path: root/src/firewall/src-default
blob: 0e2b8ea1a24a0ce5a16299127d9ba529d9d01007 (plain)

*filter
# iptables-restore fragment for the filter table (loaded as a *filter ... COMMIT block).
# Rules are evaluated top to bottom; a packet that matches no ACCEPT above the
# final LOG/DROP/REJECT rules is logged and then discarded, so every service that
# should work needs its own ACCEPT pair:
#   client  = OUTPUT request + INPUT reply
#   server  = INPUT request  + OUTPUT reply
# Lines starting with "#-A" are ready-made templates; uncomment the ones needed.
# NOTE(review): this fragment sets no chain policies (":INPUT DROP [0:0]" etc.).
# The explicit -j DROP / -j REJECT rules at the end close the chains anyway, but
# confirm where the policies come from if this file is ever loaded on its own.

# Loopback
# Accept everything on the loopback interface before any other check.
-A INPUT  -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Drop corrupt (evil) null packets.
# TCP segments with no flags set at all.
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop corrupt (evil) syn packets.
# A NEW connection must begin with SYN; a non-SYN segment claiming to be NEW is dropped.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop XMAS (corrupt/evil) packets
# TCP segments with every flag set.
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Anti DoS attack
# NOTE(review): the unit is spelled "1/seconds"; iptables documents it as
# "/second" - confirm the rule parses before enabling it. Packets above the
# limit simply do not match here and fall through to the rules below.
#-A INPUT -p tcp --dport 1:1024 -m limit --limit 1/seconds --limit-burst 100 -j ACCEPT

# DNS client
#-A OUTPUT -p udp --dport 53 -m udp -j ACCEPT
#-A INPUT  -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

# mDNS (zeroconf, bonjour)
#-A INPUT  -p udp --sport 5353 --dport 5353 -j ACCEPT
#-A OUTPUT -p udp --dport 5353 --sport 5353 -j ACCEPT

# DHCP client
#-A OUTPUT -p udp --dport 67:68 -j ACCEPT
#-A INPUT  -p udp -m state --state ESTABLISHED,RELATED --sport 67:68 -j ACCEPT

# Ping client
#-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
#-A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT

# Ping server
#-A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
#-A OUTPUT -p icmp --icmp-type echo-reply   -j ACCEPT

# Traceroute client
# ICMP type 8 = echo-request (outgoing probe), type 11 = time-exceeded (replies
# from intermediate hops). The UDP range covers the classic UDP probe ports.
# NOTE(review): the UDP INPUT rule is keyed on source port only, with no
# --state match; the other client sections pair --sport with
# "-m state --state ESTABLISHED,RELATED" - consider doing the same here.
#-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
#-A INPUT  -p icmp --icmp-type 11 -j ACCEPT
#-A OUTPUT -p udp -m udp --match multiport --dports 33434:33523 -j ACCEPT
#-A INPUT  -p udp -m udp --match multiport --sports 33434:33523 -j ACCEPT

# Traceroute server
# REJECT (ICMP port-unreachable by default) answers the UDP probe with the
# error a remote traceroute expects from its final hop.
#-A INPUT -p icmp --icmp-type 8 -j ACCEPT
#-A INPUT -p udp --dport 33434:33523 -j REJECT

# NTP client
# Maybe the part "-m state --state ESTABLISHED,RELATED" has to be dropped (not tested yet).
#-A OUTPUT -p udp --dport 123 -j ACCEPT
#-A INPUT -p udp --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT

# NTP Server
#-A INPUT -p udp --dport 123 -j ACCEPT
#-A OUTPUT -p udp --sport 123 -j ACCEPT

# SSH client
#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

# SSH server
#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
#-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

# OpenVPN client
#-A OUTPUT -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
#-A INPUT  -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT

# OpenVPN server
#-A INPUT  -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
#-A OUTPUT -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT

# Web client
#-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 443 -j ACCEPT

# Web server (HTTPS)
#-A INPUT -p tcp --dport 443 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Web server (HTTP)
#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT

