From aaabd915f58601cc6152132b036f6be83f510364 Mon Sep 17 00:00:00 2001
From: Julien Oculi
Date: Wed, 29 May 2024 12:40:06 +0200
Subject: [PATCH] feat: add `iptables` config files

---
 iptables/_deploy.sh | 2 ++
 iptables/_install.sh | 1 +
 iptables/iptables/rules.sh | 29 +++++++++++++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 iptables/_deploy.sh
 create mode 100644 iptables/_install.sh
 create mode 100644 iptables/iptables/rules.sh

diff --git a/iptables/_deploy.sh b/iptables/_deploy.sh
new file mode 100644
index 0000000..9ae9b56
--- /dev/null
+++ b/iptables/_deploy.sh
@@ -0,0 +1,2 @@
+iptables -F
+source ./iptables/rules.sh
diff --git a/iptables/_install.sh b/iptables/_install.sh
new file mode 100644
index 0000000..07ffbeb
--- /dev/null
+++ b/iptables/_install.sh
@@ -0,0 +1 @@
+nala install iptables
diff --git a/iptables/iptables/rules.sh b/iptables/iptables/rules.sh
new file mode 100644
index 0000000..64650f2
--- /dev/null
+++ b/iptables/iptables/rules.sh
@@ -0,0 +1,29 @@
+# General rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# Fail2Ban
+iptables -N f2b-sshd
+iptables -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+iptables -A INPUT -p tcp -m multiport --dports 55555 -j f2b-sshd
+
+# LoopBack
+iptables -A INPUT -i lo -j ACCEPT
+
+# Keep Opened connection
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Anti DDOS
+iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
+
+# SSH
+iptables -A INPUT -p tcp -m tcp --dport 55555 -j ACCEPT
+
+# Main proxy
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS
+iptables -A INPUT -p udp --dport 443 -j ACCEPT # QUIC
+
+# Fail2Ban -Return-
+iptables -A f2b-sshd -j RETURN
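Review bot: In _deploy.sh, `iptables -F` flushes every filter chain before `source ./iptables/rules.sh` is known to resolve, and that path is relative to the caller's working directory (the rule file sits at iptables/iptables/rules.sh, so the script only works when started from the iptables/ directory). If the source fails, the ACCEPT rules are already gone while the chain policies left by a previous run stay in place, and on a host whose INPUT policy is already DROP nothing accepts the active session any more. Resolve the rule file from the script's own location and check it before flushing: `rules="$(dirname -- "$0")/iptables/rules.sh"`, `[ -r "$rules" ] || exit 1`, `source "$rules"`. `-F` also does not remove the user-defined chain, so on a second run `iptables -N f2b-sshd` in rules.sh reports that the chain already exists; an `iptables -X f2b-sshd` after the flush keeps reruns clean.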
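Review bot: rules.sh sets `iptables -P OUTPUT DROP` but adds no OUTPUT rule at all, so once the policy is in place every outbound packet is dropped, including the replies belonging to the sessions the INPUT rules accept (SSH on 55555, HTTP/HTTPS/QUIC) and any new connection the host itself initiates. The three default policies are also switched to DROP on the first lines, before the loopback and RELATED,ESTABLISHED accepts exist, so a run that is interrupted between them leaves the host unreachable. Add `-o lo` and conntrack ACCEPT rules for OUTPUT next to their INPUT counterparts, place them first, and move the `-P … DROP` lines to the end of the file; outbound connections the host needs (name resolution, package updates) still need explicit OUTPUT rules before that policy is applied. These rules only touch IPv4; if the host has IPv6 enabled, the same ports stay reachable over it until matching `ip6tables` rules exist.
```shell
# Accept loopback and already-established traffic in both directions first,
# so an interrupted run cannot cut the session that is applying the rules.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# … unchanged: Fail2Ban chain, ICMP rate limit, SSH and proxy ACCEPT rules, f2b-sshd RETURN …
# Default policies go last; new outbound connections the host needs still
# require explicit OUTPUT ACCEPT rules above this point.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
```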