Unix/Linux Go Back    



Need help for iptables rules

Security




Kindly Note - This is a Single User Post by Forum Member Thomas342 Regarding:
Need help for iptables rules.
Please Follow The Primary Link Above to View the Full Discussion.

   
Old Unix and Linux 12-29-2016
Thomas342 Thomas342 is offline
Banned
 
Join Date: Dec 2016
Last Activity: 10 January 2017, 1:16 PM EST
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
Need help for iptables rules

Hello,

I did 2 scripts. The second one is, I hope, more secure.
What do you think?


Basic connection (no server, no router, no DHCP and the Ipv6 is disabled)

#######script one
####################


Code:
iptables -F
iptables -X -t filter
iptables -P INPUT DROP 
iptables -P FORWARD DROP 
iptables -P OUTPUT ACCEPT

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#CONNECTION
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

#LOG
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A FORWARD -j LOG



######SCRIPT 2 ### SCRIPT (MORE SECURE) #####
#######################

Code:
iptables -F
iptables -X -t filter
iptables -P INPUT -j DROP
iptables -P FORWARD DROP 
iptables -P OUTPUT -j DROP

modprobe ip-conntrack

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -d 0.0.0.0/0 -p tcp --sport xxxx -m state --state ESTABLISHED -j ACCEPT (I don't know if I must add 0.0.0.0/0 or 192.168.0.0/24)
iptables -A INPUT -m limit --limit 7/s -j LOG

#LOG
iptables -A OUTPUT -m limit --limit 7/s -j LOG
iptables -A FORWARD -m limit --limit 7/s -j LOG


Thanks in advance