Thanks to:
http://bencane.com/2012/09/17/iptables-linux-firewall-rules-for-a-basic-web-server/
http://www.linux.org/threads/base-iptables-rules-that-will-apply-to-virtually-any-web-server.10/ (used this script with modifications)
NOTES:
Here is a simple script that allows all outbound connections and the inbound packets that belong to those connections (conntrack). Inbound TCP on ports 22, 80 and 443 is allowed as well, plus a few more rules; some rules are commented out for you to enable if you need them. Make sure you have an alternate way in (a console, or a second ssh session you keep open) because if you block yourself out of ssh you may be out of luck. The rules are not persistent: restarting the server clears them, unless something reloads them at boot (see HOW TO LOAD IT ON BOOT below).
CLEAR ALL:
Clear all rules (this is good to keep handy, maybe save it as a script called iptables-clear-all.sh):
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
MAIN TABLE:
I use that to start off my iptables main script: first I clear the previous rules with the above script, then I get into the good stuff.
#!/bin/bash
# Leave a log message that it launched
logger "iptables.sh launched"

# CLEAR: flush and delete every chain in every table and open the policies,
# so the rules below start from a clean slate
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# DEFAULTS: drop anything inbound that no rule below accepts; outbound stays open
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# LOOPBACK AND 127.0.0.1
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# A packet with a 127.0.0.0/8 source arriving on anything other than lo is spoofed.
# (The original version of this line accepted -s 127.0.0.1/32 on every interface,
# which is a hole rather than a protection; the -i lo rule above already covers
# all legitimate loopback traffic.)
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# INPUTS: ssh, http, https, plus replies to connections this host opened
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Uncomment for FTP, or for DNS if this box ever serves it (see notes below)
# iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT

# OTHER: drop packets conntrack cannot classify and impossible TCP flag combinations
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# EXPERIMENTAL
# EXPERIMENTAL
# EXPERIMENTAL
# Everything from here down is optional (see notes below). These five rules
# repeat the OTHER block above verbatim: harmless, but redundant.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# 4) BLACKLIST IP's (if we need it)
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP   # Block a specific ip-address
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP   # Block a specific ip-address
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP   # Block a specific ip-address
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP   # Block a specific ip-address

# FTP_BRUTE CHAIN: remember every NEW connection to 20/21 per source address and
# drop the 4th one within 60 seconds. Only does anything useful if the FTP ACCEPT
# rules above are uncommented; otherwise FTP is dropped by the LOGGING chain anyway.
iptables -A INPUT -p tcp -m multiport --dports 20,21 -m state --state NEW -m recent --set --name FTP_BRUTE
iptables -A INPUT -p tcp -m multiport --dports 20,21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP_BRUTE -j DROP

# SYNFLOOD CHAIN (causes errors plus I dont want it)
# The error is xt_recent refusing the second rule: it only remembers ip_pkt_list_tot
# packets per address (default 20), so --hitcount 60 is rejected unless the module
# is loaded with a larger ip_pkt_list_tot.
# iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name SYNFLOOD --set
# iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name SYNFLOOD --update --seconds 1 --hitcount 60 -j DROP

# Logging CHAIN: anything that reached the end of INPUT without being accepted
# is logged (rate limited to 2 per minute) and then dropped
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 6
iptables -A LOGGING -j DROP
Notes: The SYNFLOOD rules were commented out because my iptables didn't like the second command; it said some error came about. Also, the DNS rules I crossed out, as this is not a DNS server, so the only DNS traffic I'll be doing is connecting to a DNS server (and receiving traffic back from one, but that's handled by conntrack). So everything below EXPERIMENTAL you can choose to leave out if you want; however, everything above worked 100% for me. My WordPress is still alive.
HOW TO LOAD IT ON BOOT:
Save the above into a readable and executable script and have /etc/rc.local run it. On systemd distributions rc.local only runs if the file exists, is executable and starts with a #! line (rc-local.service picks it up), and because it runs late in boot there is a short window where the network is up but no rules are loaded; iptables-save / iptables-restore hooked into network startup closes that window, but rc.local is the simplest approach.
Pretend I saved the script as /etc/iptables.sh
chmod +x /etc/iptables.sh
In my rc.local, I would put (above the exit 0)
logger "BOOT TIME - rc.local about to launch /etc/iptables.sh"
/etc/iptables.sh
exit 0 #<-- note this exit 0 should be there already
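Before trusting rc.local with the script, apply it by hand at least once with a safety net. The wrapper below is an added example, not part of the original notes: it snapshots the live rules with iptables-save, runs the rule script, and puts the snapshot back with iptables-restore unless you confirm from a fresh ssh session within the grace period. The default paths (/etc/iptables.sh as in these notes, /tmp/iptables.rollback, /tmp/iptables.confirmed) and the 60 second grace period are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original notes): apply a firewall script with a
# rollback timer so a bad rule cannot lock you out of ssh.
# Assumed defaults (override via environment): the rule script is
# /etc/iptables.sh, the pre-change snapshot is /tmp/iptables.rollback and the
# confirmation marker is /tmp/iptables.confirmed.
set -u

RULES_SCRIPT="${RULES_SCRIPT:-/etc/iptables.sh}"
SNAPSHOT="${SNAPSHOT:-/tmp/iptables.rollback}"
CONFIRM_FILE="${CONFIRM_FILE:-/tmp/iptables.confirmed}"
GRACE="${GRACE:-60}"   # seconds you have to confirm before the old rules come back

# apply_with_rollback APPLY_CMD RESTORE_CMD GRACE_SECONDS CONFIRM_FILE
# Runs APPLY_CMD, then waits up to GRACE_SECONDS for CONFIRM_FILE to appear.
# Returns 0 if confirmed (new rules kept), 1 if the timer expired and
# RESTORE_CMD was run, 2 if APPLY_CMD itself failed (RESTORE_CMD runs at once).
apply_with_rollback() {
  apply_cmd=$1; restore_cmd=$2; grace=$3; confirm=$4
  rm -f "$confirm"
  if ! sh -c "$apply_cmd"; then
    # A half-applied rule script is worse than none: revert immediately
    sh -c "$restore_cmd"
    return 2
  fi
  elapsed=0
  while [ "$elapsed" -lt "$grace" ]; do
    if [ -e "$confirm" ]; then
      rm -f "$confirm"
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  # Nobody confirmed in time: assume we are locked out and restore the old rules
  sh -c "$restore_cmd"
  return 1
}

# Snapshot the live ruleset, run the rule script, and restore the snapshot
# unless someone confirms from another session before the grace period ends.
safe_apply() {
  iptables-save > "$SNAPSHOT" || return 2
  logger "safe_apply: running $RULES_SCRIPT, rollback in ${GRACE}s unless confirmed"
  if apply_with_rollback "$RULES_SCRIPT" "iptables-restore < '$SNAPSHOT'" "$GRACE" "$CONFIRM_FILE"; then
    logger "safe_apply: confirmed, new rules kept"
  else
    logger "safe_apply: not confirmed or script failed, previous rules restored"
    return 1
  fi
}

case "${1:-}" in
  apply)   safe_apply ;;
  confirm) touch "$CONFIRM_FILE" ;;
  "")      ;;   # no argument: only define the functions (e.g. when sourced)
  *)       echo "usage: $0 apply | confirm" >&2; exit 64 ;;
esac
```

Run `sh safe-apply.sh apply` in your current ssh session, then open a new ssh session and run `sh safe-apply.sh confirm` within the grace period. If the new session cannot connect, do nothing: the old rules come back by themselves when the timer expires.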
HOW TO MONITOR ITS WORKINGS:
This will show you live counters, what's blocked and accepted (-n skips DNS lookups, -v shows the packet and byte counters; add -x if you want exact counts instead of K/M abbreviations):
watch -n0 "iptables -nvL"
This one only shows what changed since the previous refresh (the very first run prints a diff error because /tmp/prev123 does not exist yet; ignore it):
watch -n0 "(iptables -nvL > /tmp/now123); (diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff); (cat /tmp/diff); (mv -f /tmp/now123 /tmp/prev123);"
Slow it down some:
watch -n2 "(iptables -nvL > /tmp/now123); (diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff); (cat /tmp/diff); (mv -f /tmp/now123 /tmp/prev123);"
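The diff one-liner above tells you that a counter line changed but makes you work out which rule it was. As an added example that is not part of the original notes, the function below compares two `iptables -nvxL` snapshots and prints one line per rule whose packet counter moved, keyed by chain and rule position (-x matters: without it large counters are printed as 12K or 3M and stop parsing as numbers). The two snapshots embedded in it are constructed sample output, not real captures, so it runs without root or iptables; the `watch_deltas` loop at the end is the live version.

```shell
#!/bin/sh
# Added example (not from the original notes): per-rule packet deltas between two
# `iptables -nvxL` snapshots. SNAP_PREV and SNAP_NOW are constructed samples.
SNAP_PREV='Chain INPUT (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  100  6000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 2000 120000 ACCEPT    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    7   350 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   100 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 6 prefix "IPTables Packet Dropped: "
    7   350 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SNAP_NOW='Chain INPUT (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  103  6180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 2450 147000 ACCEPT    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    9   450 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   150 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 6 prefix "IPTables Packet Dropped: "
    9   450 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rule_deltas PREV_TEXT NOW_TEXT
# Prints "CHAIN#N  +delta pkts  target proto match..." for every rule whose
# packet counter differs between the two snapshots. Rules are identified by
# chain name and position, the same way iptables -L --line-numbers counts them.
rule_deltas() {
  { printf '%s\n' "$1"; printf '@@SPLIT@@\n'; printf '%s\n' "$2"; } | awk '
    /^@@SPLIT@@$/ { phase = 1; next }
    /^Chain /     { chain = $2; idx = 0; next }
    /^ *[0-9]+ +[0-9]+ / {
      # counter lines: $1 pkts, $2 bytes, $3 target, $4 proto, $10.. match text
      idx++
      key  = chain "#" idx
      desc = $3 " " $4
      for (i = 10; i <= NF; i++) if (!(i == 10 && $i == $4)) desc = desc " " $i
      if (phase == 0) { prev[key] = $1; next }
      if ($1 != prev[key]) {
        d = $1 - prev[key]
        sign = (d > 0) ? "+" : ""
        printf "%-10s %s%d pkts  %s\n", key, sign, d, desc
      }
    }'
}

# Live version of the page's watch/diff loop: poll every N seconds (default 2)
# and print only the rules that saw traffic since the previous poll.
watch_deltas() {
  interval=${1:-2}
  prev=$(iptables -nvxL)
  while sleep "$interval"; do
    now=$(iptables -nvxL)
    rule_deltas "$prev" "$now"
    prev=$now
  done
}

# Demo on the constructed snapshots (prints five changed rules)
rule_deltas "$SNAP_PREV" "$SNAP_NOW"
```

Run `watch_deltas 2` as root to follow a live server; a burst of `LOGGING#2 +N pkts DROP all` lines with no matching increase on an ACCEPT rule is the quickest sign that something is being refused that you expected to let in.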
While loop scripts to watch iptables: