| 1234567891011121314151617181920212223242526272829303132 |
- *filter
- # accept established connections
- -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- # accept local traffic
- -A INPUT -i lo -j ACCEPT
- -A OUTPUT -o lo -j ACCEPT
- # accept ping
- -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
- # accept ssh with rate limiting
- -N LOGREJECTSSH
- -A LOGREJECTSSH -j LOG --log-prefix "iptables deny: " --log-level 7
- -A LOGREJECTSSH -j REJECT
- -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
- -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rttl --rsource -j LOGREJECTSSH
- -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
- # drop invalid
- -A INPUT -m conntrack --ctstate INVALID -j DROP
- # reject all others (linux compliant blacklist)
- -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
- -A INPUT -p tcp -j REJECT --reject-with tcp-rst
- -A INPUT -j REJECT --reject-with icmp-proto-unreachable
- # drop forwards
- -A FORWARD -j DROP
- COMMIT
|
