Updated README. Add iptables basic rules
This commit is contained in:
parent
6af902b827
commit
78b109cbfc
5 changed files with 73 additions and 1 deletions
|
@ -23,7 +23,7 @@ edit the .gitattributes file accordingly:
|
||||||
|
|
||||||
```txt
|
```txt
|
||||||
neovim/*.conf gitlab-language=vim
|
neovim/*.conf gitlab-language=vim
|
||||||
spacemacs/*.conf gitlab-language=elisp
|
emacs/*.conf gitlab-language=elisp
|
||||||
```
|
```
|
||||||
|
|
||||||
## Support
|
## Support
|
||||||
|
|
22
iptables/iptables-http-full-f2b.fw
Normal file
22
iptables/iptables-http-full-f2b.fw
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
*filter
|
||||||
|
:INPUT DROP [4414218:211789180]
|
||||||
|
:FORWARD ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [17973:1146056]
|
||||||
|
:f2b-sshd - [0:0]
|
||||||
|
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
|
||||||
|
-A INPUT -i lo -j ACCEPT
|
||||||
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
|
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -o lo -j ACCEPT
|
||||||
|
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
|
||||||
|
-A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A f2b-sshd -j RETURN
|
||||||
|
COMMIT
|
20
iptables/iptables-http-full.fw
Normal file
20
iptables/iptables-http-full.fw
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
*filter
|
||||||
|
:INPUT DROP [4414218:211789180]
|
||||||
|
:FORWARD ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [17973:1146056]
|
||||||
|
-A INPUT -i lo -j ACCEPT
|
||||||
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
|
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -o lo -j ACCEPT
|
||||||
|
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
|
||||||
|
-A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
COMMIT
|
||||||
|
|
14
iptables/iptables-ssh-only.fw
Normal file
14
iptables/iptables-ssh-only.fw
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
*filter
|
||||||
|
:INPUT DROP [4414218:211789180]
|
||||||
|
:FORWARD ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [17973:1146056]
|
||||||
|
-A INPUT -i lo -j ACCEPT
|
||||||
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
|
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -o lo -j ACCEPT
|
||||||
|
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
|
||||||
|
COMMIT
|
||||||
|
|
16
iptables/iptables.md
Normal file
16
iptables/iptables.md
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
# Configurations
|
||||||
|
All configurations includes:
|
||||||
|
* INPUT DROP
|
||||||
|
* SSH port on 22.
|
||||||
|
* SMTP port 25 as `--reject-with icmp-port-unreachable`
|
||||||
|
|
||||||
|
- [ssh-only](iptables-ssh-only.fw) -> SSH
|
||||||
|
- [http-full](iptables-http-full.fw) -> HTTP/ HTTPS/ SMTPS
|
||||||
|
- [http-full-f2b](iptables-http-full-f2b.fw) -> HTTP/ HTTPS/ SMTPS/ fail2ban
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Simply:
|
||||||
|
```bash
|
||||||
|
iptables-restore < file.fw
|
||||||
|
```
|
Loading…
Reference in a new issue