Herewith, an expansion to the Linux cloud server iptables firewall presented above.
We now include additional protection for common ‘abuse’ protocols and/or port scanning.
Some assumptions are incorporated; i.e. that your not running an outgoing mail server, that your likely running a http/https webserver, that you are not running MySQL, that you do not require ‘default’ VNC or alternative proxy ports. That you are running a full Zcash node.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
sudo iptables -A INPUT -p tcp --dport 1 -j REJECT // TCPMUX
sudo iptables -A INPUT -p udp --dport 1 -j REJECT // TCPMUX
sudo iptables -A INPUT -p udp --dport 19 -j REJECT // Chargen Protocol - Fraggle Attack
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT // Accept SSH (Use of Fail2ban is essential)
sudo iptables -A INPUT -p tcp --dport 23 -j REJECT // Telnet
sudo iptables -A INPUT -p udp --dport 23 -j REJECT // Telnet
sudo iptables -A INPUT -p tcp --dport 25 -j REJECT // SMTP
sudo iptables -A INPUT -p udp --dport 25 -j REJECT // SMTP
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT // Accept DNS
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT // Accept DNS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT // Recommended Tor DirPort / HTTP Webserver
sudo iptables -A INPUT -p udp --dport 80 -j REJECT // Protect port 80 from UDP DDoS Attacks (Tor is TCP only)
sudo iptables -A INPUT -p tcp --dport 111 -j REJECT // Open Network Computing Remote Procedure Call
sudo iptables -A INPUT -p udp --dport 111 -j REJECT // Open Network Computing Remote Procedure Call
sudo iptables -A INPUT -p tcp --dport 135:139 -j REJECT // Microsoft EPMAP / NetBIOS
sudo iptables -A INPUT -p udp --dport 135:139 -j REJECT // Microsoft EPMAP / NetBIOS
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT // Recommended Tor ORPort / HTTPS Webserver
sudo iptables -A INPUT -p udp --dport 443 -j REJECT // Protect port 443 from UDP DDoS Attacks (Tor is TCP only)
sudo iptables -A INPUT -p tcp --dport 445 -j REJECT // Microsoft-DS Active Directory, Windows shares
sudo iptables -A INPUT -p udp --dport 445 -j REJECT // Microsoft-DS Active Directory, Windows shares
sudo iptables -A INPUT -p tcp --dport 512 -j REJECT // Rexec, Remote Process Execution
sudo iptables -A INPUT -p tcp --dport 513 -j REJECT // rlogin
sudo iptables -A INPUT -p tcp --dport 514 -j REJECT // Remote Shell
sudo iptables -A INPUT -p tcp --dport 515 -j REJECT // Line Printer Daemon (LPD)
sudo iptables -A INPUT -p tcp --dport 1433 -j REJECT // Microsoft SQL Server database management system (MSSQL) server
sudo iptables -A INPUT -p udp --dport 1433 -j REJECT // Microsoft SQL Server database management system (MSSQL) server
sudo iptables -A INPUT -p tcp --dport 3128 -j REJECT // Squid caching web proxy
sudo iptables -A INPUT -p udp --dport 3128 -j REJECT // Squid caching web proxy
sudo iptables -A INPUT -p tcp --dport 3306 -j REJECT // MySQL
sudo iptables -A INPUT -p udp --dport 3306 -j REJECT // MySQL
sudo iptables -A INPUT -p tcp --dport 3389 -j REJECT // Microsoft Terminal Server (RDP)
sudo iptables -A INPUT -p udp --dport 3389 -j REJECT // Microsoft Terminal Server (RDP)
sudo iptables -A INPUT -p tcp --dport 5060 -j REJECT // Session Initiation Protocol (SIP)
sudo iptables -A INPUT -p udp --dport 5060 -j REJECT // Session Initiation Protocol (SIP)
sudo iptables -A INPUT -p tcp --dport 5900 -j REJECT // Remote Frame Buffer protocol (RFB) / Virtual Network Computing (VNC) RDP
sudo iptables -A INPUT -p udp --dport 5900 -j REJECT // Remote Frame Buffer protocol (RFB) / Virtual Network Computing (VNC) RDP
sudo iptables -A INPUT -p tcp --dport 6000:6063 -j REJECT // X11—used between an X client and server over the network
sudo iptables -A INPUT -p udp --dport 6000:6063 -j REJECT // X11—used between an X client and server over the network
sudo iptables -A INPUT -p tcp --dport 8000 -j REJECT // Common Proxy Port
sudo iptables -A INPUT -p udp --dport 8000 -j REJECT // Common Proxy Port
sudo iptables -A INPUT -p tcp --dport 8080 -j REJECT // HTTP alternate (http_alt)—commonly used for Web proxy and caching server
sudo iptables -A INPUT -p udp --dport 8080 -j REJECT // HTTP alternate (http_alt)—commonly used for Web proxy and caching server
sudo iptables -A INPUT -p tcp --dport 8090 -j REJECT // CCDN legacy (port scanning)
sudo iptables -A INPUT -p udp --dport 8090 -j REJECT // CCDN legacy (port scanning)
sudo iptables -A INPUT -p tcp --dport 8118 -j REJECT // Privoxy—advertisement-filtering Web proxy
sudo iptables -A INPUT -p udp --dport 8118 -j REJECT // Privoxy—advertisement-filtering Web proxy
