www.iplux.net/2015/01/17/Blocking-DNS-Amplification-attacks
# NOTE: this rule only logs (at most 10 entries/sec); with the ACCEPT below commented out,
# UDP DNS queries continue down the chain and reach the final REJECT
#------------------------------------------
-A INPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j LOG --log-prefix "fw-dns " --log-level 7
#-A INPUT -p udp -m udp --dport 53 -j ACCEPT
#------------------------------------------
# Rate Limit HTTP connections
#------------------------------------------
-A INPUT -p tcp --dport 80 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name http -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#------------------------------------------
# Rate Limit POP3 connections
#------------------------------------------
-A INPUT -p tcp --dport 110 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name pop3 -j ACCEPT
-A INPUT -p tcp --dport 110 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
#------------------------------------------
# NTP Server
#------------------------------------------
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
#------------------------------------------
# Rate Limit IMAP connections
#------------------------------------------
-A INPUT -p tcp --dport 143 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name imap -j ACCEPT
-A INPUT -p tcp --dport 143 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
#------------------------------------------
# Rate Limit HTTPS connections
#------------------------------------------
-A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name https -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#------------------------------------------
# Rate Limit STARTTLS/SMTPS connections
#------------------------------------------
-A INPUT -p tcp --dport 465 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name smtps -j ACCEPT
-A INPUT -p tcp --dport 465 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
#------------------------------------------
# Rate Limit SMTP submission (port 587) connections
#------------------------------------------
-A INPUT -p tcp --dport 587 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name submission -j ACCEPT
-A INPUT -p tcp --dport 587 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
#------------------------------------------
# Rate Limit IMAP-SSL/TLS connections
#------------------------------------------
-A INPUT -p tcp --dport 993 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name imaps -j ACCEPT
-A INPUT -p tcp --dport 993 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
#------------------------------------------
# Rate Limit POP-SSL/TLS connections
#------------------------------------------
-A INPUT -p tcp --dport 995 -m state --state NEW -m hashlimit --hashlimit 1/sec --hashlimit-mode srcip --hashlimit-burst 2 --hashlimit-name pop3s -j ACCEPT
-A INPUT -p tcp --dport 995 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
#------------------------------------------
# Rate Limit Dovecot ManageSieve connections
#------------------------------------------
-A INPUT -p tcp --dport 4190 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name sieve -j ACCEPT
-A INPUT -p tcp --dport 4190 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 4190 -j ACCEPT
#------------------------------------------
# DECnet bridge
# Bridges QCOCAL MicroVAX 3900 and JUICHI PDP-11/24 on remote host with CLOUDY VAX-11/780 on this host
# Bridge software by Johnny Billquist - http://www.update.uu.se/~bqt/hecnet.html
#------------------------------------------
-A INPUT -p udp -m udp --dport 4712 -j ACCEPT
#------------------------------------------
# Rate Limit TOR Proxy Port (Authentication Required to access proxy)
#------------------------------------------
-A INPUT -p tcp --dport 8080 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name torproxy -j ACCEPT
-A INPUT -p tcp --dport 8080 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
#------------------------------------------
# Rate Limit stunnel Port
#------------------------------------------
-A INPUT -p tcp --dport 65514 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name stunnel -j ACCEPT
-A INPUT -p tcp --dport 65514 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 65514 -j ACCEPT
#------------------------------------------
# Rate Limit rsyslog Ports (TCP and UDP)
#------------------------------------------
-A INPUT -p tcp --dport 65515 -m state --state NEW -m hashlimit --hashlimit 2/sec --hashlimit-mode srcip --hashlimit-burst 4 --hashlimit-name syslog-tcp -j ACCEPT
-A INPUT -p tcp --dport 65515 -m state --state NEW -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 65515 -j ACCEPT
#
-A INPUT -p udp -m udp --dport 65515 -m limit --limit 400/sec -j ACCEPT
#-A INPUT -p udp -m udp --dport 65515 -j ACCEPT
#------------------------------------------
# TOR Relay Port
#------------------------------------------
-A INPUT -p tcp -m state --state NEW -m tcp --dport 65443 -j ACCEPT
#
#------------------------------------------
#------------------------------------------
# Reject everything else and commit
#------------------------------------------
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
# -- EOF --
```
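A small lint pass over rules in this iptables-save format, added here as an example and not part of the original post or the author's tooling. It flags the two pitfalls worth checking in a rule set like the one above: a `--hashlimit-name` shared by several rules (which then share one hashlimit table) and a port that is matched but never ACCEPTed. The sample rules are constructed from the page's style and deliberately keep a shared name and a log-only port.

```python
# Added example, not from the original page: lint an iptables-save style INPUT chain for
# a --hashlimit-name shared by several rules (they then share one hashlimit table, so the
# first rule's rate/burst govern all) and ports that are matched but never ACCEPTed.
import shlex
from collections import Counter, defaultdict

# Constructed sample in the style of the page's config, keeping a shared name and a log-only port.
SAMPLE_RULES = """
-A INPUT -p tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit 4/min --hashlimit-mode srcip --hashlimit-burst 6 --hashlimit-name test -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j REJECT
-A INPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j LOG --log-prefix "fw-dns " --log-level 7
-A INPUT -p tcp --dport 80 -m state --state NEW -m hashlimit --hashlimit 4/sec --hashlimit-mode srcip --hashlimit-burst 8 --hashlimit-name test -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Extract chain, protocol, dport, target and hashlimit name from one -A line."""
    toks = shlex.split(line)  # shlex keeps the quoted "fw-dns " prefix as one token
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "proto": None, "dport": None, "target": None, "hname": None}
    for opt, key in (("-p", "proto"), ("--dport", "dport"), ("-j", "target"),
                     ("--hashlimit-name", "hname")):
        if opt in toks:
            rule[key] = toks[toks.index(opt) + 1]
    if rule["dport"] is not None:
        rule["dport"] = int(rule["dport"])
    return rule

def lint(text):
    """Return (reused hashlimit names, (proto, port) pairs that no rule ACCEPTs)."""
    rules = [r for r in map(parse_rule, text.strip().splitlines())
             if r and r["chain"] == "INPUT"]
    name_uses = Counter(r["hname"] for r in rules if r["hname"])
    reused = sorted(n for n, c in name_uses.items() if c > 1)
    targets = defaultdict(set)  # (proto, dport) -> set of targets seen for that port
    for r in rules:
        if r["dport"] is not None:
            targets[(r["proto"], r["dport"])].add(r["target"])
    never_accepted = sorted(k for k, t in targets.items() if "ACCEPT" not in t)
    return reused, never_accepted

if __name__ == "__main__":
    reused, never_accepted = lint(SAMPLE_RULES)
    for name in reused:
        print(f"--hashlimit-name {name!r} is shared by several rules")
    for proto, port in never_accepted:
        print(f"{proto}/{port}: matched but never ACCEPTed, falls through to the chain tail")
```

Run it against the output of `iptables-save` to check a live rule set rather than the embedded sample.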
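The `fw-dns` LOG rule above only produces syslog entries, so the defender's side of the "poor man's" approach is reading them. The following is an added example, not part of the original post: it counts logged UDP/53 packets per source and aggregates them into /24 prefixes. In a reflection attack the logged SRC is usually the spoofed victim rather than the sender, so a burst from one address is the signal to look at. The log lines are constructed in a simplified form of the kernel LOG format, with made-up hostname and documentation-range addresses.

```python
# Added example, not from the original page: summarise syslog lines written by the
# "fw-dns " LOG rule. In a reflection attack the logged SRC is usually the spoofed
# victim, so a burst from one address (or one prefix) is the signal to act on.
import ipaddress
import re
from collections import Counter

# Constructed sample in a simplified kernel LOG format (hostname and addresses made up,
# using documentation ranges); a real line carries more fields such as MAC= and TTL=.
SAMPLE_LOG = """\
Mar  3 10:00:01 vps2 kernel: fw-dns IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=40211 DPT=53
Mar  3 10:00:01 vps2 kernel: fw-dns IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=40212 DPT=53
Mar  3 10:00:01 vps2 kernel: fw-dns IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=40213 DPT=53
Mar  3 10:00:02 vps2 kernel: fw-dns IN=eth0 OUT= SRC=192.0.2.15 DST=198.51.100.2 PROTO=UDP SPT=51000 DPT=53
Mar  3 10:00:02 vps2 kernel: fw-ssh IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=22
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>\S+) .*?\bSRC=(?P<src>\S+) .*?\bPROTO=(?P<proto>\S+) .*?\bDPT=(?P<dpt>\d+)")

def dns_sources(log_text, prefix="fw-dns"):
    """Count logged UDP/53 packets per source address for the given LOG prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["prefix"] == prefix and m["proto"] == "UDP" and m["dpt"] == "53":
            counts[m["src"]] += 1
    return counts

def noisy_prefixes(log_text, threshold=3, bits=24):
    """Aggregate per-source counts into IPv4 prefixes; return those at or above threshold."""
    nets = Counter()
    for src, n in dns_sources(log_text).items():
        nets[str(ipaddress.ip_network(f"{src}/{bits}", strict=False))] += n
    return [(p, n) for p, n in nets.most_common() if n >= threshold]

if __name__ == "__main__":
    for prefix, n in noisy_prefixes(SAMPLE_LOG):
        print(f"{prefix}: {n} logged DNS queries")
```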