[CentOS]iptables設定例(さくらさん)
http://knowledge.sakura.ad.jp/beginner/4048/
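# (1) policy settings.
# Only OUTPUT defaults to ACCEPT. INPUT and FORWARD default to DROP, so only the
# protocols and ports explicitly opened below are reachable.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# (2) accept loopback traffic (connections from this host to itself)
-A INPUT -i lo -j ACCEPT
# (3) drop TCP packets with no flags set at all (NULL scan)
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# (4) drop packets that try to open a new connection without SYN
#     (SYN flood / stray segments)
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# (5) drop TCP packets with every flag set (stealth "XMAS" scan)
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# (6) settings for icmp (ping), rate-limited with hashlimit.
# Packets above the limit do not match this rule and fall through to the
# INPUT policy (DROP).
# -m hashlimit : load the hashlimit match
# --hashlimit-name t_icmp : name of the hash table (visible under /proc/net/ipt_hashlimit)
# --hashlimit 1/m : sustained rate of one packet per minute
# --hashlimit-burst 10 : up to 10 packets may pass before the rate limit takes effect
# --hashlimit-mode srcip : the limit is tracked per source IP address
# --hashlimit-htable-expire 120000 : idle table entries expire after this many milliseconds
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
# (7) accept packets that belong to a connection this host already has, for
# every protocol.
# No "-p tcp" here: connection tracking also follows UDP (e.g. DNS queries) and
# ICMP, so their return traffic is accepted only when it matches an outgoing
# flow, and RELATED lets ICMP error messages (destination-unreachable,
# fragmentation-needed) for our own connections through.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# (8) DNS replies are covered by rule (7).
# Do not accept "-p udp --sport 53" unconditionally: the source port is chosen
# by the sender, so such a rule would admit unsolicited UDP to any local port.
# (9) settings for SSH accept, rate-limited per source IP with hashlimit.
# Only the SYN of a new connection is checked here; the rest of the session is
# accepted by rule (7). Parameters are the same as in (6), tracked in a
# separate table.
# --hashlimit-name t_sshd : name of the hash table (visible under /proc/net/ipt_hashlimit)
# --hashlimit 1/m : sustained rate of one new connection per minute
# --hashlimit-burst 10 : up to 10 new connections may pass before the rate limit takes effect
# --hashlimit-mode srcip : the limit is tracked per source IP address
# --hashlimit-htable-expire 120000 : idle table entries expire after this many milliseconds
-A INPUT -p tcp --syn -m state --state NEW --dport 22 -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
# (10) add one rule per protocol/port that should be reachable below.
# Example: accept HTTP (TCP 80) and HTTPS (TCP 443)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT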