From 78b109cbfc1945be5ffba763c11350fc277aaa26 Mon Sep 17 00:00:00 2001
From: Claudio Maradonna
Date: Sun, 11 Apr 2021 19:02:40 +0200
Subject: [PATCH] Updated README. Add iptables basic rules
---
 README.md | 2 +-
 iptables/iptables-http-full-f2b.fw | 22 ++++++++++++++++++++++
 iptables/iptables-http-full.fw | 20 ++++++++++++++++++++
 iptables/iptables-ssh-only.fw | 14 ++++++++++++++
 iptables/iptables.md | 16 ++++++++++++++++
 5 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 iptables/iptables-http-full-f2b.fw
 create mode 100644 iptables/iptables-http-full.fw
 create mode 100644 iptables/iptables-ssh-only.fw
 create mode 100644 iptables/iptables.md
diff --git a/README.md b/README.md
index 8df37ca..6e6c127 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ edit the .gitattributes file accordingly: ```txt neovim/*.conf gitlab-language=vim -spacemacs/*.conf gitlab-language=elisp +emacs/*.conf gitlab-language=elisp ``` ## Support
diff --git a/iptables/iptables-http-full-f2b.fw b/iptables/iptables-http-full-f2b.fw
new file mode 100644
index 0000000..45db85a
--- /dev/null
+++ b/iptables/iptables-http-full-f2b.fw
@@ -0,0 +1,22 @@
+*filter
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
+:f2b-sshd - [0:0]
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A f2b-sshd -j RETURN
+COMMIT
diff --git a/iptables/iptables-http-full.fw b/iptables/iptables-http-full.fw
new file mode 100644
index 0000000..6b2a30b
--- /dev/null
+++ b/iptables/iptables-http-full.fw
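Review bot: The `f2b-sshd` chain declared at `:f2b-sshd - [0:0]` and closed with `-A f2b-sshd -j RETURN` is the chain fail2ban populates at runtime with its per-IP ban rules, so every `iptables-restore < iptables-http-full-f2b.fw` replaces the live chain with this empty template and silently clears all active bans until fail2ban is restarted or the jail reloaded. That deserves a header comment in the file (iptables-restore ignores lines starting with `#`), e.g. `# f2b-sshd is owned by fail2ban; after restoring this file run: fail2ban-client reload sshd`. Note also that the jump `-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd` sits before the `-i lo` and `RELATED,ESTABLISHED` accepts, so a ban also terminates a banned host's already-established SSH sessions — that matches where fail2ban's own action inserts the jump and looks intentional, but it is the one ordering difference from the other two files and should be documented. The non-zero packet counters in the policy lines are ignored by `iptables-restore` without `-c`; resetting them to `[0:0]` would keep the template free of one machine's history.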
@@ -0,0 +1,20 @@
+*filter
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+COMMIT
+
diff --git a/iptables/iptables-ssh-only.fw b/iptables/iptables-ssh-only.fw
new file mode 100644
index 0000000..42ec8dc
--- /dev/null
+++ b/iptables/iptables-ssh-only.fw
@@ -0,0 +1,14 @@
+*filter
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+
diff --git a/iptables/iptables.md b/iptables/iptables.md
new file mode 100644
index 0000000..85a508f
--- /dev/null
+++ b/iptables/iptables.md
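Review bot: This file only ever reaches the IPv4 `filter` table, and nothing in the commit adds an `ip6tables-restore` counterpart, so on a host with a global IPv6 address the `:INPUT DROP` policy and the 22/80/443/587 allow-list do not apply to IPv6 traffic and every listening socket is reachable over v6 unfiltered. Either add a matching v6 ruleset (the same rules plus `-A INPUT -p ipv6-icmp -j ACCEPT`, without which neighbour discovery breaks) or state the limitation in a header comment such as `# IPv4 only: pair with an ip6tables ruleset or disable IPv6 on the host`. Separately, the four `-A OUTPUT ... --sport N -m conntrack --ctstate ESTABLISHED -j ACCEPT` lines can never match a packet that the preceding `-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT` has not already accepted, and the chain policy is ACCEPT regardless, so the port-25 REJECT is the only OUTPUT rule with any effect; dropping the dead lines would make that obvious. Port 587 is SMTP submission (STARTTLS), not SMTPS (465), so the "SMTPS" label used for it in iptables.md is misleading.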
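Review bot: `:FORWARD ACCEPT [0:0]` leaves the forwarding path wide open in what is otherwise a deny-by-default, SSH-only ruleset; the host forwards nothing while `net.ipv4.ip_forward` is off, but software such as Docker switches it on and from then on any traffic routed through this box passes unfiltered. The safer default here is `:FORWARD DROP [0:0]`, or a comment stating why forwarding is deliberately permitted. The `-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT` line is unreachable because the generic `ESTABLISHED` accept above it matches first and OUTPUT's policy is ACCEPT anyway, and the `ESTABLISHED` half of `--ctstate NEW,ESTABLISHED` on the port-22 INPUT rule is likewise already covered by the `RELATED,ESTABLISHED` rule; trimming both to `--ctstate NEW` and removing the dead OUTPUT line makes the port-25 REJECT visibly the only egress restriction.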
@@ -0,0 +1,16 @@
+# Configurations
+All configurations includes:
+* INPUT DROP
+* SSH port on 22.
+* SMTP port 25 as `--reject-with icmp-port-unreachable`
+
+- [ssh-only](iptables-ssh-only.fw) -> SSH
+- [http-full](iptables-http-full.fw) -> HTTP/ HTTPS/ SMTPS
+- [http-full-f2b](iptables-http-full-f2b.fw) -> HTTP/ HTTPS/ SMTPS/ fail2ban
+
+## Usage
+
+Simply:
+```bash
+iptables-restore < file.fw
+```