Firewall

From Jon's Wiki
Revision as of 00:04, 16 June 2009 by Johnno (talk | contribs)

Sick of chunderheads from Romania trying to hammer down your SSH door? Use keys. Disable passwords. Then use this iptables script. Whitelist the addresses you SSH in from. Every other source IP gets a small budget of new connections, counted per address: with the settings below, one straight away and one more every 30 seconds are accepted; the next one in each minute is rejected outright; anything beyond that is silently dropped, which leaves the brute-forcer hanging on timeouts and should piss them off. Note that hashlimit counts connection attempts, not failed logins, so a legitimate user coming from a non-whitelisted address who opens several sessions in quick succession gets throttled too.

#!/bin/sh
# Throttle new SSH connections per source IP with the iptables hashlimit match.
# Rules in a chain are evaluated top down; the first rule that matches decides.

echo Adding iptables firewall rules
IPTABLES=/sbin/iptables

# flush everything and set chain policies (all ACCEPT: only SSH is filtered
# here, so re-running this over a remote session cannot lock you out)
${IPTABLES} -F
${IPTABLES} -t nat -F
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P OUTPUT ACCEPT

# allow established connections first, so the hashlimit rules below only see
# packets that do not belong to an existing connection (new SYNs, including
# retransmitted ones)
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH whitelist: the LAN and the address you come in from are never throttled.
# Replace <ipaddress> with your own public address.
${IPTABLES} -A INPUT -p TCP --dport 22 -s 192.168.0.0/24 -j ACCEPT
${IPTABLES} -A INPUT -p TCP --dport 22 -s <ipaddress>/32 -j ACCEPT

# Throttle SSH from everywhere else. Each hashlimit rule keeps a token bucket
# per source IP (--hashlimit-mode srcip) that holds at most --hashlimit-burst
# packets and refills at the --hashlimit rate. In order:
#   1. SSH_OK:    one new connection right away, then one every 30 s -> ACCEPT
#   2. SSH_DODGY: one more per minute -> REJECT (ICMP port unreachable by
#                 default, so the client fails fast)
#   3. everything beyond that -> DROP, so the client hangs until it times out
${IPTABLES} -A INPUT -p TCP --dport 22 -m hashlimit --hashlimit-mode srcip --hashlimit 2/minute --hashlimit-burst 1 --hashlimit-name SSH_OK -j ACCEPT
${IPTABLES} -A INPUT -p TCP --dport 22 -m hashlimit --hashlimit-mode srcip --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-name SSH_DODGY -j REJECT
${IPTABLES} -A INPUT -p TCP --dport 22 -j DROP
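To see what that rule order actually does to one source over time, here is a small model of the port-22 part of the chain. It is an added example written for this page, not the wiki's script and not iptables code. It models each hashlimit rule the way xt_hashlimit does: a per-source bucket holding at most burst packets' worth of credit, refilled continuously at the configured rate, consulted only when the rules above it did not match. The source address 203.0.113.7, the attempt timeline and the whitelist (only 192.168.0.0/24; the <ipaddress>/32 slot is left out) are constructed for the example, and the idle-entry expiry is a parameter of the model because the script does not set --hashlimit-htable-expire.

```python
"""Model of the SSH throttle chain: whitelist, two hashlimit buckets, then DROP.

Added example for this page, not the wiki's script.  Times are integer seconds
and must be fed in non-decreasing order, as packets would arrive.
"""
import ipaddress


class HashlimitRule:
    """One `-m hashlimit --hashlimit-mode srcip` rule.

    Modelled after xt_hashlimit: each source IP gets a bucket holding up to
    `burst` packets' worth of credit, refilled at `rate_per_minute`; a packet
    matches if a whole packet's credit is available.  An entry idle for more
    than `expire` seconds is garbage-collected and the next packet from that
    source starts a fresh, full bucket.  The script never sets
    --hashlimit-htable-expire, so the 60 s default here is an assumption of
    the model, not the value your iptables build uses.
    """

    def __init__(self, rate_per_minute, burst, expire=60):
        assert 60 % rate_per_minute == 0, "model only handles rates that divide a minute"
        self.cost = 60 // rate_per_minute      # seconds of credit one packet costs
        self.cap = self.cost * burst           # a fresh entry holds one full burst
        self.expire = expire
        self.table = {}                        # srcip -> {"credit": int, "seen": int}

    def match(self, src, now):
        entry = self.table.get(src)
        if entry is None or now - entry["seen"] > self.expire:
            entry = {"credit": self.cap, "seen": now}   # new or expired: full burst
        # lazy refill since the last packet, capped at the burst size
        entry["credit"] = min(self.cap, entry["credit"] + (now - entry["seen"]))
        entry["seen"] = now
        self.table[src] = entry
        if entry["credit"] >= self.cost:
            entry["credit"] -= self.cost
            return True
        return False


class SshInputChain:
    """The port-22 rules of the INPUT chain from the script, evaluated top down."""

    WHITELIST = [ipaddress.ip_network("192.168.0.0/24")]  # <ipaddress>/32 slot omitted

    def __init__(self, expire=60):
        self.ssh_ok = HashlimitRule(rate_per_minute=2, burst=1, expire=expire)     # SSH_OK -> ACCEPT
        self.ssh_dodgy = HashlimitRule(rate_per_minute=1, burst=1, expire=expire)  # SSH_DODGY -> REJECT

    def verdict(self, src, now):
        if any(ipaddress.ip_address(src) in net for net in self.WHITELIST):
            return "ACCEPT"
        if self.ssh_ok.match(src, now):
            return "ACCEPT"
        if self.ssh_dodgy.match(src, now):   # only consulted when SSH_OK did not match
            return "REJECT"
        return "DROP"


def simulate(attempt_times, src="203.0.113.7", expire=60):
    """Verdicts for new SSH connections from `src` at the given second offsets."""
    chain = SshInputChain(expire=expire)
    return [chain.verdict(src, t) for t in attempt_times]


if __name__ == "__main__":
    # constructed timeline: a brute-forcer hammering away for a minute
    times = [0, 1, 2, 30, 31, 60, 61]
    for t, v in zip(times, simulate(times)):
        print(f"t={t:>3}s  {v}")
    # same source after an 11 s pause, with the entry expiry shorter vs longer than the pause
    print("expire=10:", simulate([0, 1, 12], expire=10))
    print("expire=60:", simulate([0, 1, 12], expire=60))
```

The first timeline shows the accept/reject/drop pattern the text describes: the first attempt is accepted, the second rejected, everything else dropped until the SSH_OK bucket refills 30 seconds later. The second pair of runs is the caveat to check on a real box: if the hashlimit table expiry is shorter than the gap between attempts, an attacker who pauses gets a fresh burst instead of a drop, so set --hashlimit-htable-expire explicitly to at least the slowest rule's interval rather than relying on the default.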