# FTP client (control)
#-A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# (Passive mode)
#-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT  -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# (Active mode)
# NOTE(review): the OUTPUT rule below permits NEW outbound TCP from any port
# >= 1024 to any port >= 1024, i.e. far more than the FTP data channel; keep it
# disabled unless active-mode FTP is really required.
#-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#-A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# FTP server (control)
# These rules use "-m conntrack --ctstate"; the rest of the file uses
# "-m state --state". Both spell the same states - pick one for consistency.
#-A INPUT  -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED,NEW -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# (Active mode)
#-A INPUT  -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# (Passive mode)
# NOTE(review): an INPUT rule matching only ESTABLISHED can never admit the
# first packet of an inbound data connection (that packet is NEW, or RELATED
# when the FTP conntrack helper tracks it). Verify this pair actually works
# with the helper loaded before relying on it.
#-A INPUT  -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# CUPS client (to connect to printers)
# NOTE(review): the INPUT rule accepts any inbound TCP whose source port is
# 631, regardless of connection state; the other client sections add
# "-m state --state ESTABLISHED,RELATED" - consider doing the same here.
#-A OUTPUT -p tcp --dport 631 -j ACCEPT
#-A INPUT -p tcp --sport 631 -j ACCEPT

# CUPS server (only required for remote access)
#-A INPUT  -p tcp --dport 631 -j ACCEPT
#-A OUTPUT -p tcp --sport 631 -j ACCEPT

# Socket printing client
#-A OUTPUT -p tcp -m tcp --dport 9100 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 9100 -j ACCEPT

# POP3 client
#-A OUTPUT -p tcp --dport 995 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 995 -j ACCEPT

# SMTP client
#-A OUTPUT -p tcp --dport 465 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 465 -j ACCEPT

# IMAP client
#-A OUTPUT -p tcp --dport 993 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 993 -j ACCEPT

# Whois client
#-A OUTPUT -p tcp --dport 43 -j ACCEPT
#-A INPUT  -p tcp --sport 43 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Git client
#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 9418 -j ACCEPT
#-A INPUT  -p tcp -m state --state ESTABLISHED --sport 9418 -j ACCEPT

# Git server
#-A INPUT  -p tcp -m state --state NEW,ESTABLISHED --dport 9418 -j ACCEPT
#-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 9418 -j ACCEPT

# MsTeams/MsSkype clients (in addition to TCP 80 & 443)
# NOTE(review): the INPUT rule is keyed on source port only, with no --state
# match, unlike the other client sections - consider adding
# "-m state --state ESTABLISHED,RELATED".
#-A OUTPUT -p udp --match multiport --dports 3478:3481  -j ACCEPT
#-A INPUT  -p udp --match multiport --sports 3478:3481  -j ACCEPT

# Allow all for vbox host-only network
#-A OUTPUT -o vboxnet0 -j ACCEPT
#-A INPUT  -i vboxnet0 -j ACCEPT

# Allow all docker servers
# NOTE(review): the OUTPUT rule allows NEW,RELATED but not ESTABLISHED, so the
# follow-up packets of a host-initiated connection to a container would fall
# through to the final OUTPUT REJECT; ESTABLISHED looks like it is missing -
# verify before enabling.
#-A OUTPUT -o docker0 -m state --state NEW,RELATED -j ACCEPT
#-A INPUT  -i docker0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Some client ports for debugging.
#-A OUTPUT -p tcp -m tcp --match multiport --dports 10000:10010 -j ACCEPT
#-A INPUT  -p tcp -m state --state ESTABLISHED,RELATED --match multiport --sports 10000:10010 -j ACCEPT
#-A OUTPUT -p udp -m udp --match multiport --dports 10000:10010 -j ACCEPT
#-A INPUT  -p udp -m state --state ESTABLISHED,RELATED --match multiport --sports 10000:10010 -j ACCEPT

# Some server ports for debugging.
#-A INPUT  -p tcp --match multiport --dports 10000:10010 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --match multiport --sports 10000:10010 -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT  -p udp --match multiport --dports 10000:10010 -j ACCEPT
#-A OUTPUT -p udp -m udp --match multiport --sports 10000:10010 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log blocked connection attempts
# Anything reaching this point did not match an ACCEPT above. The INPUT log
# is disabled here (presumably for noise); the FORWARD and OUTPUT logs are on.
# NOTE(review): none of the LOG rules carry "-m limit", so a flood of blocked
# packets is logged one line each - consider rate-limiting the LOG targets.
#-A INPUT   -j LOG --log-prefix "FwBadIn:  " --log-level 6
-A FORWARD -j LOG --log-prefix "FwBadFwd: " --log-level 6
-A OUTPUT  -j LOG --log-prefix "FwBadOut: " --log-level 6

# Disallow any non-whitelisted packets (Use either DROP or REJECT. Your choice)
# Inbound is silently DROPped; forwarded and outbound traffic is REJECTed so
# local programs get an immediate error instead of a timeout.
-A INPUT   -j DROP
-A FORWARD -j REJECT
-A OUTPUT  -j REJECT

COMMIT