Diffstat (limited to 'firewallsetup')
-rw-r--r--firewallsetup/README.md28
-rw-r--r--firewallsetup/firewall67
-rw-r--r--firewallsetup/firewall-down15
-rw-r--r--firewallsetup/firewall-reload3
4 files changed, 113 insertions, 0 deletions
diff --git a/firewallsetup/README.md b/firewallsetup/README.md
new file mode 100644
index 0000000..58ed5b4
--- /dev/null
+++ b/firewallsetup/README.md
@@ -0,0 +1,28 @@
+# firewallsetup
+## Fast Firewall Setup
+
+This is a script for setting up a firewall with settings for tarpitting ssh and basic protections that everyone needs.
+
+## Download the rules to /etc/
+```
+git clone https://github.com/ChrisTitusTech/firewallsetup.git
+````
+## Make the Rules Permenant
+### Debian-based Distributions
+```
+sudo apt install iptables-persistent
+sudo /etc/init.d/netfilter-persistent save
+```
+### Arch Linux Distributions
+*Use iptable-save which is pre-installed*
+```
+sudo iptables-save > /etc/iptables/iptables.rules
+```
+### RHEL / CentOS Distributions
+*This is by far the simpliest way to save rules and check them # chkconfig --list | grep iptables*
+
+*Note: chkconfig iptables on only needs to be run once to turn the service on*
+```
+sudo chkconfig iptables on
+sudo service iptables save
+```
diff --git a/firewallsetup/firewall b/firewallsetup/firewall
new file mode 100644
index 0000000..b047a19
--- /dev/null
+++ b/firewallsetup/firewall
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# iptables example configuration script
+
+# Drop ICMP echo-request messages sent to broadcast or multicast addresses
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Drop source routed packets
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+
+# Enable TCP SYN cookie protection from SYN floods
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+
+# Don't accept ICMP redirect messages
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+
+# Don't send ICMP redirect messages
+echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+
+# Enable source address spoofing protection
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+
+# Log packets with impossible source addresses
+echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
+
+# Flush all chains
+/sbin/iptables --flush
+
+# Allow unlimited traffic on the loopback interface
+/sbin/iptables -A INPUT -i lo -j ACCEPT
+/sbin/iptables -A OUTPUT -o lo -j ACCEPT
+
+# Set default policies
+/sbin/iptables --policy INPUT DROP
+/sbin/iptables --policy OUTPUT DROP
+/sbin/iptables --policy FORWARD DROP
+
+# Previously initiated and accepted exchanges bypass rule checking
+# Allow unlimited outbound traffic
+/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+#Ratelimit SSH for attack protection
+/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
+/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
+/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
+
+# Allow certain ports to be accessible from the outside
+/sbin/iptables -A INPUT -p tcp --dport 25565 -m state --state NEW -j ACCEPT #Minecraft
+/sbin/iptables -A INPUT -p tcp --dport 8123 -m state --state NEW -j ACCEPT #Dynmap plugin
+
+# Other rules for future use if needed. Uncomment to activate
+# /sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # http
+# /sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT # https
+
+# UDP packet rule. This is just a random udp packet rule as an example only
+# /sbin/iptables -A INPUT -p udp --dport 5021 -m state --state NEW -j ACCEPT
+
+# Allow pinging of your server
+/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+
+# Drop all other traffic
+/sbin/iptables -A INPUT -j DROP
+
+# print the activated rules to the console when script is completed
+/sbin/iptables -nL
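Review bot: Every rule and sysctl in this script is IPv4-only (`/proc/sys/net/ipv4/...` and `/sbin/iptables`), so on a host with an IPv6 address the ip6tables INPUT chain keeps its default ACCEPT policy and sshd, Minecraft and anything else listening on `::` are reachable with none of the rate limiting applied here — whether this host has IPv6 enabled is not visible from the diff, but the README describes these as baseline protections, so the script should not depend on it. The minimum is to mirror the default-deny skeleton with ip6tables, remembering that ICMPv6 must stay open because neighbor discovery rides on it; any service opened below for v4 then needs a matching v6 rule. A second, smaller point: the script has no `set -e`, so if one `iptables` call fails (for instance the `recent` match module not being available for the line at `--dport 22 ... -m recent --update`) the remaining rules are still applied and the closing `iptables -nL` prints a ruleset that looks complete; `set -euo pipefail` after the shebang would abort on the first failure instead.
```shell
# … unchanged: sysctls and IPv4 rules …

# Mirror the default-deny skeleton for IPv6: ip6tables is a separate ruleset
# and is left wide open by everything above.
/sbin/ip6tables --flush
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables --policy INPUT DROP
/sbin/ip6tables --policy FORWARD DROP
/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Neighbor discovery runs over ICMPv6; dropping it breaks IPv6 connectivity entirely.
/sbin/ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# … unchanged: print rules …
```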
diff --git a/firewallsetup/firewall-down b/firewallsetup/firewall-down
new file mode 100644
index 0000000..23a74cb
--- /dev/null
+++ b/firewallsetup/firewall-down
@@ -0,0 +1,15 @@
+#!/bin/bash
+/sbin/iptables -F
+/sbin/iptables -X
+/sbin/iptables -t nat -F
+/sbin/iptables -t nat -X
+/sbin/iptables -t mangle -F
+/sbin/iptables -t mangle -X
+
+# the rules allow us to reconnect by opening up all traffic.
+/sbin/iptables -P INPUT ACCEPT
+/sbin/iptables -P FORWARD ACCEPT
+/sbin/iptables -P OUTPUT ACCEPT
+
+# print out all rules to the console after running this file.
+/sbin/iptables -nL
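Review bot: The order here cuts off the operator's own session for a moment: `-F` on the first line removes the `lo` and ESTABLISHED,RELATED accept rules while the INPUT policy from the main script is still DROP, so every inbound packet, including replies on the SSH session running this script, is dropped until the `-P INPUT ACCEPT` line several commands later. Move the three `-P ... ACCEPT` lines above the flushes so the table is never in a rules-gone-policy-DROP state; with that ordering a transient failure between the two halves also leaves the host reachable rather than silently unreachable. The `# the rules allow us to reconnect` comment then becomes accurate for the whole script, and a brief header comment should state that this script deliberately leaves the host fully open and is not a safe end state on its own.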
diff --git a/firewallsetup/firewall-reload b/firewallsetup/firewall-reload
new file mode 100644
index 0000000..948123a
--- /dev/null
+++ b/firewallsetup/firewall-reload
@@ -0,0 +1,3 @@
+#!/bin/bash
+/etc/firewallsetup/firewall-down
+/etc/firewallsetup/firewall
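Review bot: Running `firewall-down` first means a reload opens the host completely (all three policies ACCEPT) and only re-applies the rules if the second command runs; there is no `set -e`, no `&&`, and no exit-status check, so a failing or non-executable `/etc/firewallsetup/firewall` leaves the machine permanently open with no error surfaced. Since `firewall` already flushes the filter table itself before adding rules, the down step buys nothing for the filter table and only widens the unprotected window; if the goal is also to clear nat/mangle, that should happen after the new policies are set, not before. The standard way to reload without any open window is an atomic swap of the whole ruleset, e.g. `iptables-restore < /etc/iptables/iptables.rules` after the README's save step, with this script reduced to `exec /etc/firewallsetup/firewall` as the fallback when no saved ruleset exists.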