sudo iptables -A INPUT -p tcp --dport 8123 -j REJECT // Polipo Web proxy
sudo iptables -A INPUT -p udp --dport 8123 -j REJECT // Polipo Web proxy
sudo iptables -A INPUT -p tcp --dport 8232 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT // Zcash RPCPort (from/to localhost)
sudo iptables -A INPUT -p tcp --dport 8233 -j ACCEPT // Zcash P2P Port - Allow incomming connections
sudo iptables -A INPUT -p tcp --dport 8888 -j REJECT // Common Proxy Port
sudo iptables -A INPUT -p udp --dport 8888 -j REJECT // Common Proxy Port
sudo iptables -A INPUT -p udp --dport 53413 -j REJECT // Netis Router (port scan vulnerability)
sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
sudo iptables -A INPUT -p tcp --syn -j DROP
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
…
Altogether now (copy/paste) …
sudo iptables -A INPUT -i lo -j ACCEPT && sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT && sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP && sudo iptables -A INPUT -p tcp --dport 1 -j REJECT && sudo iptables -A INPUT -p udp --dport 1 -j REJECT && sudo iptables -A INPUT -p udp --dport 19 -j REJECT && sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 23 -j REJECT && sudo iptables -A INPUT -p udp --dport 23 -j REJECT && sudo iptables -A INPUT -p tcp --dport 25 -j REJECT && sudo iptables -A INPUT -p udp --dport 25 -j REJECT && sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT && sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT && sudo iptables -A INPUT -p udp --dport 80 -j REJECT && sudo iptables -A INPUT -p tcp --dport 111 -j REJECT && sudo iptables -A INPUT -p udp --dport 111 -j REJECT && sudo iptables -A INPUT -p tcp --dport 135:139 -j REJECT && sudo iptables -A INPUT -p udp --dport 135:139 -j REJECT && sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT && sudo iptables -A INPUT -p udp --dport 443 -j REJECT && sudo iptables -A INPUT -p tcp --dport 445 -j REJECT && sudo iptables -A INPUT -p udp --dport 445 -j REJECT && sudo iptables -A INPUT -p tcp --dport 512 -j REJECT && sudo iptables -A INPUT -p tcp --dport 513 -j REJECT && sudo iptables -A INPUT -p tcp --dport 514 -j REJECT && sudo iptables -A INPUT -p tcp --dport 515 -j REJECT && sudo iptables -A INPUT -p tcp --dport 1433 -j REJECT && sudo iptables -A INPUT -p udp --dport 1433 -j REJECT && sudo iptables -A INPUT -p tcp --dport 3128 -j REJECT && sudo iptables -A INPUT -p udp --dport 3128 -j REJECT && sudo iptables -A INPUT -p tcp --dport 3306 -j REJECT && sudo iptables -A INPUT -p udp --dport 3306 -j REJECT && sudo iptables -A INPUT -p tcp --dport 3389 -j REJECT && sudo iptables -A INPUT -p udp --dport 3389 -j REJECT && sudo iptables -A INPUT -p tcp --dport 5060 -j REJECT && sudo iptables -A INPUT -p udp --dport 5060 -j REJECT && sudo iptables -A INPUT -p tcp --dport 5900 -j REJECT && sudo iptables -A INPUT -p udp --dport 5900 -j REJECT && sudo iptables -A INPUT -p tcp --dport 6000:6063 -j REJECT && sudo iptables -A INPUT -p udp --dport 6000:6063 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8000 -j REJECT && sudo iptables -A INPUT -p udp --dport 8000 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8080 -j REJECT && sudo iptables -A INPUT -p udp --dport 8080 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8090 -j REJECT && sudo iptables -A INPUT -p udp --dport 8090 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8118 -j REJECT && sudo iptables -A INPUT -p udp --dport 8118 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8123 -j REJECT && sudo iptables -A INPUT -p udp --dport 8123 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8232 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 8233 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 8888 -j REJECT && sudo iptables -A INPUT -p udp --dport 8888 -j REJECT && sudo iptables -A INPUT -p udp --dport 53413 -j REJECT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT && sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT && sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP && sudo iptables -A INPUT -p tcp --syn -j DROP && sudo iptables -A OUTPUT -o lo -j ACCEPT && sudo iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT && sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
Note: ‘Home’ firewall version to be published soon. This firewall (example) has been re-factored for Zcash cloud servers, having been originally researched by tornull.org - with a view to protecting Tor .exit nodes - using the Tor Reduced-Reduced Exit policy.
If you want to help our research and our work on Zcash on Tor - see here;
Regards,