IPTables - Are these rules useful?

[-Simple]

Hello guys,

could someone tell me if these rules are usefull and work well?
My knowledge about iptables is bad, so I hope someone could check it and maybe improve/change/add or delete something and make it usefull for everyone..

#!/bin/sh   

# Clear old rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t filter -F
iptables -t filter -X
iptables -Z
iptables -t nat -Z
iptables -t mangle -Z
iptables -t filter -Z
iptables -t raw -F PREROUTING
iptables -t raw -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Drop everything by default.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

# READY ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# STOP PING CMD
iptables -t filter -A INPUT -p icmp -j LOG --log-prefix "IPTABLES PING-DROP:"
iptables -t filter -A INPUT -p icmp -j DROP
iptables -t filter -A OUTPUT -p icmp -j LOG --log-prefix "IPTABLES PING-DROP:"
iptables -t filter -A OUTPUT -p icmp -j DROP

# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Drop TCP packets that are new and are not SYN
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Drop SYN packets with suspicious MSS value
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

# Block packets with bogus TCP flags
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# SSH ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# Allow outgoing SSH requests.
iptables -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
iptables -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# HTTP WEB ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT

# DNS ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

#
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Reject spoofed packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "IPTABLES Smurf Attack:"
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT   -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "IPTABLES Portscan:"
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "IPTABLES Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# MYSQL
iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 3306 -j ACCEPT

# TS Dateitransfer
iptables -t filter -A OUTPUT -p tcp --dport 41144 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 41144 -j ACCEPT

# QUERY
iptables -t filter -A OUTPUT -p tcp --dport 10011 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 10011 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30033 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30033 -j ACCEPT

# Account
iptables -t filter -A OUTPUT -p udp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 587 -j ACCEPT

# ALL TS SERVER
iptables -t filter -A OUTPUT -p udp --dport 9987 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 9987 -j ACCEPT

iptables -t filter -A OUTPUT -p tcp --dport 8087 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8087 -j ACCEPT

iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
iptables -A syn_flood -j DROP

# Limit connections per source IP
iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

# Limit new TCP connections per second per source IP
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j LOG --log-prefix "IPTABLES TCP LIMIT:"
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

Thanks!

Best regards,
Simple

 

[NatureNMoon]

You do not have to use "syn_flood" chain or the other rules about TCP especially, --ctstate. These kinds of rules are not good for your Operation System. It makes your system slow.
Instead of these, you can just use "SYNPROXY". You can check out the link below for SYNPROXY:

https://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf

Also, you shouldn't use ACCEPT in your rules. It can be a bug in your system, for example, if I attack your system by using the port and protocol, 9987 UDP. You will not be able to prevent/mitigate this attack due to having this rule

iptables -t filter -A OUTPUT -p udp --dport 9987 -j ACCEPT iptables -t filter -A INPUT -p udp --dport 9987 -j ACCEPT

Instead of using -j ACCEPT, you MUST use "-j RETURN", please check my thread about IPTABLES below;

Tutorial - About IPTABLES

I have just checked all the iptables scripts and I have seen that there are a lot of mistakes about IPTABLES Scripts, let me say the first mistake. You shouldn't use "ACCEPT" in your iptables scripts. This rule creates many backdoors and bugs, it may affect your servers very very bad. Instead of...

ciphers.pw

# Block packets with bogus TCP flags iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

For the rules above, you can just use "iptables -A INPUT -f -j DROP" means you are going to block all the fragmented or broken packets which come to your network. SYNPROXY will be doing the rules above, just by using 2 command lines.

Do not hesitate to keep in touch with me. I can help you with iptables rules. Just let me know by sharing what application/what kinds of applications you use. Then, I can create some rules for them.

See you for now...