iptables
Sveratum, 2014-06-10 12:28:24

How to analyze the script for adding iptables rules?

Good day!
There is a script for CentOS 6.5 (so-called; I wrote it as best I could):

#!/bin/sh
### Script iptables ###
# Flush previous rules
iptables -F
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Allow the loopback interface and the internal network
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
# Drop malformed packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Block brute-force attacks
iptables -A INPUT -p tcp --syn -m multiport --dports 1:79,81:65535 -m state --state NEW -m recent --name brutforce --set
iptables -A INPUT -p tcp --syn -m multiport --dports 1:79,81:65535 -m state --state NEW -m recent --name brutforce --update --seconds 3600 --rttl --hitcount 10 -j DROP
# Block DDoS against the web server on port 80
iptables -A INPUT -i eth0 -p tcp --syn --dport 80 -m state --state NEW -m recent --name ddos --set
iptables -A INPUT -i eth0 -p tcp --syn --dport 80 -m state --state NEW -m recent --name ddos --update --seconds 60 --rttl --hitcount 100 -j DROP
# Simple DoS protection
# Anti-spoofing
iptables -I INPUT -i eth0 -m conntrack --ctstate NEW,INVALID -p tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
# Protect against attempts to open an inbound TCP connection without SYN
iptables -I INPUT -i eth0 -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# Shut out malformed ICMP
iptables -I INPUT -i eth0 -p icmp -f -j DROP
# REL, ESTB allow
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Protect the SSH server from brute force
iptables -A INPUT -i eth0 -p tcp --syn --dport 22 -m recent --name dmitro --set
iptables -A INPUT -i eth0 -p tcp --syn --dport 22 -m recent --name dmitro --update --seconds 30 --hitcount 3 -j DROP
# Allow receiving data from the DHCP server. (Allow DHCP)
iptables -A INPUT -i eth0 -p UDP --dport 68 --sport 67 -j ACCEPT
# Allow service ports
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# web, limited to 4 connections per second
iptables -A INPUT -i eth0 -p tcp --dport 80 -m recent --name overload --update --seconds 1 --hitcount 4 -j REJECT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m recent --name overload --set -j ACCEPT
# Allow the main ICMP message types
iptables -A INPUT -i eth0 -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type 12 -j ACCEPT
# View (list rules)
# iptables -L --line-number
echo
echo "Adding DONE, maybe OK, you maybe free - goodbye!"
echo "Now Save it!"
service iptables save
echo
service iptables restart
echo "Ready!?"

eth0 - faces the Internet
eth1 - local, which is generally used for service purposes and has no access from outside
How correct is it, and how good is it?
And there are still doubts about how it behaves: for example, on a cloud platform, when I run the script, will the connection be broken (ssh, for example), and if it does break, how will it all play out and will the connection come back after execution?
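The kind of analysis the title asks for, as an added example (not the poster's or the answerers' code): it replays the -A/-I calls in order, so -I rules land at the head of the chain as they do in the script, and flags any rule that an earlier rule with a terminating target already matches, which is what makes the `overload` rate limit after `--dport 80 -j ACCEPT` dead. SCRIPT is a constructed excerpt of the question's rules; the subset check is conservative (it does not reason about port ranges or --state vs --ctstate), so it may miss dead rules but does not report live ones.

```python
# Added example, not the poster's script: find iptables rules that an earlier rule already covers.
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}   # targets that end chain traversal

def parse_rule(line):
    """Parse 'iptables -A|-I CHAIN [pos] <matches> -j TARGET' -> (chain, pos, constraints, target).
    Constraints are (option, value) pairs, '!'-prefixed when negated; '-m' loaders add none."""
    tok = shlex.split(line)
    if len(tok) < 3 or tok[0] != "iptables" or tok[1] not in ("-A", "-I"):
        return None                                    # comment, -F, -P, echo, ...: not a rule
    chain, i, pos = tok[2], 3, (0 if tok[1] == "-I" else None)   # bare -I means position 1
    if pos == 0 and i < len(tok) and tok[i].isdigit():
        pos, i = int(tok[i]) - 1, i + 1
    cons, target = set(), None
    while i < len(tok):
        opt, i = tok[i], i + 1
        if opt == "!":                                 # negation applies to the option after it
            opt, i = "!" + tok[i], i + 1
        vals = []                                      # --tcp-flags takes two values, --syn none
        while i < len(tok) and not tok[i].startswith("-") and tok[i] != "!":
            vals.append(tok[i]); i += 1
        if opt == "-j":                                # --reject-with etc. are target options
            target = vals[0]
            break
        if opt != "-m":                                # -p names are case-insensitive
            val = " ".join(vals)
            cons.add((opt, val.lower() if opt == "-p" else val))
    return chain, pos, frozenset(cons), target

def find_shadowed(script):
    """Replay -A/-I in script order, then list (dead_line, shadowing_line) pairs: a rule is dead
    when an earlier rule in the final chain terminates and its constraints are a subset of its own."""
    chains = {}
    for n, line in enumerate(script.splitlines(), 1):
        r = parse_rule(line)
        if r:
            rules = chains.setdefault(r[0], [])
            rules.insert(len(rules) if r[1] is None else r[1], (n, r[2], r[3]))
    return [(ln, pl) for rules in chains.values() for j, (ln, cons, _) in enumerate(rules)
            for pl, pc, pt in rules[:j] if pt in TERMINATING and pc <= cons]

# Constructed excerpt of the question's rules, in the order the script issues them.
SCRIPT = """\
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i eth0 -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m recent --name overload --update --seconds 1 --hitcount 4 -j REJECT
"""
```

Running `find_shadowed(SCRIPT)` on the excerpt reports line 3 (already covered by the interface-less RELATED,ESTABLISHED accept on line 1) and line 5 (covered by the unconditional port 80 accept on line 4); feeding it the full script from the question adds the `--set -j ACCEPT` overload rule and the eth0 udp RELATED,ESTABLISHED rule.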


2 answer(s)
shaazz, 2014-06-10
@shaazz

I'll reply to the second part of the question. If there is any doubt about the script, put an anti-script (allow everything) in cron with a delay of, say, 10 minutes.

Sveratum, 2014-06-12
@srsd

The script runs without problems.
The question is how correct is it, and how effective is it?
Perhaps something needs to be added or removed?
One more thing to add:
#Allow ICMP requests for ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
