Excellent Firewall Rules for CentOS :D Will Prevent Brute Force

Posted on Aug 9, 2010

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [467:73725]
:OPEN-TCP - [0:0]
:OPEN-UDP - [0:0]
# eth1 is treated as the trusted (internal) interface; loopback is always allowed
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# new connections are dispatched to the per-protocol chains below
-A INPUT -p udp -m state --state NEW -j OPEN-UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j OPEN-TCP
# anything that falls back out of the OPEN-* chains hit a closed port: remember the
# source as a scanner, then reject. The catch-all REJECT must come last, otherwise
# the two PORTSCAN rules are never reached.
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# a source seen hitting a closed TCP port within the last 60 s is refused even on open ports
-A OPEN-TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --rsource -j REJECT --reject-with tcp-reset
-A OPEN-TCP -p tcp -m tcp -m multiport --dports 80,113,2049,23456,51413,64738 -j ACCEPT
# SSH: once 4 NEW connections from a source are already recorded within 60 s,
# further ones are logged (ULOG) and then dropped; otherwise record and accept
-A OPEN-TCP -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j ULOG --ulog-prefix "SSH_brute_force"
-A OPEN-TCP -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A OPEN-TCP -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
# same scanner trap for UDP
-A OPEN-UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --rsource -j REJECT --reject-with icmp-port-unreachable
COMMIT
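To see what the three --dport 22 rules actually do, here is an added simulation of the xt_recent bookkeeping behind them; it is not part of the original post. It models my reading of the module: --update with --seconds/--hitcount matches only when the address is already listed and enough already-recorded timestamps fall inside the window, and the current packet is recorded only when that match succeeds, while --set always records it. Addresses and timings are constructed sample input.

```python
from collections import deque

# Constructed model of the xt_recent list used by the SSH rules above (not the
# kernel code). Per source address the module keeps a ring of hit timestamps
# (ip_pkt_list_tot, default 20 entries).

class RecentList:
    def __init__(self, seconds, hitcount, max_stamps=20):
        self.seconds, self.hitcount = seconds, hitcount
        self.max_stamps = max_stamps
        self.stamps = {}            # src -> deque of hit timestamps (seconds)

    def set(self, src, now):
        """--set: create the entry if needed and record this packet."""
        self.stamps.setdefault(src, deque(maxlen=self.max_stamps)).append(now)

    def update(self, src, now):
        """--update --seconds S --hitcount N: match if >= N recorded stamps lie
        within the last S seconds; on a match the current packet is recorded too,
        which is what keeps a persistent attacker locked out."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False

def ssh_new_connection(table, src, now):
    """Walk the OPEN-TCP --dport 22 rules, in order, for one NEW SYN from src."""
    if table.update(src, now):      # rule 1: ULOG is non-terminating
        table.update(src, now)      # rule 2: matches again and DROPs
        return "DROP"
    table.set(src, now)             # rule 3: --set, then ACCEPT
    return "ACCEPT"

def simulate(attempts, seconds=60, hitcount=4):
    """attempts: iterable of (time_in_seconds, src); returns one verdict each."""
    table = RecentList(seconds, hitcount)
    return [ssh_new_connection(table, src, t) for t, src in attempts]

if __name__ == "__main__":
    # One address opening a connection every second, plus one legitimate user.
    burst = [(t, "198.51.100.7") for t in range(6)] + [(6, "203.0.113.9")]
    print(simulate(burst))   # 4 accepted, then dropped; the other address is unaffected
```

Note what the window does not stop: a source that pauses for a full 60 seconds gets four fresh attempts, so the rules slow a brute-force attempt down rather than block it outright.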