# Generated by Shutter *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :Dmz - [0:0] :ValidCheck - [0:0] :Jail - [0:0] :Bastards - [0:0] :Public - [0:0] :AllowIP - [0:0] :Allowed - [0:0] :Private - [0:0] :DropJail - [0:0] :DropBastards - [0:0] :DropInvalid - [0:0] :DropScan - [0:0] :DropDDOS - [0:0] # [CHAIN:FAIL2BAN] -A INPUT -i lo -j ACCEPT -A INPUT -j Jail -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -j ValidCheck -A INPUT -j Dmz -A INPUT -j Bastards -A INPUT -j Public -A INPUT -j AllowIP -A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:" -A INPUT -j DROP ################################################################## # Jail goes here. Jail and any fail2ban chains will be # taken care of dynamically in locker-restore. ################################################################## # [RULES:JAIL] ################################################################## # Validity/Scanning/DDOS checking ################################################################## -A ValidCheck -m state --state INVALID -j DropInvalid -A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan -A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan -A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan -A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan -A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan -A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan -A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan -A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan -A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan -A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan -A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan -A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan -A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan -A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan -A ValidCheck -p tcp --tcp-option 64 -j DropScan -A ValidCheck -p tcp --tcp-option 128 -j DropScan -A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS -A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS -A ValidCheck -j RETURN ################################################################## # DMZ. Read from iface.dmz and added as: # -A INPUT -i -j ACCEPT ################################################################## # [RULES:DMZ] -A Dmz -j RETURN ################################################################## # All IP address ranges that are permanently banned. If # no IP addresses are given, then all will be assumed that no ip # addresses are banned and create the following rule # -A Bastards -j RETURN # otherwise a list of banned ips will be generated from ip.deny # and will look like this: # -A Bastards -s / -j DropBastards ################################################################## # [RULES:BASTARDS] -A Bastards -j RETURN ################################################################## # A list of authorized ports for the public access. If there are # entries in the ports.public file then they will be added as: # -A Public -m state --state NEW -p -m --dport -j ACCEPT ################################################################## # [RULES:PUBLIC] -A Public -j RETURN ################################################################## # All IP address ranges that are allowed to access the ports. If # no IP addresses are given, then all will be assumed and a rule # to jump to the Allowed chain will be created: # -A AllowIP -j Allowed # otherwise a list of allowed ips will be generated from ip.allow # and will look like this: # -A AllowIP -s 129.101.159.128/26 -j Allowed ################################################################## # [RULES:ALLOWIP] -A AllowIP -j RETURN ################################################################## # Allowed. If a packet has met all the requirements it will end # up here. This should be a static chain. ################################################################## -A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT -A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT -A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT -A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT -A Allowed -j Private -A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:" -A Allowed -j ACCEPT ################################################################## # A list of authorized ports for the allowed IPs. If there are # entries in the ports.private file then they will be added as: # -A Private -m state --state NEW -p -m --dport -j RETURN ################################################################## # [RULES:PRIVATE] -A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:" -A Private -j DROP ################################################################## # Log and Drops ################################################################## -A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:" -A DropJail -j DROP -A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:" -A DropBastards -j DROP -A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:" -A DropInvalid -j DROP -A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:" -A DropScan -j DROP -A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:" -A DropDDOS -j DROP ################################################################## # NATing ################################################################## # [RULES:FORWARD] -A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:" -A FORWARD -j DROP ################################################################## # Add any additional rules that fail2ban has added ################################################################## # [RULES:FAIL2BAN] COMMIT *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # [RULES:POSTROUTING] COMMIT