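#!/bin/sh
#File: /etc/rc.d/rc.firewall
#
# IPv4 packet filter for this host. Policy: loopback and already-established
# traffic in, HTTP/HTTPS from anywhere, two pinned source addresses, all
# other UDP, and everything else is logged (rate-limited) and dropped.
#
# Re-running this script is safe: INPUT/OUTPUT are flushed first so rules
# are not appended a second time. Only IPv4 is configured here — ip6tables
# is not touched, so if IPv6 is enabled on this host it stays unfiltered
# until equivalent ip6tables rules are added.

# Abort on the first failing iptables call (with INPUT policy DROP already
# set, a half-applied ruleset fails closed rather than open).
set -eu
# rc scripts may start with a minimal PATH; make sure iptables is found.
PATH=/usr/sbin:/sbin:/usr/bin:/bin
export PATH

# Space-separated source addresses to log and drop regardless of protocol
# or port. Add further entries here rather than new rules below.
BLOCKED_SRC="87.118.104.44"

#######################################
# Append a rate-limited LOG rule followed by a DROP rule to a chain.
# The limit (10-packet burst, then 1 line/minute) applies to logging only;
# every matching packet is still dropped.
# Arguments: $1 - chain; remaining args - extra iptables match options
#######################################
log_drop() {
  chain=$1
  shift
  iptables -A "$chain" "$@" -m limit --limit 1/minute --limit-burst 10 \
    -j LOG --log-prefix "[DROPPED_NODE]" --log-level 4
  iptables -A "$chain" "$@" -j DROP
}

# Start from a clean slate so re-running does not duplicate rules, and
# make INPUT default-deny at the policy level: if the script aborts
# part-way nothing is admitted, and an accidental flush later does not
# open the host.
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Immediately log and drop any known abusive IPs — for every protocol, not
# only TCP, so UDP/ICMP from them is not admitted by the rules further down.
# shellcheck disable=SC2086
for ip in $BLOCKED_SRC; do
  log_drop INPUT -s "$ip"
done

# Loopback: match on the interface, not on a 127.0.0.1 source address.
# A packet arriving on a real interface with a forged loopback source must
# not be accepted, so anything claiming a 127/8 source elsewhere is dropped.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# Track connection state for every protocol, not only TCP: replies to this
# host's own UDP queries and ICMP errors tied to an existing flow (e.g.
# fragmentation-needed for path MTU discovery) would otherwise hit the
# final DROP. Packets conntrack cannot classify are dropped outright.
# Inbound ICMP echo is still dropped by the final rule; add an explicit
# rule if ping should be answered.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow all foreign IPs to access ports 443 and 80
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow access from a specified foreign IP
# to this server's port 8080
iptables -A INPUT -p tcp -s 172.16.88.2/32 --dport 8080 -j ACCEPT

# Allow access from a specified foreign IP
# to any port listening on this server
# NOTE(review): 172.13.88.3 is a public address, unlike the RFC 1918
# 172.16.88.2 above — confirm it is not a typo before relying on this rule.
iptables -A INPUT -p tcp -s 172.13.88.3/32 -j ACCEPT

# Drop incoming UDP packets on port 137 and 138 without logging
# (NetBIOS name/datagram broadcasts are constant LAN noise; logging them
# would only add volume).
iptables -A INPUT -p udp --dport 137 -j DROP
iptables -A INPUT -p udp --dport 138 -j DROP

# Accept all other incoming UDP packets
# NOTE(review): this exposes every UDP listener on the host to any source,
# whereas TCP is limited to 80/443 above. Keep it only if a UDP service must
# be reachable from anywhere; otherwise replace it with explicit --dport
# rules (replies to this host's own UDP traffic are already admitted by the
# ESTABLISHED rule).
iptables -A INPUT -p udp -j ACCEPT

# Log and Drop everything else (the DROP also duplicates the INPUT policy,
# kept explicit so the ruleset reads the same with -L).
log_drop INPUT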
Useful Commands
# View all rules
# (add -n, as the INPUT variant below does, to skip the reverse DNS lookup
#  iptables performs for every address — slow, and it sends queries out)
iptables -L -v
# View INPUT rules
iptables -L INPUT -nv
#-------------------------------
# View max tracked connections
# Legacy ip_conntrack path; newer kernels expose the same knob at
# /proc/sys/net/netfilter/nf_conntrack_max — check which one exists here.
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
# Set max tracked connections
# add the following line to rc.local if sysctl.conf doesn't exist
# (requires root; the value does not survive a reboot unless it is set in
#  sysctl.conf or rc.local. When the table fills, new connections are
#  typically dropped, so raise this before heavy traffic, not after.)
echo 128000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
# View Current HASHSIZE
# (number of buckets in the conntrack hash table; newer kernels expose it
#  as /sys/module/nf_conntrack/parameters/hashsize)
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
More Info On Tweaking Connection Tracking Settings