First, admit that the internet trolls have won. You can no longer leave the keys to your car under the sun visor. So, trust no one and block everything!
Below is a copy of my iptables firewall rules, slightly modified to obscure the specifics.
```
# iptables-restore format (*filter ... COMMIT); load with: iptables-restore < rules.v4
*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Force SYN packet check: a NEW connection must start with a SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Force fragmented packet check
-A INPUT -f -j DROP

# Drop XMAS packets (all TCP flags set)
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop NULL packets (no TCP flags set)
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow email (postfix, dovecot)
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Drop ping (ICMP echo-request)
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

# Log iptables denied calls (everything that reaches this point is about to be rejected)
-A INPUT -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
```
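Rule order is what makes this ruleset safe to apply remotely: the SSH allow and the LOG rule have to sit before the catch-all REJECT, or the first line after `COMMIT` is you locked out. The linter below is an added example (not from the original post) that parses an iptables-restore file in the format shown above and checks exactly those ordering properties; the embedded ruleset is a constructed, abridged copy of the INPUT chain.

```python
"""Lint an iptables-restore ruleset for ordering mistakes that cause lockouts.
Added example, not from the original post; assumes plain `-A CHAIN ...` lines
as in the ruleset above (*table, :CHAIN policy lines and COMMIT are skipped)."""
import shlex
# Constructed sample: the post's INPUT chain, abridged to what the checks look at.
RULESET = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
COMMIT
"""

def parse_rules(text):
    """Return [(chain, argv)] for every -A line, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-A"):
            argv = shlex.split(line)
            rules.append((argv[1], argv[2:]))
    return rules

def _opt(argv, flag):
    """Value following `flag` in argv, or None if absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def lint_input_chain(text, ssh_port="22"):
    """Check INPUT: unconditional deny last, SSH allow and LOG rule before it."""
    inp = [argv for chain, argv in parse_rules(text) if chain == "INPUT"]
    first = lambda pred: next((i for i, a in enumerate(inp) if pred(a)), None)
    deny_idx = first(lambda a: a in (["-j", "REJECT"], ["-j", "DROP"]))
    ssh_idx = first(lambda a: _opt(a, "--dport") == ssh_port and _opt(a, "-j") == "ACCEPT")
    log_idx = first(lambda a: _opt(a, "-j") == "LOG")
    open_tcp = sorted({int(_opt(a, "--dport")) for a in inp
                       if _opt(a, "-p") == "tcp" and _opt(a, "--dport")
                       and _opt(a, "-j") == "ACCEPT"})
    return {
        "default_deny_last": deny_idx is not None and deny_idx == len(inp) - 1,
        # An SSH allow placed after the catch-all deny never matches: remote lockout.
        "ssh_reachable": ssh_idx is not None and (deny_idx is None or ssh_idx < deny_idx),
        "logs_before_deny": None not in (log_idx, deny_idx) and log_idx < deny_idx,
        "open_tcp_ports": open_tcp,
    }
```

Run it against the real file before `iptables-restore`, passing the port from `sshd_config` as `ssh_port`; `open_tcp_ports` doubles as a quick review of what the host actually exposes.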