##
## base.rules: ip6tables-restore fragment for the filter table.
## The whitelist literals at the bottom are IPv6 (::1/128, fc00::/7, 2607:F298::0/32),
## so this file is loaded with ip6tables-restore, not iptables-restore.
## NOTE(review): no COMMIT appears in this file; presumably the loader
## (dh/bin/firewall.pl, referenced below) appends it -- confirm before loading by hand.
##
*filter
## Built-in policies stay ACCEPT: everything below is a negative (block-list) model,
## so a packet that matches nothing is delivered.
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
## Only INPUT and OUTPUT are flushed; FORWARD keeps whatever it already holds.
## NOTE(review): looks intentional (FORWARD carries no rules here) -- confirm.
-F INPUT
-F OUTPUT
##
## input chains
##
-N dh-whitelist-in
-N dh-portblock-in
-N dh-invalid-packets
-N dh-explicit-drop
-N dh-ssh-limit
##
## output chains
##
-N dh-whitelist-out
-N dh-syn-flood
-N dh-udp-flood
##
## this is used to handle drops and accepts via dh/bin/firewall.pl
## so no rules are defined for these chains, but we can build them here
## to have a note of where they are placed in the INPUT and OUTPUT chains
##
-N dh-ephemeral-in
-N dh-ephemeral-out
###################
## ingress rules ##
###################
##
## negative security model without connection tracking
## note that we only handle traffic on eth1 because private traffic (on eth0) is trusted
##
## Order matters: dh-whitelist-in ACCEPTs whitelisted sources, which ends INPUT
## traversal, so a whitelisted source is never subject to the port blocks, the
## explicit drops (including the CVE-2019-11477 mitigation), the invalid-packet
## checks or the ssh rate limit that follow.
## dh-ephemeral-in (runtime rules from firewall.pl) runs after the port block and
## before the explicit drops.
##
-A INPUT -i eth1 -j dh-whitelist-in
-A INPUT -i eth1 -j dh-portblock-in
-A INPUT -i eth1 -j dh-ephemeral-in
-A INPUT -i eth1 -j dh-explicit-drop
-A INPUT -i eth1 -j dh-invalid-packets
## only TCP to port 22 is handed to the rate limiter, so the chain below never
## has to re-check the port itself
-A INPUT -i eth1 -p tcp --dport 22 -j dh-ssh-limit
##
## dh-portblock-in. block ports after dh-whitelist-in and before dh-explicit-drop
## This is the one place that REJECTs (sends an error back to the peer) rather
## than silently DROPping; currently only inbound SMTP (tcp/25) is blocked here.
##
-A dh-portblock-in -i eth1 -p tcp --dport 25 -j REJECT
##
## services that the world doesn't need to talk to
## we include NRPE here because the dh-whitelist-in chain already picked up the nag hosts
## 111 tcp/udp = portmapper, 5666 tcp = NRPE; 1030 tcp/udp is blocked without a
## stated reason -- keep it in sync with whatever listens there.
##
-A dh-explicit-drop -p tcp --dport 111 -j DROP
-A dh-explicit-drop -p udp --dport 111 -j DROP
-A dh-explicit-drop -p tcp --dport 1030 -j DROP
-A dh-explicit-drop -p udp --dport 1030 -j DROP
-A dh-explicit-drop -p tcp --dport 5666 -j DROP
##
## mitigation rules for vulnerabilities and compliance
##
## Mitigation for CVE-2019-11477 tcp_sack kernel crash.
## Drops TCP segments whose MSS option advertises 1..500 bytes. The tcpmss match
## keys on the MSS option, which is only carried in SYN/SYN-ACK segments, so in
## practice this rejects low-MSS connection attempts from non-whitelisted sources.
-A dh-explicit-drop -p tcp -m tcpmss --mss 1:500 -j DROP
## PCI fails on timestamp request/response
## NOTE(review): no rule follows this comment in this file. ICMPv6 defines no
## timestamp request/reply types, so the corresponding drop (if any) belongs in
## the IPv4 rule set; confirm it exists there rather than here.
##
## invalid packets
## Flag combinations that never occur in a legitimate handshake: with RST and
## ACK clear, SYN+FIN and SYN+RST set together are dropped.
##
-A dh-invalid-packets -m tcp -p tcp --tcp-flags SYN,RST,ACK,FIN SYN,FIN -j DROP
