File: //var/lib/ip6tables/base.rules
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-F INPUT
-F OUTPUT

##
## input chains
##
-N dh-whitelist-in
-N dh-portblock-in
-N dh-invalid-packets
-N dh-explicit-drop

-N dh-ssh-limit


##
## output chains
##
-N dh-whitelist-out
-N dh-syn-flood
-N dh-udp-flood

##
## these chains are populated at runtime by dh/bin/firewall.pl (per-host drops and accepts),
## so no rules are defined for them here; they are created in this file only so that
## their position in the INPUT and OUTPUT chains is fixed
##
-N dh-ephemeral-in
-N dh-ephemeral-out

###################
## ingress rules ##
###################

##
## negative security model (chain policy ACCEPT, explicit drops) without connection tracking
## note that we only filter traffic arriving on eth1; private traffic (on eth0) is trusted
##
-A INPUT -i eth1 -j dh-whitelist-in
-A INPUT -i eth1 -j dh-portblock-in
-A INPUT -i eth1 -j dh-ephemeral-in
-A INPUT -i eth1 -j dh-explicit-drop
-A INPUT -i eth1 -j dh-invalid-packets
-A INPUT -i eth1 -p tcp --dport 22 -j dh-ssh-limit


##
## dh-portblock-in: blocks ports after dh-whitelist-in and before dh-explicit-drop
##
-A dh-portblock-in -i eth1 -p tcp --dport 25 -j REJECT


##
## services that the world doesn't need to talk to
## NRPE (5666) is included here because the nag (Nagios) hosts have already been accepted by dh-whitelist-in
##
-A dh-explicit-drop -p tcp --dport 111 -j DROP
-A dh-explicit-drop -p udp --dport 111 -j DROP
-A dh-explicit-drop -p tcp --dport 1030 -j DROP
-A dh-explicit-drop -p udp --dport 1030 -j DROP
-A dh-explicit-drop -p tcp --dport 5666 -j DROP

##
## mitigation rules for vulnerabilities and compliance
##
## Mitigation for CVE-2019-11477 (tcp_sack kernel crash): drop TCP segments advertising an MSS of 1-500.

-A dh-explicit-drop -p tcp -m tcpmss --mss 1:500 -j DROP

## PCI scans fail on ICMP timestamp request/response. No rule follows this comment in this
## file; ICMPv6 has no timestamp message types, so the corresponding drop presumably lives in the IPv4 rule set.


##
## invalid packets
##
-A dh-invalid-packets -m tcp -p tcp --tcp-flags SYN,RST,ACK,FIN SYN,FIN -j DROP
-A dh-invalid-packets -m tcp -p tcp --tcp-flags SYN,RST,ACK,FIN SYN,RST -j DROP


##
## ssh rate limiting, tracked per source address: allow no more than 10 SYNs to TCP dpt:22 in 60 seconds
## once that threshold is hit, drop all TCP dpt:22 packets from that source for 60 seconds
## (the --update rules refresh the timer on every further hit, so the block persists while packets keep arriving)
## drops are logged at most 1/sec with prefix "dh-ssh-limit "; presumably syslog routes these to /var/log/sshlimit.log
##
-A dh-ssh-limit -m recent --update --seconds 60 --hitcount 10 --name dh-ssh-limit --rsource -m limit --limit 1/sec -j LOG --log-prefix "dh-ssh-limit " --log-level 7
-A dh-ssh-limit -m recent --update --seconds 60 --hitcount 10 --name dh-ssh-limit --rsource -j DROP
-A dh-ssh-limit -m recent ! --rcheck --seconds 60 --reap --name dh-ssh-limit --rsource
-A dh-ssh-limit -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name dh-ssh-limit --rsource






##################
## egress rules ##
##################

##
## since we allow arbitrary outbound connections, this chain also has to use a negative model
##
-A OUTPUT -o eth1 -j dh-whitelist-out
-A OUTPUT -o eth1 -j dh-ephemeral-out
-A OUTPUT -o eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j dh-syn-flood
-A OUTPUT -o eth1 -p udp -j dh-udp-flood
-A OUTPUT -o eth1 -p tcp --dport 25 -j REJECT


##
## outbound SYN flood mitigation: per src/dst pair, up to 1000 SYN/s (burst 1000) pass; the rest are logged (max 5/s, with uid) and dropped. logs to /var/log/synflood.log
##
-A dh-syn-flood -m hashlimit --hashlimit-upto 1000/s --hashlimit-burst 1000 --hashlimit-mode srcip,dstip --hashlimit-name dh-syn-flood -j RETURN
-A dh-syn-flood -m limit --limit 5/s -j LOG --log-uid --log-prefix "dh-syn-flood " --log-level 7
-A dh-syn-flood -j DROP


##
## outbound UDP flood mitigation: per src/dst pair, up to 1000 pkt/s (burst 1000) pass; the rest are logged (max 5/s, with uid) and dropped. logs to /var/log/udpflood.log
##
-A dh-udp-flood -m hashlimit --hashlimit-upto 1000/s --hashlimit-burst 1000 --hashlimit-mode srcip,dstip --hashlimit-name dh-udp-flood -j RETURN
-A dh-udp-flood -m limit --limit 5/s -j LOG --log-uid --log-prefix "dh-udp-flood " --log-level 7
-A dh-udp-flood -j DROP


##
## DH-wide whitelists
## inbound whitelists on the public interface are needed largely for Machine->Rsync calls
## (our current implementation runs rsync in daemon mode, listening on a random high port on the public interface)
## note: a source matched in dh-whitelist-in is ACCEPTed before dh-portblock-in, dh-explicit-drop,
## dh-invalid-packets and dh-ssh-limit are consulted, so those checks do not apply to the whitelisted ranges
##
-A dh-whitelist-out -d ::1/128 -j ACCEPT
-A dh-whitelist-out -d 2607:F298::0/32 -j ACCEPT
-A dh-whitelist-out -d fc00::/7 -j ACCEPT

-A dh-whitelist-in -s ::1/128 -j ACCEPT
-A dh-whitelist-in -s 2607:F298::0/32 -j ACCEPT
-A dh-whitelist-in -s fc00::/7 -j ACCEPT