
hoctinhoc 14-07-2015 01:42 PM

Iptables deny All script
 
Iptables deny All script

Bên dưới là mẫu script iptables được cấu hình sẵn nhiều tính năng:

- Hardening Linux (sysctl, gỡ các dịch vụ không an toàn như telnet/rsh/tftp)
- Deny tất cả các port không dùng (policy mặc định DROP)
- Hạn chế DDoS attack (rate-limit kết nối, lọc các packet TCP bất thường)
- Mở một số port phổ biến (SSH, HTTP/HTTPS, FTP, IMAP/IMAPS, SMTP)

......


1. Tạo file iptables.sh
#vi iptables.sh

2. Chạy file iptables.sh này bằng bash (script có dùng cú pháp [[ ]] của bash). Trước khi chạy hãy sửa SERVER_IP và tên interface cho đúng máy của bạn, và nên có sẵn console/KVM phòng khi bị khóa SSH, vì script flush toàn bộ rule và đặt policy DROP ngay khi chạy.
#bash iptables.sh

3. Tất cả các rule sau đây sẽ được lưu vào iptables service (cuối script tự chạy "iptables save" rồi restart service).






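#!/bin/bash
# Host firewall + basic hardening for a single CentOS/RHEL-style server.
# Must run as root. Further down the script uses bash syntax ([[ ]]), so run it
# with bash (or via this shebang), not with a strict POSIX sh.
#
# WARNING: the ruleset is flushed here and the chain policies are switched to
# DROP below before the SSH accept rule is added. Edit SERVER_IP / PUB_IF to
# match this host and have console (out-of-band) access before running it
# over SSH.
[ "$(id -u)" -eq 0 ] || echo "warning: not running as root, iptables/sysctl/yum calls will fail" >&2

# My system IP / public address of this server (only the SSH rules bind to it).
SERVER_IP="125.212.219.53"

### Interfaces ###
PUB_IF="eth0"   # public interface
LO_IF="lo"      # loopback
LAN_IF="eth1"   # VPS, LAN / private net (the rules that use it are commented out below)

# Tool paths, defined before first use so every rule goes through the same binary.
IPT="/sbin/iptables"
SYSCTL="/sbin/sysctl"

# Flushing all rules (filter table only; nat/mangle are untouched).
# -X deletes every (now empty) user chain, including chains fail2ban may have
# added, so fail2ban has to be restarted after the new ruleset is in place.
$IPT -F
$IPT -X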


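#------------------------------------------------------------------------------------------------------------
# Hardening Linux http://www.cyberciti.biz/tips/linux-security.html

#yum update -y
# Remove legacy clear-text / unauthenticated network daemons.
# (The original had a typo, "rsh-serve", so rsh-server was never removed.)
yum -y erase inetd xinetd ypserv tftp-server telnet-server rsh-server

echo "Setting sysctl IPv4 settings..."
# One key=value per line. Applied one at a time so a key this kernel does not
# have (kernel.exec-shield exists only on RHEL/CentOS <= 6) is reported
# without hiding the result of the others.
# kernel.randomize_va_space: the original set 1, which is *weaker* than the
# kernel default of 2 (2 also randomises the heap/brk); full ASLR is kept.
HARDEN_SYSCTL="
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
kernel.exec-shield=1
kernel.randomize_va_space=2
"

# Apply at runtime.
for kv in $HARDEN_SYSCTL; do   # word-split on purpose: one key=value per word
  $SYSCTL -w "$kv" || echo "warning: could not set $kv (key may not exist on this kernel)" >&2
done

# Persist for the next boot. The original ran "sysctl -p", which only re-reads
# /etc/sysctl.conf (and can revert the values just set); it never saved them.
# If this distribution's boot scripts do not read /etc/sysctl.d/*.conf, append
# the same lines to /etc/sysctl.conf instead.
SYSCTL_FILE="/etc/sysctl.d/99-hardening.conf"
mkdir -p /etc/sysctl.d
printf '%s\n' $HARDEN_SYSCTL > "$SYSCTL_FILE"
#http://www.cyberciti.biz/tips/linux-...-security.html
#-----------------------------------------------------------------------------------------------------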

# Setting default filter policy: anything not explicitly accepted below is
# dropped, inbound, outbound and forwarded alike. Between this point and the
# SSH accept rule further down, a remote session survives only on TCP
# retransmission, so keep the gap short.
for chain in INPUT OUTPUT FORWARD; do
  $IPT -P "$chain" DROP
done

# Allow unlimited traffic on loopback (local services talking to themselves).
$IPT -A INPUT  -i "$LO_IF" -j ACCEPT
$IPT -A OUTPUT -o "$LO_IF" -j ACCEPT


# Unlimited VPN / LAN access (enable only if LAN_IF really is a trusted network)
#$IPT -A INPUT -i ${LAN_IF} -j ACCEPT
#$IPT -A OUTPUT -o ${LAN_IF} -j ACCEPT


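# Allow incoming ssh only.
# SSH_ALLOW_FROM restricts who may open an SSH connection. It defaults to 0/0
# (the whole internet, i.e. the original behaviour); set it to a management
# address or CIDR, e.g. SSH_ALLOW_FROM="202.54.1.20", to get the
# "ssh only from one IP" variant that used to be a commented-out copy of these
# two rules. Leaving it at 0/0 means brute-force protection rests entirely on
# fail2ban (installed later in this script) and on key-only authentication.
# --sport 513:65535 rejects clients that connect from a privileged source port.
SSH_ALLOW_FROM="${SSH_ALLOW_FROM:-0/0}"
$IPT -A INPUT  -p tcp -s "$SSH_ALLOW_FROM" -d "$SERVER_IP" --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -s "$SERVER_IP" -d "$SSH_ALLOW_FROM" --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT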


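# Allow Ping, but rate-limit echo requests so a ping flood cannot keep the
# host busy; other ICMP types (errors, replies) stay open because path-MTU
# discovery and the host's own pings depend on them.
$IPT -A INPUT  -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 20 -j ACCEPT
$IPT -A INPUT  -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT  -p icmp -j ACCEPT
$IPT -A OUTPUT -p icmp -j ACCEPT


# Allow outbound DNS. The reply is only accepted as ESTABLISHED. The original
# accepted *any* inbound UDP whose source port was 53, which let an attacker
# reach every UDP service on the host simply by sending from port 53.
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# Inbound services. Only the first packet (SYN) of a NEW connection is accepted
# here; the rest of the connection is accepted by the ESTABLISHED,RELATED rule
# near the end of the script. The original rules had no state match at all, so
# the "drop NEW without SYN" / bogus-flag rules below never saw traffic to
# these ports.

# Allow FTP (control + active-mode data). Passive mode uses random high ports
# and only works when the FTP conntrack helper is loaded (RELATED is accepted
# later); the module name differs between kernel generations.
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null
$IPT -A OUTPUT -p tcp --sport 20:21 -j ACCEPT
$IPT -A INPUT  -p tcp --syn --dport 20:21 -m state --state NEW -j ACCEPT

# Allow HTTP and HTTPS
$IPT -A INPUT  -p tcp --syn -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp -m multiport --sports 80,443 -j ACCEPT

# Allow IMAP and IMAPS
$IPT -A INPUT  -p tcp --syn -m multiport --dports 143,993 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp -m multiport --sports 143,993 -j ACCEPT


# Allow Sendmail (SMTP, SMTPS, submission)
$IPT -A INPUT  -p tcp --syn -m multiport --dports 25,465,587 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp -m multiport --sports 25,465,587 -j ACCEPT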

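#-----------------------------DDOS attacker----------------------------------------
# TCP sanity checks: bogus flag combinations, port-scan probes, non-SYN "new"
# connections, fragments.
#
# In the original these were appended *after* the service ACCEPT rules, so a
# packet to 80/443/25/... was accepted before it ever reached them. They now
# live in their own chain, inserted at the head of INPUT (loopback excluded),
# so every packet from the network is checked first. LOG targets are
# rate-limited: an unbounded LOG rule is itself a disk/ringbuffer-filling DoS.

# Prevent DoS attack (per-port rate-limit example). Left disabled: as an -A
# ACCEPT it would be shadowed by the service rules anyway; the -m recent rule
# further down does this job per source address.
#iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

$IPT -N pkt_sanity
LOGLIM="-m limit --limit 5/m --limit-burst 7"   # expanded unquoted on purpose

# Block sync: a "new" connection whose first packet is not a SYN
$IPT -A pkt_sanity -p tcp ! --syn -m state --state NEW $LOGLIM -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A pkt_sanity -p tcp ! --syn -m state --state NEW -j DROP

# Block Fragments. NOTE: with conntrack loaded (it is, via -m state) IPv4
# fragments are normally reassembled before the filter table sees them, so
# this rule is expected to match rarely; it also drops legitimately
# fragmented UDP (large DNS/NFS) if it ever does.
$IPT -A pkt_sanity -f $LOGLIM -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A pkt_sanity -f -j DROP

# Block bad stuff: flag combinations no real TCP stack sends
$IPT -A pkt_sanity -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A pkt_sanity -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A pkt_sanity -p tcp --tcp-flags ALL NONE $LOGLIM -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A pkt_sanity -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

$IPT -A pkt_sanity -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN+FIN (the log prefix says "XMAS" for historical reasons; a real XMAS
# probe sets FIN,PSH,URG and is caught by the first "bad stuff" rule)
$IPT -A pkt_sanity -p tcp --tcp-flags SYN,FIN SYN,FIN $LOGLIM -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A pkt_sanity -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

$IPT -A pkt_sanity -p tcp --tcp-flags FIN,ACK FIN $LOGLIM -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A pkt_sanity -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

$IPT -A pkt_sanity -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Evaluate the sanity chain before anything else in INPUT, except loopback.
$IPT -I INPUT 1 ! -i "$LO_IF" -j pkt_sanity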

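# Log and block spoofed ips: private / reserved / bogon source addresses that
# must never arrive on the public interface.
#
# SPOOFIP has to be set *before* this loop. In the original it was assigned
# much further down the script, so the loop ran over an empty string, the
# spooflist chain was created empty and nothing was ever blocked. A value
# exported in the environment wins; otherwise the list below is used.
# Compared with the original list, 168.254.0.0/16 (a typo for 169.254/16,
# and a legitimately routed range) is gone and the /5 subnets already covered
# by 240.0.0.0/4 are not repeated.
# NOTE: if PUB_IF carries a private address (host behind NAT), the RFC1918
# entries block all of your LAN; trim the list in that case.
SPOOFIP="${SPOOFIP:-127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 0.0.0.0/8 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32 192.0.2.0/24}"

$IPT -N spooflist
for ipblock in $SPOOFIP; do   # word-split on purpose: one CIDR per word
  # LOG is rate-limited so a spoofed flood cannot fill the logs.
  $IPT -A spooflist -i "${PUB_IF}" -s "$ipblock" -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " SPOOF List Block "
  $IPT -A spooflist -i "${PUB_IF}" -s "$ipblock" -j DROP
done
# Checked for inbound and forwarded packets. The chain matches on the input
# interface (-i), which an OUTPUT packet never has, so the original jump from
# OUTPUT could never match and is not recreated.
$IPT -I INPUT -j spooflist
$IPT -I FORWARD -j spooflist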


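# Log and get rid of broadcast / multicast and invalid packets on the public
# interface. LOG targets are rate-limited: an unbounded LOG rule facing the
# internet is itself a DoS vector (kernel ring buffer / disk fill from a flood).
# These are appended after the service ACCEPT rules, so only traffic that was
# not already accepted reaches them.
LOGLIM="-m limit --limit 5/m --limit-burst 7"   # expanded unquoted on purpose

$IPT -A INPUT -i "${PUB_IF}" -m pkttype --pkt-type broadcast $LOGLIM -j LOG --log-prefix " Broadcast "
$IPT -A INPUT -i "${PUB_IF}" -m pkttype --pkt-type broadcast -j DROP

$IPT -A INPUT -i "${PUB_IF}" -m pkttype --pkt-type multicast $LOGLIM -j LOG --log-prefix " Multicast "
$IPT -A INPUT -i "${PUB_IF}" -m pkttype --pkt-type multicast -j DROP

# INVALID = packets conntrack cannot associate with any connection.
$IPT -A INPUT -i "${PUB_IF}" -m state --state INVALID $LOGLIM -j LOG --log-prefix " Invalid "
$IPT -A INPUT -i "${PUB_IF}" -m state --state INVALID -j DROP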




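# Limit new HTTP connections per source address: more than HTTP_CONN_LIMIT
# NEW connections to port 80 from the same IP within HTTP_CONN_WINDOW seconds
# are dropped (why would one user open 150 connections to port 80?).
# Because the DROP rule also --updates the timestamp, a source that keeps
# connecting stays blocked until it pauses for a full window.
HTTP_CONN_LIMIT=50
HTTP_CONN_WINDOW=60

# xt_recent only remembers ip_pkt_list_tot timestamps per address (default
# 20). A --hitcount larger than that makes iptables reject the rule with
# "Invalid argument", so the original --hitcount 50 rule was never installed.
# The parameter can only be set when the module is (re)loaded.
RECENT_TOT=/sys/module/xt_recent/parameters/ip_pkt_list_tot
if [ ! -e "$RECENT_TOT" ]; then
  modprobe xt_recent ip_pkt_list_tot="$HTTP_CONN_LIMIT" 2>/dev/null
fi
if [ -r "$RECENT_TOT" ] && [ "$(cat "$RECENT_TOT")" -lt "$HTTP_CONN_LIMIT" ]; then
  echo "warning: xt_recent ip_pkt_list_tot=$(cat "$RECENT_TOT") < $HTTP_CONN_LIMIT; the HTTP rate-limit rule will be rejected." >&2
  echo "         put 'options xt_recent ip_pkt_list_tot=$HTTP_CONN_LIMIT' in /etc/modprobe.d/xt_recent.conf and reload the module." >&2
fi

# Insertion order matters: the check-and-drop rule must be evaluated before
# the --set rule, so it is inserted last (both use -I, so it ends up first).
# --name keeps this list separate from any other -m recent user on the host.
$IPT -I INPUT -p tcp --dport 80 -i "${PUB_IF}" -m state --state NEW -m recent --name HTTP --set
$IPT -I INPUT -p tcp --dport 80 -i "${PUB_IF}" -m state --state NEW -m recent --name HTTP --update --seconds "$HTTP_CONN_WINDOW" --hitcount "$HTTP_CONN_LIMIT" -j DROP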


#-----------------------------------------------------------------------------------


# Allow downloads / package installs: any outbound connection may be opened,
# inbound only replies to connections this host started (ESTABLISHED) or
# helper-related ones (RELATED, e.g. passive FTP data).
# Because OUTPUT accepts NEW as well, the OUTPUT DROP policy and the
# per-service --sport rules above are effectively moot: nothing outbound is
# filtered (no egress control against e.g. reverse shells or data exfiltration).
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT


# Which source IPs are hammering the box (connection count per remote address)
#netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

# Kill every connection of one IP (tcpkill keeps running until you stop it)

#yum -y install dsniff
#tcpkill host xxx.xxx.xxx.xxx

# Block an IP or subnet, optionally on one port http://www.cyberciti.biz/faq/linux-iptables-drop/

#iptables -A INPUT -s 125.58.55.44 -j DROP ---> block one IP
#iptables -A INPUT -s 163.235.144.110 -p tcp --destination-port 25 -j DROP ---> block one IP on port 25




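#### FILES: Block IP from List #####
# One IPv4 address or CIDR per line; blank lines and lines starting with # are ignored.
BLOCKED_IP_TDB=/root/blocked.ip.txt

# Bogon / reserved source ranges. NOTE: the spooflist loop earlier in this
# script reads $SPOOFIP, and an assignment down here comes too late for it;
# this value is kept only so other code can refer to it. (168.254.0.0/16 is a
# typo for 169.254.0.0/16 and the /5 entries are already inside 240.0.0.0/4.)
SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"

# POSIX test instead of [[ ]] so this also works under a non-bash /bin/sh.
BADIPS=""
if [ -f "$BLOCKED_IP_TDB" ]; then
  BADIPS=$(grep -Ev '^#|^$' "$BLOCKED_IP_TDB")
fi

# The original computed BADIPS but never used it. Install one DROP per entry,
# inserted at the head of INPUT: appended (-A) it would sit behind the service
# ACCEPT rules and never match.
for badip in $BADIPS; do   # word-split on purpose: one entry per word
  $IPT -I INPUT -s "$badip" -j DROP
done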




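# fail2ban: bans brute-forcing sources by inserting its own chains into INPUT.
# The package comes from EPEL. The original fetched the epel-release RPM over
# plain HTTP from a URL that is truncated on this page ("..."), and
# "rpm -Uvh <url>" installs even when the signature cannot be checked (NOKEY).
# Prefer the epel-release package from the distribution's extras repo, which
# yum verifies with its configured GPG keys; otherwise install a downloaded
# RPM only after "rpm --checksig" passes.
if ! rpm -q epel-release >/dev/null 2>&1; then
  yum -y install epel-release || {
    echo "epel-release is not available from the configured repos; download the" >&2
    echo "epel-release RPM for this release, verify it with 'rpm --checksig', then rpm -Uvh it." >&2
  }
fi
yum -y install fail2ban

# jail.local overrides jail.conf. Only create it when the admin has not written
# one already (the original overwrote it on every run). Check that the jail you
# want (sshd or ssh-iptables, depending on the fail2ban version) is enabled in it.
[ -e /etc/fail2ban/jail.local ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
chkconfig fail2ban on        # start at boot
service fail2ban restart     # no sudo needed: this script already runs as root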

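# Drop All - make sure nothing comes or goes out of this box.
# The chain policies are already DROP; the explicit rules make that visible in
# listings, and a rate-limited LOG in front of the INPUT drop records what was
# rejected without letting a flood fill the logs.
$IPT -A INPUT  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix " INPUT Drop "
$IPT -A INPUT  -j DROP
$IPT -A OUTPUT -j DROP


# Save and Restart IPtable.
# fail2ban inserts its own chains into INPUT. If they are present when the
# ruleset is saved, the restart restores them and fail2ban may then complain
# or duplicate them when it starts. So: stop fail2ban, save a clean ruleset,
# reload it, and let fail2ban re-add its chains afterwards.
# NOTE: on EL6 the iptables init script may unload the netfilter modules on
# restart (IPTABLES_MODULES_UNLOAD in /etc/sysconfig/iptables-config), which
# empties the conntrack table; an existing SSH session then shows up as NEW
# without SYN and is dropped by the sanity rules. Set it to "no" before
# running this remotely.
service fail2ban stop >/dev/null 2>&1
chkconfig iptables on                 # restore the saved ruleset at boot
/etc/init.d/iptables save
/etc/init.d/iptables restart
rc=$?
service fail2ban start >/dev/null 2>&1
[ "$rc" -eq 0 ] || echo "warning: iptables restart returned $rc; check 'iptables -L -n -v'" >&2

# IPv6 is NOT covered by anything above: ip6tables keeps its ACCEPT policies,
# so if this host has a global IPv6 address every service is reachable over
# v6 unfiltered. Apply an equivalent ip6tables policy or disable IPv6.
exit "$rc"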

