Simple Stateful Firewall: Difference between revisions

From The Brainwrecked Wiki
Jump to navigation Jump to search
Created Simple Stateful Firewall
 
Configure IPTables: Commented iptables.rules file
 
Line 13: Line 13:
# SIMPLE STATEFUL FIREWALL
# SIMPLE STATEFUL FIREWALL
*filter
*filter
# CONFIGURE DEFAULT CHAINS
:INPUT DROP [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [100308:88697975]
:OUTPUT ACCEPT [100308:88697975]
# ADD USER CHAINS
:TCP - [0:0]
:TCP - [0:0]
:UDP - [0:0]
:UDP - [0:0]
# ALLOW ESTABLISHED CONNECTIONS, AND CONNECTIONS RELATED TO SUCH
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ALLOW CONNECTIONS FROM LOCALHOST
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
# DROP PACKETS THAT HAVE INVALID HEADERS, CHECKSUMS, TCP FLAGS, OR ICMP MESSAGE; AND PACKETS OUT OF SEQUENCE
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ALLOW PINGS
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
 
# RESET CONNECTIONS THAT ARE NEW WITH NO CORRESPONDING SYN
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
# REJECT UDP STREAMS IF PORT IS NOT OPEN
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# REJECT TCP CONNECTION IF PORT IS NOT OPEN
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
# REJECT ALL OTHER TRAFFIC
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable


# OPEN NECESSARY PORTS HERE
# OPEN NECESSARY PORTS HERE
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT -m comment --comment "smtp"
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "http"
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "http"
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https"
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https"
Line 36: Line 57:
-A TCP -p tcp -m tcp --dport 873 -j ACCEPT  -m comment --comment "rsync"
-A TCP -p tcp -m tcp --dport 873 -j ACCEPT  -m comment --comment "rsync"
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "imaps"
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "imaps"
-A TCP -p tcp -m tcp --dport 64738 -j ACCEPT -m comment --comment "mumble tcp"
-A TCP -p tcp -m tcp --dport 995 -j ACCEPT -m comment --comment "pop3s"
-A UDP -p udp -m udp --dport 64738 -j ACCEPT -m comment --comment "mumble udp"
 
COMMIT
COMMIT
}}
}}

Latest revision as of 19:48, 7 December 2019

Prerequisites

Most, if not all, GNU/Linux distributions ship a default kernel that has the netfilter module.

Required Packages

Most, if not all, GNU/Linux distributions have the iptables package/binary installed by default.

Configure IPTables

/etc/iptables/iptables.rules
# SIMPLE STATEFUL FIREWALL
*filter

# CONFIGURE DEFAULT CHAINS
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [100308:88697975]

# ADD USER CHAINS
:TCP - [0:0]
:UDP - [0:0]

# ALLOW ESTABLISHED CONNECTIONS, AND CONNECTIONS RELATED TO SUCH
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# ALLOW CONNECTIONS FROM LOCALHOST
-A INPUT -i lo -j ACCEPT

# DROP PACKETS THAT HAVE INVALID HEADERS, CHECKSUMS, TCP FLAGS, OR ICMP MESSAGE; AND PACKETS OUT OF SEQUENCE
-A INPUT -m conntrack --ctstate INVALID -j DROP

# ALLOW PINGS
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# RESET CONNECTIONS THAT ARE NEW WITH NO CORRESPONDING SYN
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP

# REJECT UDP STREAMS IF PORT IS NOT OPEN
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# REJECT TCP CONNECTION IF PORT IS NOT OPEN
-A INPUT -p tcp -j REJECT --reject-with tcp-reset

# REJECT ALL OTHER TRAFFIC
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# OPEN NECESSARY PORTS HERE
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT -m comment --comment "smtp"
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "http"
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https"
-A TCP -p tcp -m tcp --dport 465 -j ACCEPT -m comment --comment "smtps"
-A TCP -p tcp -m tcp --dport 587 -j ACCEPT -m comment --comment "starttls"
-A TCP -p tcp -m tcp --dport 873 -j ACCEPT  -m comment --comment "rsync"
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "imaps"
-A TCP -p tcp -m tcp --dport 995 -j ACCEPT -m comment --comment "pop3s"

COMMIT
Retrieved from "https://wiki.bwt.com.de/index.php?title=Simple_Stateful_Firewall&oldid=327"