IPTABLES
notables.sh
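#!/bin/bash
# notables.sh — switch the host firewall OFF: flush every rule and user
# chain of iptables AND ip6tables and set every built-in chain to ACCEPT.
#
# The previous revision touched iptables only. Because iptables.sh sets
# `ip6tables -P INPUT DROP`, running this script afterwards left IPv6
# inbound still blocked (and stale v6 rules in place); both families are
# reset now. The raw table is flushed as well (filter/nat/mangle only
# before), so NOTRACK/CT rules from an earlier run do not survive a "reset".
#
# Must run as root. Nothing is persisted: the resulting all-ACCEPT ruleset
# is only printed to stdout, and /etc/iptables.rules as written by
# iptables.sh is left untouched — whatever restores that file at boot will
# bring the firewall back. Failing commands are reported on stderr by the
# ERR trap and do not abort the reset.
set -Euo pipefail

log() { printf '[iptables] %s\n' "$*"; }
die() { printf '[iptables] %s\n' "$*" >&2; exit 1; }
trap 'printf "[iptables] FAILED (line %s): %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Flush and open every table of one iptables family (iptables / ip6tables).
# Arguments: $1 - firewall command name
reset_family() {
  local fw=$1 table chain
  for table in filter nat mangle raw; do
    "$fw" -t "$table" -F   # drop every rule (built-in and user chains)
    "$fw" -t "$table" -X   # then delete the now-empty user chains
  done
  for chain in INPUT FORWARD OUTPUT; do
    "$fw" -P "$chain" ACCEPT
  done
}

main() {
  [[ $EUID -eq 0 ]] || die "must run as root (iptables needs CAP_NET_ADMIN)"
  log "Reset tables"
  local fw
  for fw in iptables ip6tables; do
    if ! command -v "$fw" >/dev/null; then
      log "$fw not installed, skipping"
      continue
    fi
    reset_family "$fw"
  done
  # stdout only — deliberately NOT written to /etc/iptables.rules
  log "Current ruleset (stdout only, not persisted)"
  iptables-save
  command -v ip6tables-save >/dev/null && ip6tables-save
}

main "$@"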
iptables.sh
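#!/bin/bash
# iptables.sh — host firewall for IPv4 and IPv6.
#
# What it sets up, in order:
#   1. flush every table / user chain of iptables AND ip6tables, policies ACCEPT
#   2. default-deny INPUT on both families; OUTPUT and FORWARD stay ACCEPT
#   3. optional "drop bad packets" rules            (RULE_DROP_BAD, default 1)
#   4. optional ip_forward / rp_filter sysctls       (RULE_KERNEL,   default 0)
#   5. ban list, loopback, conntrack, ICMP, then the public IPv4 services:
#      DNS 53 (tcp+udp), HTTP 80, HTTPS 443, SSH 22, Squid 3128
#   6. libvirt NAT and guest services on virbr0 (192.168.122.0/24)
#   7. Docker NAT / FORWARD / isolation chains for docker0 and every br-*
#   8. iptables-save to /etc/iptables.rules, ip6tables-save to /etc/ip6tables.rules
#
# Must run as root. Rules are appended one at a time, so a failing command
# leaves a partial ruleset; the ERR trap reports each failure on stderr
# instead of aborting, because aborting after `-P INPUT DROP` but before
# the SSH rule would lock a remote operator out.
#
# Deliberate changes versus the previous revision of this script:
#   - ip6tables is flushed as well; before, only its policies were reset,
#     so every run appended duplicate v6 rules.
#   - the early `FORWARD -i/-o docker0 -j ACCEPT` rules are gone: they
#     matched before DOCKER-USER / DOCKER-ISOLATION-STAGE-* and before the
#     virbr0 REJECT rules, defeating Docker network isolation.
#   - ICMPv6 neighbour/router discovery and echo-request are accepted; with
#     `ip6tables -P INPUT DROP` and no such rule IPv6 cannot resolve
#     neighbours at all.
#   - the ban list is evaluated before the ESTABLISHED,RELATED accept, so a
#     banned address loses its existing connections too, not just new ones.
#   - loopback is accepted by interface (-i lo) instead of -s 127.0.0.1,
#     which would also match a packet spoofing that source on eth0.
#   - Docker bridges are discovered with `ip -o -4 addr` instead of parsing
#     ifconfig output (the format differs between net-tools versions, and a
#     bridge without an address mis-aligned the three parsed arrays).
#   - `-m state` (deprecated alias) replaced by the equivalent `-m conntrack`;
#     the duplicated `--tcp-flags ALL NONE` rule appears once.
#
# Reviewer notes (behaviour intentionally unchanged, worth knowing):
#   - FORWARD policy is ACCEPT: traffic routed through this host that the
#     docker/libvirt rules do not match is forwarded (Docker's own default
#     is FORWARD DROP).
#   - 53 and 3128 are open on every interface: an open resolver if the local
#     DNS server recurses for anyone, an open proxy if Squid has no client ACL.
#   - the sshguard hook is commented out, so nothing rate-limits SSH.
#   - no service ports are opened over IPv6; the services above are v4 only.
set -Euo pipefail

# Feature switches; overridable from the environment, same defaults as before.
RULE_DROP_BAD="${RULE_DROP_BAD:-1}"   # 1: drop malformed / scan-signature packets
RULE_KERNEL="${RULE_KERNEL:-0}"       # 1: set ip_forward / rp_filter / ip_dynaddr sysctls

readonly DOCKER_IFACE="docker0"
readonly DOCKER_NET="172.17.0.0/16"     # docker0 subnet, hard-coded as before — TODO confirm with `ip -4 addr show docker0`
readonly LIBVIRT_IFACE="virbr0"
readonly LIBVIRT_NET="192.168.122.0/24"
readonly BANNED=(81.95.137.135 95.213.163.163 138.201.136.42)
readonly RULES_V4="/etc/iptables.rules"
readonly RULES_V6="/etc/ip6tables.rules"

# Parallel arrays filled by discover_docker_bridges(): br-* interface names
# and their IPv4 CIDRs.
BRIDGE_IFACES=()
BRIDGE_CIDRS=()

log() { printf '[iptables] %s\n' "$*"; }
die() { printf '[iptables] %s\n' "$*" >&2; exit 1; }
trap 'printf "[iptables] FAILED (line %s): %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Flush every table and user chain of both families and reset the built-in
# chains to ACCEPT, so re-running the script never duplicates rules.
# (ip6tables nat/raw may not exist on very old kernels; the trap just logs it.)
reset_tables() {
  log "Reset tables"
  local fw table chain
  for fw in iptables ip6tables; do
    for table in filter nat mangle raw; do
      "$fw" -t "$table" -F
      "$fw" -t "$table" -X
    done
    for chain in INPUT FORWARD OUTPUT; do
      "$fw" -P "$chain" ACCEPT
    done
  done
}

# Default-deny inbound on both families, everything else open. Applied
# before the allow rules, as before: new inbound packets are dropped until
# allow_services() has run.
set_policies() {
  log "Politics"
  local fw
  for fw in iptables ip6tables; do
    "$fw" -P INPUT DROP
    "$fw" -P OUTPUT ACCEPT
    "$fw" -P FORWARD ACCEPT   # see reviewer notes in the header
  done
  # IPv6 has no Docker section below; the blanket docker0 forward rules are
  # kept for v6 (redundant with FORWARD ACCEPT, retained from before).
  ip6tables -A FORWARD -i "$DOCKER_IFACE" -j ACCEPT
  ip6tables -A FORWARD -o "$DOCKER_IFACE" -j ACCEPT
  # sshguard hook — disabled in the previous revision and still disabled:
  # iptables -N sshguard
  # iptables -A INPUT -j sshguard
  # iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
}

# Drop packets no legitimate client sends (IPv4 only, as before): new TCP
# flows not opened by a bare SYN, impossible / scan flag combinations
# (Xmas, null, SYN+FIN ...), ICMP timestamp and address-mask probes,
# conntrack INVALID in every chain, and UDP to port 0.
drop_bad_packets() {
  log "Drop bad packets"
  local combo mask comp chain
  iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  for combo in \
      "SYN,FIN SYN,FIN" "SYN,RST SYN,RST" "SYN,PSH SYN,PSH" "SYN,URG SYN,URG" \
      "ALL NONE" "ALL FIN,URG,PSH" "FIN,RST FIN,RST" \
      "ACK,FIN FIN" "ACK,PSH PSH" "ACK,URG URG"; do
    read -r mask comp <<<"$combo"   # "<mask> <flags that must be set>"
    iptables -A INPUT -p tcp --tcp-flags "$mask" "$comp" -j DROP
  done
  iptables -A INPUT  -p icmp --icmp-type address-mask-request -j DROP
  iptables -A INPUT  -p icmp --icmp-type timestamp-request -j DROP
  iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
  for chain in INPUT FORWARD OUTPUT; do
    iptables -A "$chain" -m conntrack --ctstate INVALID -j DROP
  done
  iptables -A INPUT -p udp --dport 0 -j DROP
}

# Runtime-only sysctls; nothing here persists them (no /etc/sysctl.d write).
# Off by default, so with RULE_KERNEL=0 ip_forward is presumably left to
# docker/libvirt to enable — the NAT sections below need it.
kernel_settings() {
  log "Kernel settings"
  local f
  sysctl net.ipv4.ip_forward=1
  # strict reverse-path filtering on every present interface and for new ones
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
  sysctl net.ipv4.conf.default.rp_filter=1
  sysctl net.ipv4.ip_dynaddr=1
}

# Open one public TCP port on IPv4, on every interface.
# Arguments: $1 - port, $2 - label printed to stdout
open_tcp() {
  echo "- $2"
  iptables -A INPUT -p tcp --dport "$1" -j ACCEPT
}

# INPUT allow rules, in this order: ban list (ahead of conntrack so a banned
# host loses existing connections too), loopback, established/related,
# ICMP/ICMPv6, then the public services.
allow_services() {
  log "Allow"
  local ip t
  for ip in "${BANNED[@]}"; do
    iptables -A INPUT -s "$ip" -j DROP
  done
  iptables  -A INPUT -i lo -j ACCEPT
  ip6tables -A INPUT -i lo -j ACCEPT
  iptables  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # IPv6 does not function without neighbour/router discovery; ICMPv6
  # errors for tracked flows (packet-too-big ...) arrive as RELATED above.
  for t in router-advertisement neighbour-solicitation neighbour-advertisement echo-request; do
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
  done
  echo "- PING"
  # unlimited echo-request, as before; add `-m limit` if ICMP floods matter
  iptables -A INPUT  -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # NOTE(review): 53 open on every interface — an open resolver if the local
  # server recurses for anyone; restrict with -s / -i if so.
  echo "- DNS"
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT
  open_tcp 80 HTTP
  open_tcp 443 HTTPS
  open_tcp 22 SSH       # unthrottled: the sshguard hook above is disabled
  # NOTE(review): world-reachable Squid is an open proxy unless squid.conf
  # restricts http_access to known clients.
  open_tcp 3128 SQUID
  # iptables -A INPUT -p tcp --dport 8084 -j ACCEPT
}

# libvirt's default NAT network on virbr0: masquerade the guest subnet
# towards the world (not multicast/broadcast), DHCP checksum fix-up,
# DNS/DHCP/rpcbind/NFS/NTP from guests, guest-initiated forwarding only,
# everything else to or from virbr0 rejected.
libvirt_virbr0() {
  log "Router virbr0 to eth0"
  # earlier, disabled variants kept for reference:
  #iptables -I FORWARD -i virbr0 -d 192.168.122.0/24 -j DROP
  #iptables -A FORWARD -i virbr0 -s 192.168.122.0/24 -j ACCEPT
  #iptables -A FORWARD -i eth0 -d 192.168.122.0/24 -j ACCEPT
  iptables -t nat -A POSTROUTING -s "$LIBVIRT_NET" -d 224.0.0.0/24 -j RETURN
  iptables -t nat -A POSTROUTING -s "$LIBVIRT_NET" -d 255.255.255.255/32 -j RETURN
  iptables -t nat -A POSTROUTING -s "$LIBVIRT_NET" ! -d "$LIBVIRT_NET" -p tcp -j MASQUERADE --to-ports 1024-65535
  iptables -t nat -A POSTROUTING -s "$LIBVIRT_NET" ! -d "$LIBVIRT_NET" -p udp -j MASQUERADE --to-ports 1024-65535
  iptables -t nat -A POSTROUTING -s "$LIBVIRT_NET" ! -d "$LIBVIRT_NET" -j MASQUERADE
  iptables -t mangle -A POSTROUTING -o "$LIBVIRT_IFACE" -p udp --dport 68 -j CHECKSUM --checksum-fill
  local port proto
  for port in 53 67 111 2049 123; do   # DNS, DHCP, rpcbind, NFS, NTP from guests
    for proto in tcp udp; do
      iptables -A INPUT -i "$LIBVIRT_IFACE" -p "$proto" --dport "$port" -j ACCEPT
    done
  done
  iptables -A FORWARD -d "$LIBVIRT_NET" -o "$LIBVIRT_IFACE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -s "$LIBVIRT_NET" -i "$LIBVIRT_IFACE" -j ACCEPT
  iptables -A FORWARD -i "$LIBVIRT_IFACE" -o "$LIBVIRT_IFACE" -j ACCEPT
  iptables -A FORWARD -o "$LIBVIRT_IFACE" -j REJECT --reject-with icmp-port-unreachable
  iptables -A FORWARD -i "$LIBVIRT_IFACE" -j REJECT --reject-with icmp-port-unreachable
  iptables -A OUTPUT -o "$LIBVIRT_IFACE" -p udp --dport 68 -j ACCEPT
}

# Fill BRIDGE_IFACES[] / BRIDGE_CIDRS[] from every br-* interface that has
# an IPv4 address. `ip -o -4 addr show` prints one record per address:
#   "7: br-1a2b3c4d    inet 172.18.0.1/16 brd 172.18.255.255 scope global ..."
# so the name and the CIDR come from the same line and cannot drift apart.
discover_docker_bridges() {
  local _idx iface _fam cidr _rest
  BRIDGE_IFACES=()
  BRIDGE_CIDRS=()
  while read -r _idx iface _fam cidr _rest; do
    BRIDGE_IFACES+=("$iface")
    BRIDGE_CIDRS+=("$cidr")
  done < <(ip -o -4 addr show | awk '$2 ~ /^br-/')
}

# Docker's bridge NAT, port-publish hook (DOCKER chains, RETURN-only here),
# user hook (DOCKER-USER) and inter-network isolation
# (DOCKER-ISOLATION-STAGE-1/2), reproduced from what dockerd generates, for
# docker0 plus every br-* bridge.
# NOTE(review): a dockerd with iptables management enabled rewrites these
# chains itself when it (re)starts; run this script after it, or they fight.
docker_bridges() {
  log "Router docker to eth0"
  discover_docker_bridges
  local -a ifaces=("$DOCKER_IFACE") nets=("$DOCKER_NET")
  local i br
  for ((i = 0; i < ${#BRIDGE_IFACES[@]}; i++)); do
    ifaces+=("${BRIDGE_IFACES[i]}")
    nets+=("${BRIDGE_CIDRS[i]}")
  done

  iptables -N DOCKER
  iptables -t nat -N DOCKER
  iptables -N DOCKER-USER
  iptables -N DOCKER-ISOLATION-STAGE-1
  iptables -N DOCKER-ISOLATION-STAGE-2

  # nat: published-port hook, masquerade each bridge net leaving elsewhere
  iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
  iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
  for ((i = 0; i < ${#ifaces[@]}; i++)); do
    iptables -t nat -A POSTROUTING -s "${nets[i]}" ! -o "${ifaces[i]}" -j MASQUERADE
  done
  for br in "${ifaces[@]}"; do
    iptables -t nat -A DOCKER -i "$br" -j RETURN
  done

  # filter: user hook and isolation run first, then per-bridge forwarding
  iptables -A FORWARD -j DOCKER-USER
  iptables -A FORWARD -j DOCKER-ISOLATION-STAGE-1
  for br in "${ifaces[@]}"; do
    iptables -A FORWARD -o "$br" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -o "$br" -j DOCKER
    iptables -A FORWARD -i "$br" ! -o "$br" -j ACCEPT
    iptables -A FORWARD -i "$br" -o "$br" -j ACCEPT
  done
  # a packet leaving one bridge network must not enter another bridge
  for br in "${ifaces[@]}"; do
    iptables -A DOCKER-ISOLATION-STAGE-1 -i "$br" ! -o "$br" -j DOCKER-ISOLATION-STAGE-2
  done
  iptables -A DOCKER-ISOLATION-STAGE-1 -j RETURN
  for br in "${ifaces[@]}"; do
    iptables -A DOCKER-ISOLATION-STAGE-2 -o "$br" -j DROP
  done
  iptables -A DOCKER-ISOLATION-STAGE-2 -j RETURN
  iptables -A DOCKER-USER -j RETURN
}

# Persist both families. NOTE(review): nothing in this script restores the
# files; whatever loads /etc/iptables.rules at boot presumably needs to load
# the v6 file too (it did not exist before this revision).
save_rules() {
  log "Saving state"
  iptables-save  > "$RULES_V4"
  ip6tables-save > "$RULES_V6"
}

main() {
  [[ $EUID -eq 0 ]] || die "must run as root (iptables needs CAP_NET_ADMIN)"
  reset_tables
  set_policies
  if [[ "$RULE_DROP_BAD" == "1" ]]; then drop_bad_packets; fi
  if [[ "$RULE_KERNEL" == "1" ]]; then kernel_settings; fi
  allow_services
  libvirt_virbr0
  docker_bridges
  save_rules
}

main "$@"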
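#!/usr/bin/env bash
# iptables.sh (revision without libvirt) — host firewall for IPv4 and IPv6.
#
# Differs from the iptables.sh above only in what it omits: no virbr0
# section and no Squid rule. Its ifconfig parsing targeted the newer
# net-tools output ("inet A.B.C.D  netmask M ..."); this rewrite discovers
# Docker bridges with `ip` instead, so the ifconfig format no longer matters.
#
# What it sets up, in order:
#   1. flush every table / user chain of iptables AND ip6tables, policies ACCEPT
#   2. default-deny INPUT on both families; OUTPUT and FORWARD stay ACCEPT
#   3. optional "drop bad packets" rules            (RULE_DROP_BAD, default 1)
#   4. optional ip_forward / rp_filter sysctls       (RULE_KERNEL,   default 0)
#   5. ban list, loopback, conntrack, ICMP, then the public IPv4 services:
#      DNS 53 (tcp+udp), HTTP 80, HTTPS 443, SSH 22
#   6. Docker NAT / FORWARD / isolation chains for docker0 and every br-*
#   7. iptables-save to /etc/iptables.rules, ip6tables-save to /etc/ip6tables.rules
#
# Must run as root. Rules are appended one at a time, so a failing command
# leaves a partial ruleset; the ERR trap reports each failure on stderr
# instead of aborting, because aborting after `-P INPUT DROP` but before
# the SSH rule would lock a remote operator out.
#
# Deliberate changes versus the previous revision of this script:
#   - ip6tables is flushed as well; before, only its policies were reset,
#     so every run appended duplicate v6 rules.
#   - the early `FORWARD -i/-o docker0 -j ACCEPT` rules are gone: they
#     matched before DOCKER-USER / DOCKER-ISOLATION-STAGE-*, defeating
#     Docker network isolation between docker0 and the br-* networks.
#   - ICMPv6 neighbour/router discovery and echo-request are accepted; with
#     `ip6tables -P INPUT DROP` and no such rule IPv6 cannot resolve
#     neighbours at all.
#   - the ban list is evaluated before the ESTABLISHED,RELATED accept, so a
#     banned address loses its existing connections too, not just new ones.
#   - loopback is accepted by interface (-i lo) instead of -s 127.0.0.1,
#     which would also match a packet spoofing that source on eth0.
#   - `-m state` (deprecated alias) replaced by the equivalent `-m conntrack`;
#     the duplicated `--tcp-flags ALL NONE` rule appears once.
#
# Reviewer notes (behaviour intentionally unchanged, worth knowing):
#   - FORWARD policy is ACCEPT: traffic routed through this host that the
#     docker rules do not match is forwarded (Docker's own default is DROP).
#   - 53 is open on every interface: an open resolver if the local DNS
#     server recurses for anyone.
#   - the sshguard hook is commented out, so nothing rate-limits SSH.
#   - no service ports are opened over IPv6; the services above are v4 only.
set -Euo pipefail

# Feature switches; overridable from the environment, same defaults as before.
RULE_DROP_BAD="${RULE_DROP_BAD:-1}"   # 1: drop malformed / scan-signature packets
RULE_KERNEL="${RULE_KERNEL:-0}"       # 1: set ip_forward / rp_filter / ip_dynaddr sysctls

readonly DOCKER_IFACE="docker0"
readonly DOCKER_NET="172.17.0.0/16"     # docker0 subnet, hard-coded as before — TODO confirm with `ip -4 addr show docker0`
readonly BANNED=(81.95.137.135 95.213.163.163 138.201.136.42)
readonly RULES_V4="/etc/iptables.rules"
readonly RULES_V6="/etc/ip6tables.rules"

# Parallel arrays filled by discover_docker_bridges(): br-* interface names
# and their IPv4 CIDRs.
BRIDGE_IFACES=()
BRIDGE_CIDRS=()

log() { printf '[iptables] %s\n' "$*"; }
die() { printf '[iptables] %s\n' "$*" >&2; exit 1; }
trap 'printf "[iptables] FAILED (line %s): %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Flush every table and user chain of both families and reset the built-in
# chains to ACCEPT, so re-running the script never duplicates rules.
# (ip6tables nat/raw may not exist on very old kernels; the trap just logs it.)
reset_tables() {
  log "Reset tables"
  local fw table chain
  for fw in iptables ip6tables; do
    for table in filter nat mangle raw; do
      "$fw" -t "$table" -F
      "$fw" -t "$table" -X
    done
    for chain in INPUT FORWARD OUTPUT; do
      "$fw" -P "$chain" ACCEPT
    done
  done
}

# Default-deny inbound on both families, everything else open. Applied
# before the allow rules, as before: new inbound packets are dropped until
# allow_services() has run.
set_policies() {
  log "Politics"
  local fw
  for fw in iptables ip6tables; do
    "$fw" -P INPUT DROP
    "$fw" -P OUTPUT ACCEPT
    "$fw" -P FORWARD ACCEPT   # see reviewer notes in the header
  done
  # IPv6 has no Docker section below; the blanket docker0 forward rules are
  # kept for v6 (redundant with FORWARD ACCEPT, retained from before).
  ip6tables -A FORWARD -i "$DOCKER_IFACE" -j ACCEPT
  ip6tables -A FORWARD -o "$DOCKER_IFACE" -j ACCEPT
  # sshguard hook — disabled in the previous revision and still disabled:
  # iptables -N sshguard
  # iptables -A INPUT -j sshguard
  # iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
}

# Drop packets no legitimate client sends (IPv4 only, as before): new TCP
# flows not opened by a bare SYN, impossible / scan flag combinations
# (Xmas, null, SYN+FIN ...), ICMP timestamp and address-mask probes,
# conntrack INVALID in every chain, and UDP to port 0.
drop_bad_packets() {
  log "Drop bad packets"
  local combo mask comp chain
  iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  for combo in \
      "SYN,FIN SYN,FIN" "SYN,RST SYN,RST" "SYN,PSH SYN,PSH" "SYN,URG SYN,URG" \
      "ALL NONE" "ALL FIN,URG,PSH" "FIN,RST FIN,RST" \
      "ACK,FIN FIN" "ACK,PSH PSH" "ACK,URG URG"; do
    read -r mask comp <<<"$combo"   # "<mask> <flags that must be set>"
    iptables -A INPUT -p tcp --tcp-flags "$mask" "$comp" -j DROP
  done
  iptables -A INPUT  -p icmp --icmp-type address-mask-request -j DROP
  iptables -A INPUT  -p icmp --icmp-type timestamp-request -j DROP
  iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
  for chain in INPUT FORWARD OUTPUT; do
    iptables -A "$chain" -m conntrack --ctstate INVALID -j DROP
  done
  iptables -A INPUT -p udp --dport 0 -j DROP
}

# Runtime-only sysctls; nothing here persists them (no /etc/sysctl.d write).
# Off by default, so with RULE_KERNEL=0 ip_forward is presumably left to
# docker to enable — the NAT section below needs it.
kernel_settings() {
  log "Kernel settings"
  local f
  sysctl net.ipv4.ip_forward=1
  # strict reverse-path filtering on every present interface and for new ones
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
  sysctl net.ipv4.conf.default.rp_filter=1
  sysctl net.ipv4.ip_dynaddr=1
}

# Open one public TCP port on IPv4, on every interface.
# Arguments: $1 - port, $2 - label printed to stdout
open_tcp() {
  echo "- $2"
  iptables -A INPUT -p tcp --dport "$1" -j ACCEPT
}

# INPUT allow rules, in this order: ban list (ahead of conntrack so a banned
# host loses existing connections too), loopback, established/related,
# ICMP/ICMPv6, then the public services.
allow_services() {
  log "Allow"
  local ip t
  for ip in "${BANNED[@]}"; do
    iptables -A INPUT -s "$ip" -j DROP
  done
  iptables  -A INPUT -i lo -j ACCEPT
  ip6tables -A INPUT -i lo -j ACCEPT
  iptables  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # IPv6 does not function without neighbour/router discovery; ICMPv6
  # errors for tracked flows (packet-too-big ...) arrive as RELATED above.
  for t in router-advertisement neighbour-solicitation neighbour-advertisement echo-request; do
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
  done
  echo "- PING"
  # unlimited echo-request, as before; add `-m limit` if ICMP floods matter
  iptables -A INPUT  -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # NOTE(review): 53 open on every interface — an open resolver if the local
  # server recurses for anyone; restrict with -s / -i if so.
  echo "- DNS"
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT
  open_tcp 80 HTTP
  open_tcp 443 HTTPS
  open_tcp 22 SSH       # unthrottled: the sshguard hook above is disabled
}

# Fill BRIDGE_IFACES[] / BRIDGE_CIDRS[] from every br-* interface that has
# an IPv4 address. `ip -o -4 addr show` prints one record per address:
#   "7: br-1a2b3c4d    inet 172.18.0.1/16 brd 172.18.255.255 scope global ..."
# so the name and the CIDR come from the same line and cannot drift apart
# (the ifconfig parse built three separate arrays that could).
discover_docker_bridges() {
  local _idx iface _fam cidr _rest
  BRIDGE_IFACES=()
  BRIDGE_CIDRS=()
  while read -r _idx iface _fam cidr _rest; do
    BRIDGE_IFACES+=("$iface")
    BRIDGE_CIDRS+=("$cidr")
  done < <(ip -o -4 addr show | awk '$2 ~ /^br-/')
}

# Docker's bridge NAT, port-publish hook (DOCKER chains, RETURN-only here),
# user hook (DOCKER-USER) and inter-network isolation
# (DOCKER-ISOLATION-STAGE-1/2), reproduced from what dockerd generates, for
# docker0 plus every br-* bridge.
# NOTE(review): a dockerd with iptables management enabled rewrites these
# chains itself when it (re)starts; run this script after it, or they fight.
docker_bridges() {
  log "Router docker to eth0"
  discover_docker_bridges
  local -a ifaces=("$DOCKER_IFACE") nets=("$DOCKER_NET")
  local i br
  for ((i = 0; i < ${#BRIDGE_IFACES[@]}; i++)); do
    ifaces+=("${BRIDGE_IFACES[i]}")
    nets+=("${BRIDGE_CIDRS[i]}")
  done

  iptables -N DOCKER
  iptables -t nat -N DOCKER
  iptables -N DOCKER-USER
  iptables -N DOCKER-ISOLATION-STAGE-1
  iptables -N DOCKER-ISOLATION-STAGE-2

  # nat: published-port hook, masquerade each bridge net leaving elsewhere
  iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
  iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
  for ((i = 0; i < ${#ifaces[@]}; i++)); do
    iptables -t nat -A POSTROUTING -s "${nets[i]}" ! -o "${ifaces[i]}" -j MASQUERADE
  done
  for br in "${ifaces[@]}"; do
    iptables -t nat -A DOCKER -i "$br" -j RETURN
  done

  # filter: user hook and isolation run first, then per-bridge forwarding
  iptables -A FORWARD -j DOCKER-USER
  iptables -A FORWARD -j DOCKER-ISOLATION-STAGE-1
  for br in "${ifaces[@]}"; do
    iptables -A FORWARD -o "$br" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -o "$br" -j DOCKER
    iptables -A FORWARD -i "$br" ! -o "$br" -j ACCEPT
    iptables -A FORWARD -i "$br" -o "$br" -j ACCEPT
  done
  # a packet leaving one bridge network must not enter another bridge
  for br in "${ifaces[@]}"; do
    iptables -A DOCKER-ISOLATION-STAGE-1 -i "$br" ! -o "$br" -j DOCKER-ISOLATION-STAGE-2
  done
  iptables -A DOCKER-ISOLATION-STAGE-1 -j RETURN
  for br in "${ifaces[@]}"; do
    iptables -A DOCKER-ISOLATION-STAGE-2 -o "$br" -j DROP
  done
  iptables -A DOCKER-ISOLATION-STAGE-2 -j RETURN
  iptables -A DOCKER-USER -j RETURN
}

# Persist both families. NOTE(review): nothing in this script restores the
# files; whatever loads /etc/iptables.rules at boot presumably needs to load
# the v6 file too (it did not exist before this revision).
save_rules() {
  log "Saving state"
  iptables-save  > "$RULES_V4"
  ip6tables-save > "$RULES_V6"
}

main() {
  [[ $EUID -eq 0 ]] || die "must run as root (iptables needs CAP_NET_ADMIN)"
  reset_tables
  set_policies
  if [[ "$RULE_DROP_BAD" == "1" ]]; then drop_bad_packets; fi
  if [[ "$RULE_KERNEL" == "1" ]]; then kernel_settings; fi
  allow_services
  docker_bridges
  save_rules
}

main "$@"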