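#!/usr/bin/env bash
# Stateful IPv4 packet filter for a game/hosting box: SSH, web, mail, DNS,
# MySQL, Steam/Source, TeamSpeak, SA:MP, Metin, Minecraft.
#
# Rule order matters: iptables walks a chain top to bottom and the first
# terminating target (ACCEPT/DROP) wins. The filters (INVALID, conntrack
# state, port-scan blocklist, ICMP limits, SYN-flood limiter) are therefore
# appended BEFORE the per-service ACCEPT rules — placed after them they never
# see the traffic they are supposed to police.
#
# Caveats:
#   - IPv4 only. ip6tables is left untouched, so any service that also binds
#     an IPv6 socket stays reachable over IPv6 unless ip6tables gets the same
#     treatment (or IPv6 is disabled on the host).
#   - Must run as root. Under `set -e` the first failing iptables call aborts
#     the script, so a typo cannot leave a half-applied ruleset unnoticed.
#   - `service iptables save|restart` is RHEL/CentOS (iptables-services)
#     specific; on Debian/Ubuntu use iptables-save / netfilter-persistent.
#   - The original file used typographic dashes (`–F`, `–-dport`) in the
#     first rules; iptables rejects those, so they are plain ASCII here.
set -euo pipefail

[[ "$(id -u)" -eq 0 ]] || { printf 'this script must run as root\n' >&2; exit 1; }

# ---- tunables --------------------------------------------------------------
# Global ceiling on new TCP connections. 1/second is very low for a public web
# server; raise it to match real load (the original comment said "edit as needed").
readonly SYN_RATE='1/second'
readonly SYN_BURST=3
# Inbound echo-requests (ping) accepted per second.
readonly ICMP_RATE='1/second'
# SA:MP datagrams per SOURCE ADDRESS before the excess is dropped.
readonly SAMP_RATE='6/second'
readonly SAMP_BURST=12
# How long a detected scanner stays blocked: 24 h (3600 x 24).
readonly SCAN_BAN_SECONDS=86400
# Nothing legitimate listens here; a connection attempt marks the source as a scanner.
readonly SCAN_TRIPWIRE_PORT=139
# Who may reach MySQL. 0.0.0.0/0 exposes 3306 to the whole internet (password
# brute force, future server CVEs); restrict to the hosts that really need it,
# e.g. '203.0.113.5/32', or remove the rule if only local clients connect.
readonly MYSQL_SRC='0.0.0.0/0'

# ---- reset -----------------------------------------------------------------
# Flush rules AND delete user-defined chains so re-running is idempotent
# (the `-N` calls below fail if the chain already exists).
iptables -F
iptables -X

# ---- baseline --------------------------------------------------------------
# Loopback is trusted.
iptables -A INPUT -i lo -j ACCEPT
# Packets conntrack cannot associate with any connection (bogus flag
# combinations, out-of-window sequence numbers). Dropped before any ACCEPT.
iptables -A INPUT   -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT  -m state --state INVALID -j DROP
# Replies to connections we initiated and further packets of accepted ones.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH is accepted before the policies flip to DROP so an interactive session
# running this script is never cut off, and before the SYN-flood limiter so
# administrators are not starved by a flood aimed at the other services.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Default: drop whatever no rule accepts inbound/forwarded; allow all outbound.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# ---- port-scan blocklist -----------------------------------------------------
# Sources that hit the tripwire within the last SCAN_BAN_SECONDS are dropped
# wholesale. Once the entry is older than that, --rcheck no longer matches and
# the next rule purges it (no target: the packet simply continues).
iptables -A INPUT -m recent --name portscan --rcheck --seconds "$SCAN_BAN_SECONDS" -j DROP
iptables -A INPUT -m recent --name portscan --remove

# ---- ICMP --------------------------------------------------------------------
# Address-mask and timestamp requests only leak host details; never needed.
iptables -A INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
# Rate-limited ping. ICMP errors for our own connections are already accepted
# as RELATED above, so only echo-request needs an explicit rule.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit "$ICMP_RATE" -j ACCEPT

# ---- SYN-flood limiter -------------------------------------------------------
# Every new connection attempt (SYN without ACK) passes through SYN-FLOOD: up
# to SYN_RATE (burst SYN_BURST) RETURN to INPUT for normal processing, the rest
# are dropped. The original had `--syn -m limit -j ACCEPT` AFTER all the
# service rules, which limits nothing and instead lets a trickle of SYNs
# through to *closed* ports, bypassing the default DROP policy.
iptables -N SYN-FLOOD
iptables -A INPUT -p tcp --syn -j SYN-FLOOD
iptables -A SYN-FLOOD -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j RETURN
iptables -A SYN-FLOOD -j DROP

# Stray RSTs not belonging to a tracked connection: accept a trickle, the rest
# fall through to DROP. Low value (an accepted RST never opens anything), kept
# from the original for its scanner-noise dampening.
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# ---- services ------------------------------------------------------------------
# FTP control channel only. Passive-mode data connections additionally need the
# nf_conntrack_ftp helper (they then match RELATED) or an explicit port range.
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# HTTP / HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# SMTP / SMTPS
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
# IMAP / IMAPS (143 and 993 are IMAP, not POP3 as the original comment said;
# POP3 would be 110/995).
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
# DNS — one protocol per rule; `-p tcp,udp` is not valid iptables syntax.
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# MySQL — scoped by MYSQL_SRC (see tunables).
iptables -A INPUT -p tcp -s "$MYSQL_SRC" --dport 3306 -j ACCEPT

# Steam / Source engine (Counter-Strike)
# Steam Friends service
iptables -A INPUT -p udp --dport 1200 -j ACCEPT
iptables -A INPUT -p udp --dport 4380 -j ACCEPT
# Steam main UDP: 27000:27015 and 27015:27030 merged into one range.
iptables -A INPUT -p udp --dport 27000:27030 -j ACCEPT
iptables -A INPUT -p tcp --dport 27014:27050 -j ACCEPT

# TeamSpeak 3. All appended with -A: the original used -I for three of them,
# which inserted them at the very top of INPUT, ahead of every filter.
iptables -A INPUT -p udp --dport 9987 -j ACCEPT        # voice
iptables -A INPUT -p tcp --dport 30033 -j ACCEPT       # file transfer ("Data")
iptables -A INPUT -p tcp --dport 41144 -j ACCEPT       # TSDNS
# NOTE(review): TS3 raw ServerQuery normally listens on TCP 10011 — confirm
# the protocol before relying on this rule.
iptables -A INPUT -p udp --dport 10011 -j ACCEPT       # ServerQuery
iptables -A INPUT -p udp --dport 2011:2110 -j ACCEPT   # weblist / accounting server (licences)

# ---- SA:MP (UDP 7777) with flood protection ------------------------------------
# 1) Datagrams arriving with TTL exactly 128 were not decremented by any router:
#    a Windows host on the same segment, or a flood tool sending raw packets
#    with the Windows default TTL. NOTE(review): this also drops legitimate
#    same-subnet Windows players — confirm that is acceptable. Only 17–604 byte
#    datagrams (the sizes the original targeted) are dropped; the rest RETURN.
iptables -N SAMP-DDOS
iptables -A INPUT -p udp --dport 7777 -m ttl --ttl-eq 128 -j SAMP-DDOS
iptables -A SAMP-DDOS -m length --length 17:604 -j DROP
# The original additionally dropped EVERY inbound UDP datagram with TTL 128 on
# ANY port, which silently breaks DNS, Steam and TeamSpeak for same-segment
# Windows clients and makes the length filter above pointless. Re-enable only
# if that really is intended:
# iptables -A INPUT -p udp -m ttl --ttl-eq 128 -j DROP
#
# 2) Per-source rate limit. `-m limit` matches packets UNDER the rate, so the
#    original `-m limit ... -j DROP` dropped normal traffic and passed floods.
#    hashlimit --hashlimit-above drops only the excess, tracked per client IP
#    (needs the xt_hashlimit module).
iptables -A INPUT -p udp --dport 7777 -m hashlimit --hashlimit-name samp \
  --hashlimit-mode srcip --hashlimit-above "$SAMP_RATE" --hashlimit-burst "$SAMP_BURST" -j DROP
# 3) Whatever survived the filters is game traffic.
iptables -A INPUT -p udp --dport 7777 -j ACCEPT

# Metin2
iptables -A INPUT -p tcp -m tcp --dport 1022 -j ACCEPT
# Minecraft (default port)
iptables -A INPUT -p tcp --dport 25565 -j ACCEPT
# Further game/program ports go here: below the filters, above the tripwire.

# ---- port-scan tripwire ---------------------------------------------------------
# Nothing listens on SCAN_TRIPWIRE_PORT, so a connection attempt there is a
# scan: record the source (the --rcheck rule near the top then drops it for
# SCAN_BAN_SECONDS) and drop this packet. The original had the --rcheck/--remove
# pair but no --set rule, so its blocklist was never populated.
iptables -A INPUT -p tcp --dport "$SCAN_TRIPWIRE_PORT" -m recent --name portscan --set -j DROP

# ---- persist & show -------------------------------------------------------------
# RHEL/CentOS iptables-services: `restart` reloads what `save` just wrote, so
# this also proves the saved file loads cleanly.
service iptables save
service iptables restart
# -n skips reverse DNS lookups (slow, and leaks queries for every listed address).
iptables -L -n -v --line-numbers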