Friday, March 15, 2013

Base IPTables rules that will apply to virtually any web server

Base IPTables rules that will apply to virtually any web server

Hello,
I have put together some basic iptables based firewall rules that I feel should apply to virtually any web server running cPanel/WHM that is connected to the internet. Please give me your feedback and improvements!

I popped the iptables rules into a bash script that can be easily commented and run in order to apply these rules.
#!/bin/bash
#####################################################################

# 1) Clear old Rules
iptables -F                                                 # Delete all existing rules

# 2) Default Drop
iptables -P INPUT DROP                                            # Set default chain policies to DROP
iptables -P FORWARD DROP                                        # Set default chain policies to DROP
iptables -P OUTPUT DROP                                            # Set default chain policies to DROP

# 3) Loopback                                                     
iptables -A INPUT -i lo -j ACCEPT                                    # Allow loopback access from INPUT
iptables -A OUTPUT -o lo -j ACCEPT                                    # Allow loopback access from Output

# 4) BLACKLIST IP's
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP                                # Block a specific ip-address
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP                                # Block a specific ip-address
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP                                # Block a specific ip-address
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP                                # Block a specific ip-address

# 5) WHITELIST IP's
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT                                # Allow Anything from localhost     
iptables -A INPUT -s "ALLOW_THIS_IP"/32 -j ACCEPT                                # Allow Anything from KeyServer


# 6) ALLOWED SERVICES
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT            # PORT 25   SMTP   - Allow connections to outbound
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT                            # PORT 54   DNS    - Allow connections to outbound 
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT            # PORT 80   httpd  - Allow connections from anywhere
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT        # PORT 80   httpd  - Rate Limit from outside
iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT            # PORT 443  SSL    - Allow connections from anywhere
iptables -A INPUT -p tcp -m tcp --dport 2082 -m state --state NEW,ESTABLISHED -j ACCEPT            # PORT 2082 cPanel - Allow connections to outbound 
iptables -A INPUT -p tcp -m tcp --dport 2083 -m state --state NEW,ESTABLISHED -j ACCEPT            # PORT 2083 cPanel - Allow connections to outbound 
iptables -A INPUT -p tcp -m tcp --dport 2086 -m state --state NEW,ESTABLISHED -j ACCEPT            # PORT 2086 WHM    - Allow connections to outbound 
iptables -A INPUT -p tcp -m tcp --dport 2087 -m state --state NEW,ESTABLISHED -j ACCEPT            # PORT 2087 WHM    - Allow connections to outbound 

# 7) PING
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP                # Drop Ping from address-mask-request
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP                    # Drop Ping from timestamp-request
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT                     # Rate Limit Ping from outside 

# 8) Validate packets
iptables -A INPUT   -m state --state INVALID -j DROP                            # Drop invalid packets 
iptables -A FORWARD -m state --state INVALID -j DROP                            # Drop invalid packets 
iptables -A OUTPUT  -m state --state INVALID -j DROP                            # Drop invalid packets 
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP                    # Drop TCP - SYN,FIN packets 
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP                    # Drop TCP - SYN,RST packets 

# 9) Reject Invalid networks (Spoof)
iptables -A INPUT -s 10.0.0.0/8       -j DROP                                # (Spoofed network)
iptables -a INPUT -s 192.0.0.1/24     -j DROP                                # (Spoofed network)
iptables -A INPUT -s 169.254.0.0/16   -j DROP                                # (Spoofed network)
iptables -A INPUT -s 172.16.0.0/12    -j DROP                                # (Spoofed network)
iptables -A INPUT -s 224.0.0.0/4      -j DROP                                # (Spoofed network)
iptables -A INPUT -d 224.0.0.0/4      -j DROP                                # (Spoofed network)
iptables -A INPUT -s 240.0.0.0/5      -j DROP                                # (Spoofed network)
iptables -A INPUT -d 240.0.0.0/5      -j DROP                                # (Spoofed network)
iptables -A INPUT -s 0.0.0.0/8        -j DROP                                # (Spoofed network)
iptables -A INPUT -d 0.0.0.0/8        -j DROP                                # (Spoofed network)
iptables -A INPUT -d 239.255.255.0/24 -j DROP                                # (Spoofed network)
iptables -A INPUT -d 255.255.255.255  -j DROP                                # (Spoofed network)


# 10) CHAINS

# FTP_BRUTE CHAIN
iptables -A INPUT -p tcp -m multiport --dports 20,21 -m state --state NEW -m recent --set --name FTP_BRUTE
iptables -A INPUT -p tcp -m multiport --dports 20,21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP_BRUTE -j DROP

# SYNFLOOD CHAIN
iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name SYNFLOOD--set                        
iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name SYNFLOOD --update --seconds 1 --hitcount 60 -j DROP

# Logging CHAIN
iptables -N LOGGING                                                # Create `LOGGING` chain for logging denied packets
iptables -A INPUT -j LOGGING                                            # Create `LOGGING` chain for logging denied packets     
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 6    # Log denied packets to /var/log/messages
iptables -A LOGGING -j DROP                                            # Drop everything

No comments:

Post a Comment