Iptables server security

How to set up a secure Linux server with iptables.

Some example rules which you can add to your iptables start script:

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

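# Smurf attack protection: drop ICMP address-mask and timestamp requests and
# accept echo requests at up to 1 per second (echo requests over the limit
# fall through to later rules or the chain policy)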
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
#

# Protect your web server on ports 80 and 443
# Total connection limit: --connlimit-mask 0 counts all source addresses together
# (without it the default mask of 32 would make this a second per-IP limit)

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 0 -j LOG --log-prefix "Limit HTTP Conn 100:" --log-level alert
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 0 -j DROP
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 100 --connlimit-mask 0 -j LOG --log-prefix "Limit HTTPS Conn 100:" --log-level alert
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 100 --connlimit-mask 0 -j DROP
# Per-IP connection limit: --connlimit-mask 32 counts each source address separately
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j LOG --log-prefix "Limit HTTP Conn 10:" --log-level alert
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j LOG --log-prefix "Limit HTTPS Conn 10:" --log-level alert
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
#
# Rate-limit RST packets to reject RST floods (accept at most 2 per second, burst 2)
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
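# Port scan protection
# An attacking IP is locked out for 24 hours (3600 x 24 = 86400 seconds)
# These rules only act on addresses already in the "portscan" list; a separate
# rule using "-m recent --name portscan --set" has to add them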
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j LOG --log-prefix "Portscan Input:" --log-level alert
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j LOG --log-prefix "Portscan Forward:" --log-level alert
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Remove attacking IP after 24 hours
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
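# Protect against DoS attacks: accept new TCP connections at up to 60 per second
# (burst 20), then log and drop the rest
# In the web server rules above, adjust "--connlimit-above NN" (10 here) to the maximum connections per IP that you need.
# Adjust "--connlimit-above NNN" (100 here) to the maximum total connections you want your web server to support.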
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j LOG --log-prefix "Limit ConnTrack 60-20:" --log-level alert
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
#
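
Each LOG rule above tags its packets with a --log-prefix, so the kernel log can be tallied per source address to see which limit is being hit and by whom. The following is an added example, not part of the original page: the function names summarize_fw_log and sample_log are assumptions, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): tally iptables LOG hits per source.
# The prefixes are the --log-prefix strings used by the rules on this page.

# Usage: summarize_fw_log [min_hits] < kernel.log
# Prints "count source-ip prefix", highest count first.
summarize_fw_log() {
    LC_ALL=C awk -v min="${1:-1}" '
    BEGIN {
        s = "Limit HTTP Conn 100:;Limit HTTPS Conn 100:;Limit HTTP Conn 10:;"
        s = s "Limit HTTPS Conn 10:;Portscan Input:;Portscan Forward:;"
        s = s "Limit ConnTrack 60-20:"
        n = split(s, prefix, ";")
    }
    {
        for (i = 1; i <= n; i++) {
            # The kernel writes "IN=<iface>" directly after the prefix.
            if (index($0, prefix[i] "IN=") == 0) continue
            # Pull the address out of the " SRC=a.b.c.d" field.
            if (match($0, / SRC=[^ ]+/)) {
                src = substr($0, RSTART + 5, RLENGTH - 5)
                hits[src " " prefix[i]]++
            }
            break
        }
    }
    END {
        for (k in hits) if (hits[k] >= min) print hits[k], k
    }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines in the LOG target's format (documentation addresses).
sample_log() {
    cat <<'EOF'
Jan 12 03:14:07 web1 kernel: Limit HTTP Conn 10:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=80 SYN
Jan 12 03:14:07 web1 kernel: Limit HTTP Conn 10:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=80 SYN
Jan 12 03:14:08 web1 kernel: Limit HTTP Conn 10:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51516 DPT=80 SYN
Jan 12 03:14:09 web1 sshd[812]: Accepted publickey for admin from 192.0.2.50 port 40022
Jan 12 03:15:01 web1 kernel: Portscan Input:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 12 03:15:02 web1 kernel: Portscan Input:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25 SYN
Jan 12 03:16:30 web1 kernel: Limit ConnTrack 60-20:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51600 DPT=8080 SYN
Jan 12 03:17:12 web1 kernel: Limit HTTPS Conn 100:IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=443 SYN
EOF
}

# Show only sources with at least 2 hits for the same rule.
sample_log | summarize_fw_log 2
```

On a live system, feed it the kernel log instead of the sample, for example the output of dmesg or journalctl -k.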

 
