Updated README. Add iptables basic rules

2021-04-11 19:02:40 +02:00 · 2021-04-11 19:02:40 +02:00 · 78b109cbfc
parent 6af902b827
commit 78b109cbfc
5 changed files with 73 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -23,7 +23,7 @@ edit the .gitattributes file accordingly:

 ```txt
 neovim/*.conf gitlab-language=vim
-spacemacs/*.conf gitlab-language=elisp
+emacs/*.conf gitlab-language=elisp
 ```

 ## Support
--- a/iptables/iptables-http-full-f2b.fw
+++ b/iptables/iptables-http-full-f2b.fw
@ -0,0 +1,22 @@
+*filter
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
+:f2b-sshd - [0:0]
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A f2b-sshd -j RETURN
+COMMIT
--- a/iptables/iptables-http-full.fw
+++ b/iptables/iptables-http-full.fw
@ -0,0 +1,20 @@
+*filter
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+COMMIT
+
--- a/iptables/iptables-ssh-only.fw
+++ b/iptables/iptables-ssh-only.fw
@ -0,0 +1,14 @@
+*filter
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+
--- a/iptables/iptables.md
+++ b/iptables/iptables.md
@ -0,0 +1,16 @@
+# Configurations
+All configurations includes:
+* INPUT DROP
+* SSH port on 22.
+* SMTP port 25 as `--reject-with icmp-port-unreachable`
+
+- [ssh-only](iptables-ssh-only.fw) -> SSH
+- [http-full](iptables-http-full.fw) -> HTTP/ HTTPS/ SMTPS
+- [http-full-f2b](iptables-http-full-f2b.fw) -> HTTP/ HTTPS/ SMTPS/ fail2ban
+
+## Usage
+
+Simply:
+```bash
+iptables-restore < file.fw
+```