Example stateful firewall with block list

diff --git a/iptables.rules b/iptables.rules
new file mode 100644 (file)
index 0000000..a884c60
--- /dev/null
+++ b/iptables.rules
@@ -0,0 +1,42 @@
+# This set of IPTABLES rules is adapted from:
+# https://wiki.archlinux.org/index.php/Simple_stateful_firewall
+# Retrieved: 2018-09-11
+# Generated by iptables-save v1.8.0 on Tue Sep 11 14:41:53 2018
+*mangle
+:PREROUTING ACCEPT [40249:20804765]
+:INPUT ACCEPT [39481:20735931]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [8471:887466]
+:POSTROUTING ACCEPT [8392:882867]
+COMMIT
+# Completed on Tue Sep 11 14:41:53 2018
+# Generated by iptables-save v1.8.0 on Tue Sep 11 14:41:53 2018
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [317:30781]
+:TCP - [0:0]
+:UDP - [0:0]
+
+# First allow all related connections.  Avoids the overhead
+# of checking thousands of IP addresses first
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+# Packets on the loopback interface cannot come from the outside world
+-A INPUT -i lo -j ACCEPT
+# Invalid packets are always dropped
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+# Drop all packets coming from the ban list
+-A INPUT -m set --match-set glocker src -j DROP
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+# Prevent all outgoing traffic to banned IP addresses also
+-A OUTPUT -m set --match-set glocker dst -j DROP
+
+-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
+
+COMMIT
+# Completed on Tue Sep 11 14:41:53 2018