Date: Sun, 11 Feb 2024 05:20:06 -0800
From: Hosney Osman <hosneybinosman@gmail.com>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: IP Tables Best Practice
Message-ID: <CA%2B%2B4CRmEjDW7pxwmVgf%2BkK%2BGj3rsD6PseWBEsRSar9n6Bm1ktQ@mail.gmail.com>
In-Reply-To: <CA%2B%2B4CRm1eNZk=VzXLLePWk2tBq%2B2L4T6jZkg6R1ZvBkSmxp0dw@mail.gmail.com>
References: <CA%2B%2B4CRm1eNZk=VzXLLePWk2tBq%2B2L4T6jZkg6R1ZvBkSmxp0dw@mail.gmail.com>
[-- Attachment #2 --]

#!/bin/bash
################################################################################
# scriptTemplate
#
# Use this template as the beginning of a new program. Place a short
# description of the script here.
#
# Change History
# 25/10/2022 Hosney Osman  Original code. This is a template for creating
#                          new Bash shell scripts.
#                          Add new history entries as needed.
#
################################################################################
#
# Copyright (C) 2022 Hosney Osman
# hosneyosman@outlook.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
################################################################################

## 01. Log INPUT traffic
iptables -I INPUT 1 -j LOG

## 02. Log FORWARD Traffic
iptables -I FORWARD 1 -j LOG

## 03. Log OUTPUT Traffic
iptables -I OUTPUT 1 -j LOG

## 04. To log network activity in the NAT table execute the following commands
##     for tracking activity in their respective chains
iptables -t nat -I PREROUTING 1 -j LOG
iptables -t nat -I POSTROUTING 1 -j LOG
iptables -t nat -I OUTPUT 1 -j LOG

## 05. IP Tables Flush Command
## Note: the flush below also removes the LOG rules inserted in 01-04; move
## those four steps after this block if the logging is actually wanted.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

## 06. default policy for each of the chains
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP

## 07. Open LoopBack Interface
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT

## 08. Allow Connections Initiated by the Machine
## Allow Connection Initiated by wireless interface
iptables --append OUTPUT --out-interface wlp2s0 --jump ACCEPT
## Allow Connection Initiated by wire interface
iptables --append OUTPUT --out-interface enp0s31f6 --jump ACCEPT
iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

## 09. Filter untrusted traffic
## Note: these two rules carry no -j target, so they only count matching
## packets and filter nothing; give them a target (or a user chain) to act.
iptables -A INPUT --in-interface wlp2s0
iptables -A INPUT --in-interface enp0s31f6

## 10. Block Invalid Packets
## This rule blocks all packets that are not a SYN packet and don't belong to an established TCP connection.
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

## 11. Block New Packets That Are Not SYN
## This blocks all packets that are new (don't belong to an established connection) and don't use the SYN flag.
## This rule is similar to the "Block Invalid Packets" one, but we found that it catches some packets that the other one doesn't.
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

## 12. Block Uncommon MSS Values
## This iptables rule blocks new packets (only SYN packets can be new packets as per the two previous rules)
## that use a TCP MSS value that is not common. This helps to block dumb SYN floods.
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

## 13. Block Packets With Bogus TCP Flags
## The below ruleset blocks packets that use bogus TCP flags, i.e. TCP flags that legitimate packets wouldn't use.
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

## 14. Block Packets From Private Subnets (Spoofing)
## These rules block spoofed packets originating from private (local) subnets.
## On your public network interface you usually don't want to receive packets from private source IPs.
## These rules assume that your loopback interface uses the 127.0.0.0/8 IP space.
## These five sets of rules alone already block many TCP-based DDoS attacks at very high packet rates.
## With the kernel settings and rules mentioned above, you'll be able to filter ACK and SYN-ACK attacks at line rate.
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

## 15. Additional Rules
## This drops all ICMP packets. ICMP is only used to ping a host to find out if it's still alive.
## Because it's usually not needed and only represents another vulnerability that attackers can exploit,
## we block all ICMP packets to mitigate Ping of Death (ping flood), ICMP flood and ICMP fragmentation flood.
iptables -t mangle -A PREROUTING -p icmp -j DROP

## 16. This iptables rule helps against connection attacks.
## It rejects connections from hosts that have more than 80 established connections.
## If you face any issues you should raise the limit as this could cause troubles with
## legitimate clients that establish a large number of TCP connections.
iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset

## 17. Limits the new TCP connections that a client can establish per second.
## This can be useful against connection attacks,
## but not so much against SYN floods because they usually use an endless amount of different spoofed source IPs.
## Note: with the DROP policy from 06, this ACCEPT admits rate-limited new TCP
## connections to every port; narrow it with --dport to the services you expose.
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

## 18. This rule blocks fragmented packets.
## Normally you don't need those and blocking fragments will mitigate UDP fragmentation flood.
## But most of the time UDP fragmentation floods use a high amount of bandwidth that is likely to exhaust the capacity of your network card,
## which makes this rule optional and probably not the most useful one.
iptables -t mangle -A PREROUTING -f -j DROP

## 19. This limits incoming TCP RST packets to mitigate TCP RST floods. Effectiveness of this rule is questionable.
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

## 20. Mitigating SYN Floods With SYNPROXY
## SYNPROXY is a new target of iptables that has been added in Linux kernel version 3.12 and iptables 1.4.21.
## CentOS 7 backported the feature and it's available in its 3.10 default kernel.
## The purpose of SYNPROXY is to check whether the host that sent the SYN packet actually establishes a full TCP connection
## or just does nothing after it sent the SYN packet.
## If it does nothing, it discards the packet with minimal performance impact.
## While the iptables rules that we provided above already block most TCP-based attacks,
## the attack type that can still slip through them if sophisticated enough is a SYN flood.
## It's important to note that the performance of the rules will always be better if we find a certain pattern or signature to block,
## such as packet length (-m length), TOS (-m tos), TTL (-m ttl) or strings and hex values (-m string and -m u32 for the more advanced users).
## But in some rare cases that's not possible or at least not easy to achieve. So, in these cases, you can make use of SYNPROXY.
## Here are iptables SYNPROXY rules that help mitigate SYN floods that bypass our other rules:
## Note: SYNPROXY expects net.ipv4.tcp_syncookies=1, net.ipv4.tcp_timestamps=1
## and net.netfilter.nf_conntrack_tcp_loose=0 (see iptables-extensions(8)).
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

[-- Attachment #3 --]

#!/bin/sh
#
# Script is for stopping Portscan and smurf attack

### first flush all the iptables Rules
iptables -F

# INPUT iptables Rules
# Accept loopback input
iptables -A INPUT -i lo -p all -j ACCEPT

# allow 3 way handshake
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### DROP spoofing packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
# note: this covers only 192.168.0.0/24; use /16 for the whole private range
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# For SMURF Attack Protection
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

# Dropping All Invalid Packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Flooding Of RST Packets, SMURF Attack Rejection
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Protecting portscans
# Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Remove attacking IP after 24 hours
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Allow the following ports through from outside
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow ping means ICMP port is open (If you do not want ping replace ACCEPT with REJECT)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Lastly reject All INPUT traffic
iptables -A INPUT -j REJECT

################# Below are for OUTPUT iptables rules #############################################

## Allow loopback OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the following ports through from outside
# SMTP  = 25
# DNS   = 53
# HTTP  = 80
# HTTPS = 443
# SSH   = 22
### You can also add or remove port no. as per your requirement
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow pings
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Lastly Reject all Output traffic
iptables -A OUTPUT -j REJECT

## Reject Forwarding traffic
iptables -A FORWARD -j REJECT
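Added example, not part of the e-mail or its scripts: a Python model of the mangle PREROUTING pre-filter in the first script (rules 10 to 15, in script order) so you can check which rule would catch a given packet before loading the ruleset. The addresses, flag combinations and conntrack states fed to it are constructed; the handling of a SYN that carries no MSS option follows the kernel's xt_tcpmss match, which treats the inverted test as matching when the option is absent.

```python
from ipaddress import ip_address, ip_network

# TCP header flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG

# (mask, comp) pairs taken from the script's "--tcp-flags mask comp" rules (rule 13)
BOGUS_FLAGS = [(FIN | SYN, FIN | SYN), (SYN | RST, SYN | RST), (FIN | RST, FIN | RST),
               (FIN | ACK, FIN), (ACK | URG, URG), (ACK | PSH, PSH), (ALL, 0)]

# Source ranges dropped by rule 14 on any interface; 127.0.0.0/8 is dropped unless seen on lo
SPOOFED_SOURCES = [ip_network(n) for n in (
    "224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24",
    "192.168.0.0/16", "10.0.0.0/8", "0.0.0.0/8", "240.0.0.0/5")]
LOOPBACK = ip_network("127.0.0.0/8")


def tcp_flags_match(flags, mask, comp):
    """iptables --tcp-flags semantics: only the bits named in mask are compared with comp."""
    return flags & mask == comp


def is_syn(flags):
    """iptables --syn: SYN set and ACK, RST, FIN clear."""
    return tcp_flags_match(flags, SYN | ACK | RST | FIN, SYN)


def prerouting_verdict(src, proto="tcp", flags=0, ctstate="NEW", mss=None, iface="eth0"):
    """Walk mangle PREROUTING rules 10-15 in the script's order.

    Returns ("DROP", rule_number) for the first rule that fires, or ("PASS", None)
    when the packet goes on to the filter table. mss is the SYN's MSS option value,
    or None when the option is absent; ctstate is the conntrack state name."""
    if ctstate == "INVALID":                                   # rule 10
        return "DROP", 10
    if proto == "tcp":
        if ctstate == "NEW" and not is_syn(flags):              # rule 11
            return "DROP", 11
        # rule 12: "-m tcpmss ! --mss 536:65535" also matches a SYN with no MSS option
        if ctstate == "NEW" and (mss is None or not 536 <= mss <= 65535):
            return "DROP", 12
        for mask, comp in BOGUS_FLAGS:                          # rule 13
            if tcp_flags_match(flags, mask, comp):
                return "DROP", 13
    addr = ip_address(src)                                      # rule 14
    if any(addr in net for net in SPOOFED_SOURCES) or (addr in LOOPBACK and iface != "lo"):
        return "DROP", 14
    if proto == "icmp":                                         # rule 15
        return "DROP", 15
    return "PASS", None
```

Note that a NULL or ACK probe in state NEW is already removed by rule 11, so rule 13 only sees bogus flag combinations on packets conntrack has tied to an existing flow.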
