Iptables / Ip6tables - a few questions
So, I was working on my iptables.
#!/bin/bash
iptables-restore < /etc/iptables.test.rules
# Flush all rules and user-defined chains in every table, then set the default policies to DROP.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
## Drop XMAS and NULL scans.
iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Silently drop all broadcast packets.
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Dropping all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# Allow already established connections and localhost
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# TOR
iptables -A OUTPUT -p tcp -m tcp --dport 9050 -m state --state NEW -j ACCEPT
# ICMP (Ping)
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP
# DNS
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# HTTP
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# HTTPS
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Mail SMTP
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Transmission
iptables -A INPUT -p udp --dport 51413 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --sport 51413 -m state --state NEW -j ACCEPT
# NTP (server clock)
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# Log incoming packets.
iptables -A INPUT -j LOG
# Log outgoing packets.
iptables -A OUTPUT -j LOG
# Log forwarded packets.
iptables -A FORWARD -j LOG
# Same structure for IPv6: flush everything, default to DROP.
ip6tables -F
ip6tables -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
## Drop XMAS and NULL scans.
ip6tables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Silently drop all broadcast packets.
ip6tables -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Dropping all invalid packets
ip6tables -A INPUT -m state --state INVALID -j DROP
ip6tables -A FORWARD -m state --state INVALID -j DROP
ip6tables -A OUTPUT -m state --state INVALID -j DROP
# Allow already established connections and localhost
ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# ICMPv6: neighbour discovery is untracked by conntrack and must carry hop limit 255.
#ip6tables -A INPUT -p icmpv6 -j DROP
#ip6tables -A OUTPUT -p icmpv6 -j DROP
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
#ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-advertisement -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-solicitation -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j DROP
ip6tables -A OUTPUT -p icmpv6 -j DROP
# TOR
ip6tables -A OUTPUT -p tcp -m tcp --dport 9050 -m state --state NEW -j ACCEPT
# DNS
ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT
# HTTP
ip6tables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# HTTPS
ip6tables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Mail SMTP
ip6tables -A OUTPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT
# Transmission
ip6tables -A INPUT -p udp --dport 51413 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p udp --sport 51413 -m state --state NEW -j ACCEPT
# NTP (server clock)
ip6tables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# Log incoming packets.
ip6tables -A INPUT -j LOG
# Log outgoing packets.
ip6tables -A OUTPUT -j LOG
# Log forwarded packets.
ip6tables -A FORWARD -j LOG
exit 0
I have three questions:
First, do you see any improvements, anything I could have forgotten, to make my firewall more secure?
Second, how do I apply the rules at boot, before connecting to the internet, when using network-manager? Some people told me that placing the script in /etc/network/if-pre-up.d/iptables wasn't secure.
And last, is there any software besides iptables, ip6tables and fail2ban that could be useful?
Thanks in advance!
NB: sorry, English isn't my first language.
security iptables firewall
add a comment |
asked May 7 at 15:51
redraven
61
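The following is an added example, not the original poster's script and not an answer from the page. It shows the two things the second question turns on: the rules are written as iptables-restore files, so each table is committed in one transaction and there is no window where the chains are flushed while the policy is still ACCEPT (the script above flushes first and sets the policies afterwards), and they are loaded by a systemd unit ordered before network-pre.target, which NetworkManager orders itself after, so no interface is configured before the filter is in place. The file paths, the unit name and the port list are assumptions; the ruleset keeps the same services as the script above but uses RELATED,ESTABLISHED, accepts loopback in both directions, keeps the ICMPv6 messages IPv6 cannot function without, and rate-limits the LOG rules.

```shell
#!/bin/sh
# Added example, not the original poster's script. Both rulesets are built as
# iptables-restore files: each file is committed in one transaction, so there
# is no moment where the tables are flushed while the policy is still ACCEPT.
# A systemd unit loads them before network-pre.target, which NetworkManager
# orders itself after, so no interface comes up unfiltered. File paths and
# the unit name are assumptions; adjust them to your distribution.
set -eu

RULES_V4=/etc/iptables/rules.v4
RULES_V6=/etc/iptables/rules.v6

gen_ipv4_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback both ways: with an OUTPUT DROP policy the -o lo rule is required
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# conntrack first; RELATED admits ICMP errors and helper data channels
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# impossible TCP flag combinations (NULL, XMAS, SYN+RST)
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# inbound service: Transmission peer port
-A INPUT -p udp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
# outbound: DNS, web, mail submission (587), Tor SOCKS (9050), NTP, Transmission
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 53,80,443,587,9050 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --sport 51413 -m conntrack --ctstate NEW -j ACCEPT
# log what is about to hit the DROP policy, rate-limited so a scan cannot fill the disk
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw4-in: "
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw4-out: "
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw4-fwd: "
COMMIT
EOF
}

# one ICMPv6 accept line; $3 adds matches (neighbour discovery must carry hop limit 255)
icmp6() { printf -- '-A %s -p icmpv6 --icmpv6-type %s%s -j ACCEPT\n' "$1" "$2" "${3:-}"; }

gen_ipv6_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 that IPv6 cannot work without: error reports (path MTU discovery) and neighbour discovery
EOF
for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
    icmp6 INPUT "$t"; icmp6 OUTPUT "$t"
done
for t in router-advertisement neighbour-solicitation neighbour-advertisement; do
    icmp6 INPUT "$t" ' -m hl --hl-eq 255'
done
for t in router-solicitation neighbour-solicitation neighbour-advertisement; do
    icmp6 OUTPUT "$t" ' -m hl --hl-eq 255'
done
cat <<'EOF'
-A INPUT -p udp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 53,80,443,587 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --sport 51413 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw6-in: "
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw6-out: "
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw6-fwd: "
COMMIT
EOF
}

gen_unit() {
cat <<EOF
[Unit]
Description=Load packet filter before any network interface is configured
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore $RULES_V4
ExecStart=/usr/sbin/ip6tables-restore $RULES_V6

[Install]
WantedBy=multi-user.target
EOF
}
```

To put it in place: `gen_ipv4_rules > /etc/iptables/rules.v4`, `gen_ipv6_rules > /etc/iptables/rules.v6`, `gen_unit > /etc/systemd/system/firewall.service`, then `systemctl daemon-reload && systemctl enable --now firewall.service`. Before rebooting, `iptables-restore --test < /etc/iptables/rules.v4` (and the ip6tables equivalent) parses the file without committing it, so a typo shows up on the console rather than as a host with no firewall after the next boot. Because the unit is a oneshot with RemainAfterExit, `systemctl status firewall` tells you whether the load succeeded; with a DROP policy in OUTPUT, a failed load is the difference between a locked-down host and an open one.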
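For the first question (what a ruleset like the one above may have forgotten), here is an added example, again not from the page: a lint pass over `iptables-save` / `ip6tables-save` output that flags the gaps reviewers most often find in hand-written rulesets: a default policy that is not DROP, an ESTABLISHED rule without RELATED (which silently drops ICMP errors and helper data channels), LOG rules with no `-m limit`, and a missing loopback rule in OUTPUT. The two dumps embedded at the bottom are constructed samples shaped like `iptables-save` output, not captures from a real host; the check names and messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: lint an iptables-save or
# ip6tables-save dump for common gaps. Reads the dump on stdin and prints one
# finding per line; prints nothing when the filter table passes every check.
# Live use:   iptables-save | audit_ruleset      ip6tables-save | audit_ruleset
audit_ruleset() {
    awk '
    /^\*/               { table = substr($0, 2); next }    # *filter, *nat, *mangle ...
    table != "filter"   { next }                           # only the filter table is audited
    /^:(INPUT|FORWARD|OUTPUT) / { policy[$1] = $2; next }  # ":INPUT DROP [0:0]"
    /^-A / {
        chain = $2
        if ($0 ~ /RELATED,ESTABLISHED/ && $0 ~ /-j ACCEPT/) ct[chain] = 1
        if ($0 ~ /-j LOG/ && $0 !~ /-m limit/)
            print "LOG without -m limit in " chain ": " $0
        if (chain == "INPUT"  && $0 ~ /-i lo / && $0 ~ /-j ACCEPT/) lo_in  = 1
        if (chain == "OUTPUT" && $0 ~ /-o lo / && $0 ~ /-j ACCEPT/) lo_out = 1
    }
    END {
        split("INPUT FORWARD OUTPUT", chains, " ")
        for (i = 1; i <= 3; i++)
            if (policy[":" chains[i]] != "DROP")
                print "default policy of " chains[i] " is not DROP"
        if (!ct["INPUT"])  print "INPUT has no RELATED,ESTABLISHED accept rule: ICMP errors and helper data channels are dropped"
        if (!ct["OUTPUT"]) print "OUTPUT has no RELATED,ESTABLISHED accept rule"
        if (!lo_in)  print "INPUT does not accept loopback (-i lo)"
        if (!lo_out) print "OUTPUT does not accept loopback (-o lo): with an OUTPUT DROP policy local clients cannot reach local services"
    }'
}

# Constructed sample in iptables-save format, shaped like the script in the
# question: ESTABLISHED only, unconditional LOG rules, no -o lo rule.
WEAK_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -m state --state NEW -j ACCEPT
-A INPUT -j LOG
-A FORWARD -j LOG
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -j LOG
COMMIT'

# Constructed sample that passes every check.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Wrappers that return the number of findings, for callers and tests.
audit_count()   { audit_ruleset | awk 'END { print NR }'; }
weak_findings() { printf '%s\n' "$WEAK_DUMP" | audit_count; }
good_findings() { printf '%s\n' "$GOOD_DUMP" | audit_count; }

# Stand-alone run: list what the weak sample gets wrong.
printf '%s\n' "$WEAK_DUMP" | audit_ruleset
```

Run on the weak sample, the audit reports six findings: the three unlimited LOG rules, the missing RELATED in INPUT and OUTPUT, and the missing `-o lo` accept. The same script can be pointed at the live tables with `iptables-save | audit_ruleset`; note that `iptables-save` prints `-m state --state` rules either as written or translated to `-m conntrack --ctstate` depending on the iptables version, which is why the check looks for the `RELATED,ESTABLISHED` text rather than the match name.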