
These Linux iptables firewall rules drop the malformed TCP packets that port scanners send, block ping, and discard traffic from and to bogus ("bogon") addresses that should never appear on the wire, which defeats the simplest address-spoofing tricks. Most importantly, they drop all unsolicited incoming traffic and all forwarded traffic while allowing outgoing traffic and the replies it generates; the only outgoing traffic they block is ICMP echo, so the host neither sends nor answers pings. This article is not about opening incoming ports but about blocking all remote incoming traffic and only allowing outgoing traffic: every port you open is additional attack surface. IPv4 and IPv6 are filtered by separate tables (iptables and ip6tables), so we create a separate rules file for each.
First create the IPv4 rules file with sudo nano /etc/iptables/iptables.rules and paste in the rules below. The file path and the iptables.service / ip6tables.service unit names are those of the Arch Linux iptables package; on Debian and Ubuntu the iptables-persistent package reads /etc/iptables/rules.v4 and rules.v6 instead. Replace the placeholder in the -i rules with the name of the network-facing interface as listed by ip link (for example eth0 or enp3s0), not an IP address: -i matches on the interface name, and restricting the loopback-range drops to that interface is what keeps genuine loopback traffic on lo from being dropped before the lo accept rule further down. Check the file for syntax errors without loading it with sudo iptables-restore --test /etc/iptables/iptables.rules, then enable and load it with sudo systemctl enable iptables.service followed by sudo systemctl restart iptables.service; the rules take effect immediately. Do this from a local console or with a second way in: new inbound TCP connections, SSH included, are rejected the moment the rules load (an already established session normally survives because it matches the ESTABLISHED rule, but do not rely on that). The TCP and UDP user chains are intentionally empty; they are where per-port accept rules would go if you ever needed to open a port.
#### IPv4 Linux iptables rules - www.infohack.eu #####
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -f -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -s 100.64.0.0/10 -j DROP
-A INPUT -d 100.64.0.0/10 -j DROP
-A INPUT -i <your network interface name> -s 127.0.0.0/8 -j DROP
-A INPUT -i <your network interface name> -d 127.0.0.0/8 -j DROP
-A INPUT -s 127.0.53.53 -j DROP
-A INPUT -d 127.0.53.53 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -d 169.254.0.0/16 -j DROP
-A INPUT -s 192.0.0.0/24 -j DROP
-A INPUT -d 192.0.0.0/24 -j DROP
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -d 192.0.2.0/24 -j DROP
-A INPUT -s 192.88.99.0/24 -j DROP
-A INPUT -d 192.88.99.0/24 -j DROP
-A INPUT -s 192.88.99.1/32 -j DROP
-A INPUT -d 192.88.99.1/32 -j DROP
-A INPUT -s 192.88.99.2/32 -j DROP
-A INPUT -d 192.88.99.2/32 -j DROP
-A INPUT -s 198.18.0.0/15 -j DROP
-A INPUT -d 198.18.0.0/15 -j DROP
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -d 198.51.100.0/24 -j DROP
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -d 203.0.113.0/24 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 233.252.0.0/24 -j DROP
-A INPUT -d 233.252.0.0/24 -j DROP
-A INPUT -s 240.0.0.0/4 -j DROP
-A INPUT -d 240.0.0.0/4 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Every type of unsolicited inbound ICMP (echo-request, router-advertisement, source-quench, ...) is dropped;
# ICMP errors for our own connections were already accepted above as RELATED, which keeps Path MTU Discovery working
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp --icmp-type echo-reply -j DROP
-A OUTPUT -p icmp --icmp-type echo-request -j DROP
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
Two properties of the IPv4 rules above are worth knowing before you copy them. First, the last three rules REJECT (TCP RST, ICMP port-unreachable, ICMP protocol-unreachable) instead of silently dropping, so your own misdirected connections fail fast, but a scanner can tell that the host is up; change those three targets to DROP if you prefer the host to look unreachable. Second, all unsolicited inbound ICMP is dropped, so the host never answers ping; make sure the RELATED,ESTABLISHED accept comes before that ICMP drop, otherwise fragmentation-needed errors for your own outgoing connections are discarded as well and Path MTU Discovery breaks.
Now create the IPv6 rules file with sudo nano /etc/iptables/ip6tables.rules and paste in the rules below, check it with sudo ip6tables-restore --test /etc/iptables/ip6tables.rules, then enable and load it with sudo systemctl enable ip6tables.service followed by sudo systemctl restart ip6tables.service. IPv6 differs from IPv4 in one way that matters for a host firewall: a host cannot function without ICMPv6 Neighbor Discovery (router advertisements, neighbor solicitations and advertisements), which arrives from link-local fe80::/10 sources and is addressed to multicast ff02::/16 groups, so link-local sources, multicast destinations and ICMPv6 as a whole must not be dropped wholesale; accept the Neighbor Discovery types (a hop limit of 255 proves they came from on-link, since every router decrements it) and place the remaining ICMPv6 drop after the conntrack accept. RFC 4890 is the reference for which ICMPv6 messages a firewall must let through. Also remove the fc00::/7 and 64:ff9b::/96 drops if your network uses ULA addresses or NAT64, because they would block replies from your own local hosts.
#### IPv6 Linux iptables rules - www.infohack.eu #####
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
# ICMPv6 Neighbor Discovery is mandatory for IPv6 to work at all; these accepts sit first so that the address drops
# below (unspecified source ::, multicast, ...) cannot catch them. Hop limit 255 proves the packet came from on-link.
# 134 = router advertisement, 135/136 = neighbor solicitation/advertisement, 130 = MLD query (sent with hop limit 1)
-A INPUT -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -i <your network interface name> -s ::/128 -j DROP
-A INPUT -i <your network interface name> -d ::/128 -j DROP
-A INPUT -i <your network interface name> -s ::1/128 -j DROP
-A INPUT -i <your network interface name> -d ::1/128 -j DROP
-A INPUT -s ::ffff:0:0/96 -j DROP
-A INPUT -d ::ffff:0:0/96 -j DROP
-A INPUT -s ::ffff:0:0:0/96 -j DROP
-A INPUT -d ::ffff:0:0:0/96 -j DROP
-A INPUT -i <your network interface name> -s ::/96 -j DROP
-A INPUT -i <your network interface name> -d ::/96 -j DROP
-A INPUT -s 64:ff9b::/96 -j DROP
-A INPUT -d 64:ff9b::/96 -j DROP
-A INPUT -s 64:ff9b:1::/48 -j DROP
-A INPUT -d 64:ff9b:1::/48 -j DROP
-A INPUT -s 100::/64 -j DROP
-A INPUT -d 100::/64 -j DROP
-A INPUT -s 2001:10::/28 -j DROP
-A INPUT -d 2001:10::/28 -j DROP
-A INPUT -s 2001:db8::/32 -j DROP
-A INPUT -d 2001:db8::/32 -j DROP
-A INPUT -s fc00::/7 -j DROP
-A INPUT -d fc00::/7 -j DROP
-A INPUT -s fec0::/10 -j DROP
-A INPUT -d fec0::/10 -j DROP
-A INPUT -s ff00::/8 -j DROP
-A INPUT -s 2001:0000::/32 -j DROP
-A INPUT -d 2001:0000::/32 -j DROP
-A INPUT -s 2001::/23 -j DROP
-A INPUT -d 2001::/23 -j DROP
-A INPUT -s 2001::/32 -j DROP
-A INPUT -d 2001::/32 -j DROP
-A INPUT -s 2001:1::1/128 -j DROP
-A INPUT -d 2001:1::1/128 -j DROP
-A INPUT -s 2001:1::2/128 -j DROP
-A INPUT -d 2001:1::2/128 -j DROP
-A INPUT -s 2001:2::/48 -j DROP
-A INPUT -d 2001:2::/48 -j DROP
-A INPUT -s 2001:3::/32 -j DROP
-A INPUT -d 2001:3::/32 -j DROP
-A INPUT -s 2001:4:112::/48 -j DROP
-A INPUT -d 2001:4:112::/48 -j DROP
-A INPUT -s 2001:20::/28 -j DROP
-A INPUT -d 2001:20::/28 -j DROP
# 2002::/16 is the whole 6to4 range and already covers every 6to4 sub-range that embeds an IPv4 bogon
# (2002:a00::/24, 2002:7f00::/24, 2002:c0a8::/32, 2002:e000::/20, ...)
-A INPUT -s 2002::/16 -j DROP
-A INPUT -d 2002::/16 -j DROP
# 2001::/32 (Teredo) above already covers every Teredo sub-range that embeds an IPv4 bogon
# (2001:0:a00::/40, 2001:0:7f00::/40, 2001:0:c0a8::/48, 2001:0:e000::/36, ...)
-A INPUT -s 2620:4f:8000::/48 -j DROP
-A INPUT -d 2620:4f:8000::/48 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Every other unsolicited ICMPv6 type (echo-request included) is dropped; ICMPv6 errors for our own connections,
# such as packet-too-big, were already accepted above as RELATED, which keeps Path MTU Discovery working
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
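Rule-order mistakes such as an address drop that matches everything, or an ICMP drop placed before the conntrack accept, are easy to miss when reading a file this long. Here is an added example, written for this page and not code from the original article or any project, that walks a packet through an iptables-restore style ruleset the way the kernel does (first match wins, user chains fall back to their caller, the built-in chain's policy applies last), so the ordering can be checked offline before a file is loaded. It implements only the matchers these rules use (-i, -s, -d, -p, -f, --syn, --tcp-flags, --ctstate, --icmp-type, --icmpv6-type, --hl-eq), ignores any other option, does not handle '!' negation, and compares ICMP types as the literal token the rule uses. The two cut-down IPv6 INPUT chains, the eth0 interface name and the 2001:db8::/32 packets are constructed for the demonstration; parse_rules, matches, walk and pkt are names chosen here.

```python
# Added example (not from the original article or any project): walk a packet through an iptables-restore
# style ruleset, first match wins, to check rule ORDER offline. Only the matchers the page's rules use are
# implemented; ICMP types are compared as the literal token the rule uses ("135", "echo-request").
import ipaddress
import shlex

TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
ONE_ARG = {"-s", "-d", "-i", "-o", "-p", "-m", "-j", "--ctstate", "--icmp-type", "--icmpv6-type", "--hl-eq", "--reject-with"}

def parse_rules(text):
    """Return (policies, chains): chain -> policy ('-' for user chains), chain -> list of rule dicts."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                        # ':INPUT DROP [0:0]'
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
            continue
        args = shlex.split(line)
        if args[0] != "-A":
            continue
        rule, i = {}, 2
        while i < len(args):
            opt = args[i]
            if opt == "--tcp-flags":                    # mask, then comparison
                rule[opt], i = (args[i + 1], args[i + 2]), i + 3
            elif opt == "--syn":                        # iptables' own expansion of --syn
                rule["--tcp-flags"], i = ("FIN,SYN,RST,ACK", "SYN"), i + 1
            elif opt in ("-f", "--fragment"):
                rule["-f"], i = True, i + 1
            elif opt in ONE_ARG:
                rule[opt], i = args[i + 1], i + 2
            else:                                       # unknown option: skip it
                i += 1
        chains[args[1]].append(rule)
    return policies, chains

def matches(rule, pkt):
    """True if every matcher present in the rule is satisfied by the packet."""
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):      # 'in' is also False across v4/v6 families
        if opt in rule and ipaddress.ip_address(pkt[key]) not in \
                ipaddress.ip_network(rule[opt], strict=False):
            return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "-f" in rule and not pkt.get("fragment", False):
        return False
    if "--ctstate" in rule and pkt.get("state") not in rule["--ctstate"].split(","):
        return False
    for opt in ("--icmp-type", "--icmpv6-type"):
        if opt in rule and rule[opt] != str(pkt.get("icmp_type")):
            return False
    if "--hl-eq" in rule and int(rule["--hl-eq"]) != pkt.get("hl"):
        return False
    if "--tcp-flags" in rule:                            # (flags & mask) == comparison
        mask, comp = ({"ALL": TCP_FLAGS, "NONE": set()}.get(s, set(s.split(","))) for s in rule["--tcp-flags"])
        if (pkt.get("flags", set()) & mask) != comp:
            return False
    return True

def walk(policies, chains, pkt, chain="INPUT"):
    """(verdict, 'CHAIN:n') of the first terminating rule hit; an exhausted user chain returns to its caller."""
    for n, rule in enumerate(chains[chain], 1):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, f"{chain}:{n}"
        if target in chains:                             # jump; None means that chain ran out
            hit = walk(policies, chains, pkt, target)
            if hit:
                return hit
    if policies.get(chain) in ("ACCEPT", "DROP"):
        return policies[chain], f"{chain}:policy"
    return None

# Constructed, cut-down IPv6 INPUT chains (not the page's full files). BROKEN keeps a -s ::/0 drop ahead of
# the conntrack accept; FIXED accepts on-link neighbor solicitations and conntrack first, then drops ICMPv6.
BROKEN = """
:INPUT DROP [0:0]
-A INPUT -s ::/0 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
"""
FIXED = """
:INPUT DROP [0:0]
:TCP - [0:0]
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
"""
# Constructed packets on eth0 with documentation addresses; NDP is UNTRACKED in conntrack terms.
def pkt(proto, state, **extra):
    return {"iface": "eth0", "src": "2001:db8:1::1", "dst": "2001:db8:2::5", "proto": proto, "state": state, **extra}
NEIGHBOR_SOLICIT = pkt("ipv6-icmp", "UNTRACKED", src="fe80::1", dst="ff02::1:ff00:5", icmp_type=135, hl=255)
TCP_REPLY = pkt("tcp", "ESTABLISHED", flags={"SYN", "ACK"})   # answer to a connection this host opened
NEW_SYN = pkt("tcp", "NEW", flags={"SYN"})                    # fresh inbound connection attempt
```

With BROKEN every packet, the neighbor solicitation and the established reply included, stops at INPUT rule 1, so the conntrack accept two lines later is dead. With FIXED the solicitation is accepted at rule 1, the reply at rule 2, the new SYN travels through the empty TCP chain and is rejected at rule 5, and a neighbor solicitation arriving with hop limit 64, which can only have crossed a router, falls through to the ICMPv6 drop. Feed walk the page's own rule files (with the interface placeholder filled in) to see which rule any packet of interest hits.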
Please Donate to support my work and website! Thank you!
Bitcoin (BTC): bc1qh57ull2dlr6nyplxnylg3nknzzhjxhy0s30w6z
Ethereum (ETH): 0x8a71dec3d344ca8a2e55a5499b1643f37c1ee6ac
Polkadot (DOT): 148kirRpkuwUnP47bRXZhQxR3P7jVrBvuq1kYTvLe5kg8dfn
Tether (USDT): 0x8a71dec3d344ca8a2e55a5499b1643f37c1ee6ac
Litecoin (LTC): LhpN9rMg83CnBwEZdtRNAG718b9fts8qpE
Dogecoin (DOGE): DEazATJowtTJmCiMMGa3hnMYFBcZUQmLt9
Cardano (ADA): addr1qx9dy20ur3k4k5vtgqd7ez2kjq2x88sdv3xju833xnxvrzy26g5lc8rdtdgcksqmajy4dyq5vw0q6ezd9c0rzdxvcxyq07ejmp