Bosphorus (Member, joined Oct 15, 2010)
Good Night!
In this simple tutorial, I'll be explaining a small firewall to protect your server.
I'm no expert on the subject, but I will give some tips here.
This firewall works on a DROP (deny) policy, and allows only what is necessary.
This is quite logical, because if you won't use it, why leave it open?
Come on, let's get to work!
Create the file on this path.
Code:
cd /etc/init.d/
vi firewall.sh   # (USE YOUR EDITOR)
Edit firewall.sh and copy these lines.
Code:
#!/bin/bash
########################################
# Firewall #
########################################
# Variables
# External interface (YOUR NETWORK INTERFACE)
if_ext=eth0
# Default policy - DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# ------------------------------------------------
# Enable TCP syncookies (SYN flood protection)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ignore ICMP echo requests (ping)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Allow access to localhost
iptables -I INPUT -p all -s 127.0.0.1 -j ACCEPT
# Allow replies to connections that were already accepted or started by us
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow external access to ports
iptables -I INPUT -i $if_ext -p tcp --dport 80 -j ACCEPT # HTTP
iptables -I INPUT -i $if_ext -p tcp --dport 7171 -j ACCEPT # TIBIA
iptables -I INPUT -i $if_ext -p tcp --dport 7172 -j ACCEPT # TIBIA GAME PORT
# Limit connections on Tibia ports (more than 10 from one IP -> reject and remember the IP for 60 s)
iptables -A INPUT -p tcp -m recent --rcheck --seconds 60 -j REJECT
iptables -A INPUT -p tcp --dport 7171 -m connlimit --connlimit-above 10 -m recent --set -j REJECT
iptables -A INPUT -p tcp --dport 7172 -m connlimit --connlimit-above 10 -m recent --set -j REJECT
# Allow SSH (PUTTY)
iptables -I INPUT -i $if_ext -p tcp --dport 22 -j ACCEPT
# Limit connections (more than 20 new TCP connections within 3 s -> drop)
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP
# Block TCP-CONNECT scan attempts (SYN bit packets)
#iptables -A INPUT -p tcp --syn -j DROP
# Block TCP-SYN scan attempts (only SYN bit packets)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH SYN -j DROP
# Block TCP-FIN scan attempts (only FIN bit packets)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
# Block TCP-ACK scan attempts (only ACK bit packets)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
# Block TCP-NULL scan attempts (packets without any flag)
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL NONE -j DROP
# Block "Christmas Tree" TCP-XMAS scan attempts (packets with FIN, URG, PSH bits)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP
# Block DOS - Teardrop (fragmented UDP)
iptables -A INPUT -p UDP -f -j DROP
# Block DDOS - Smurf (broadcast pings)
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p ICMP --icmp-type echo-request -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
# Block DDOS - SYN-flood (more than 9 parallel connections from one IP)
# Note: the old "iplimit" match has been renamed "connlimit" in current iptables
iptables -A INPUT -p TCP --syn -m connlimit --connlimit-above 9 -j DROP
# Block DDOS - SMBnuke (NetBIOS ports)
iptables -A INPUT -p UDP --dport 135:139 -j DROP
iptables -A INPUT -p TCP --dport 135:139 -j DROP
# Block DDOS - Jolt (fragmented ICMP)
iptables -A INPUT -p ICMP -f -j DROP
# Block DDOS - Fraggle (broadcast UDP)
iptables -A INPUT -p UDP -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p UDP -m limit --limit 3/s -j ACCEPT
# Log the rest of the connections (then the default DROP policy applies)
iptables -A INPUT -i $if_ext -p all -j LOG --log-prefix " - FIREWALL: dropped -> "
Save the file.
Now, make it executable.
Code:
chmod +x firewall.sh
Now, make it start with the server.
Code:
update-rc.d firewall.sh defaults
You can now execute your firewall with this command.
Code:
sh firewall.sh
You can see the DROP logs with
Code:
cat /var/log/messages
Ready.
This is just a short tutorial on how to make your server more secure.
If something is wrong, please let me know!
Any questions, post them here.
This does not solve 100% of DDOS attacks.
If this helped, give me reputation.
Thanks
Credits: Stian and Don Daniello
(Some rules)
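As an added example (not part of the original post), a small Python parser for the lines the script's LOG rule writes to /var/log/messages: it counts drops per source IP, flags sources that probed several closed ports, and picks out TCP packets carrying no flags at all (the NULL-scan case the script drops). The log lines are constructed samples trimmed to the fields the parser reads; a real kernel LOG line also carries MAC, TOS and PREC.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what the script's LOG rule writes to /var/log/messages.
SAMPLE_LOG = """\
Mar 12 10:15:01 otserv kernel: [1201.5] - FIREWALL: dropped -> IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:15:01 otserv kernel: [1201.6] - FIREWALL: dropped -> IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:15:02 otserv kernel: [1202.1] - FIREWALL: dropped -> IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=44323 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:15:03 otserv kernel: [1203.0] - FIREWALL: dropped -> IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=78 TTL=120 ID=5 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 10:15:04 otserv kernel: [1204.2] - FIREWALL: dropped -> IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=40 TTL=44 ID=0 PROTO=TCP SPT=5555 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Mar 12 10:15:05 otserv sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 51000 ssh2
"""

# Key=value pairs worth keeping from a netfilter LOG line.
KV_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_line(line):
    """Parse one syslog line; return None unless it carries the FIREWALL prefix."""
    if "FIREWALL:" not in line:
        return None
    rec = dict(KV_RE.findall(line))
    # TCP flags are bare tokens after RES=, e.g. "RES=0x00 SYN URGP=0".
    tokens = line.split()
    rec["flags"] = [f for f in TCP_FLAGS if f in tokens]
    return rec

def summarize(log_text):
    """Count drops per source IP and collect the destination ports each source touched."""
    per_src = Counter()
    ports_by_src = defaultdict(set)
    null_scan_srcs = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_src[rec["SRC"]] += 1
        if rec.get("DPT"):
            ports_by_src[rec["SRC"]].add((rec["PROTO"], int(rec["DPT"])))
        # A TCP segment with no flags at all is the NULL-scan pattern the script drops.
        if rec.get("PROTO") == "TCP" and not rec["flags"]:
            null_scan_srcs.add(rec["SRC"])
    return per_src, ports_by_src, null_scan_srcs

def likely_scanners(log_text, min_ports=3):
    """Sources that probed at least min_ports distinct closed ports: a port-scan indicator."""
    _, ports_by_src, _ = summarize(log_text)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)
```

Run it over `grep FIREWALL /var/log/messages` output instead of `SAMPLE_LOG` to see which sources the default DROP policy is actually catching.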