-A dh-invalid-packets -m tcp -p tcp --tcp-flags SYN,RST,ACK,FIN SYN,RST -j DROP
##
## ssh rate limiting. allow no more than 10 SYNs on TCP dpt:22 in 60 seconds
## if this threshold is met, block all TCP dpt:22 packets for 60 seconds
## logs to /var/log/sshlimit.log
##
## How the four rules cooperate (all keyed on the source address, --rsource):
##   1. source already has >=10 hits in the last 60s -> log via NFLOG, at most 1 line/s
##   2. same condition -> DROP the packet (any flags, not just SYN)
##   3. no target: --rcheck with --reap just purges entries older than 60s
##   4. every new SYN adds a hit for its source
## Because rules 1-2 use --update, each blocked packet refreshes the last-seen
## time, so a source that keeps retrying stays blocked until it is quiet for 60s.
## Whitelisted sources never reach this chain (accepted earlier in INPUT).
##
-A dh-ssh-limit -m recent --update --seconds 60 --hitcount 10 --name dh-ssh-limit --rsource -m limit --limit 1/sec -j NFLOG --nflog-prefix "dh-ssh-limit "
-A dh-ssh-limit -m recent --update --seconds 60 --hitcount 10 --name dh-ssh-limit --rsource -j DROP
-A dh-ssh-limit -m recent ! --rcheck --seconds 60 --reap --name dh-ssh-limit --rsource
-A dh-ssh-limit -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name dh-ssh-limit --rsource
##################
## egress rules ##
##################
##
## since we allow arbitrary outbound connections we need to take a negative model with this chain
## As on ingress, dh-whitelist-out ACCEPTs first, so traffic to whitelisted
## destinations is exempt from the flood limits below. Only outbound SYNs
## (new TCP connections) and UDP datagrams are rate limited.
##
-A OUTPUT -o eth1 -j dh-whitelist-out
-A OUTPUT -o eth1 -j dh-ephemeral-out
-A OUTPUT -o eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j dh-syn-flood
-A OUTPUT -o eth1 -p udp -j dh-udp-flood
##
## outbound SYN flood mitigation, logs to /var/log/synflood.log
## Per (source, destination) pair: up to 1000 SYN/s with a burst of 1000 RETURN
## to OUTPUT unchanged; anything beyond that is logged (max 5 lines/s) and dropped.
##
-A dh-syn-flood -m hashlimit --hashlimit-upto 1000/s --hashlimit-burst 1000 --hashlimit-mode srcip,dstip --hashlimit-name dh-syn-flood -j RETURN
-A dh-syn-flood -m limit --limit 5/s -j NFLOG --nflog-prefix "dh-syn-flood "
-A dh-syn-flood -j DROP
##
## outbound UDP flood mitigation, logs to /var/log/udpflood.log
## Same shape as dh-syn-flood, but with no connection tracking every UDP datagram
## counts toward the 1000/s per (source, destination) budget, not just new flows.
##
-A dh-udp-flood -m hashlimit --hashlimit-upto 1000/s --hashlimit-burst 1000 --hashlimit-mode srcip,dstip --hashlimit-name dh-udp-flood -j RETURN
-A dh-udp-flood -m limit --limit 5/s -j NFLOG --nflog-prefix "dh-udp-flood "
-A dh-udp-flood -j DROP
##
## DH-wide whitelists
## inbound whitelists on public interface are necessary largely to handle Machine->Rsync calls
## (our current implementation uses rsync in daemon mode listening on a random high port, on the public interface)
## ::1/128 is loopback, fc00::/7 is the unique-local range;
## 2607:F298::0/32 is presumably the DH public allocation -- verify against the
## address plan before widening or narrowing it. Anything whitelisted here
## bypasses every other chain in this file.
##
-A dh-whitelist-out -d ::1/128 -j ACCEPT
-A dh-whitelist-out -d 2607:F298::0/32 -j ACCEPT
-A dh-whitelist-out -d fc00::/7 -j ACCEPT
-A dh-whitelist-in -s ::1/128 -j ACCEPT
-A dh-whitelist-in -s 2607:F298::0/32 -j ACCEPT
-A dh-whitelist-in -s fc00::/7 -j ACCEPT