An example Zcash iptables firewall for Linux cloud servers

xyZcash · June 12, 2017, 9:55am

Herewith, an expansion to the Linux cloud server iptables firewall presented above.

We now include additional protection for common ‘abuse’ protocols and/or port scanning.

reference: http://map.norsecorp.com

Some assumptions are incorporated; i.e. that your not running an outgoing mail server, that your likely running a http/https webserver, that you are not running MySQL, that you do not require ‘default’ VNC or alternative proxy ports. That you are running a full Zcash node.

sudo iptables -A INPUT -i lo -j ACCEPT

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

sudo iptables -A INPUT -p tcp --dport 1 -j REJECT // TCPMUX
sudo iptables -A INPUT -p udp --dport 1 -j REJECT // TCPMUX

sudo iptables -A INPUT -p udp --dport 19 -j REJECT // Chargen Protocol - Fraggle Attack

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT // Accept SSH (Use of Fail2ban is essential)

sudo iptables -A INPUT -p tcp --dport 23 -j REJECT // Telnet
sudo iptables -A INPUT -p udp --dport 23 -j REJECT // Telnet

sudo iptables -A INPUT -p tcp --dport 25 -j REJECT // SMTP
sudo iptables -A INPUT -p udp --dport 25 -j REJECT // SMTP

sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT // Accept DNS
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT // Accept DNS

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT // Recommended Tor DirPort / HTTP Webserver
sudo iptables -A INPUT -p udp --dport 80 -j REJECT // Protect port 80 from UDP DDoS Attacks (Tor is TCP only)

sudo iptables -A INPUT -p tcp --dport 111 -j REJECT // Open Network Computing Remote Procedure Call
sudo iptables -A INPUT -p udp --dport 111 -j REJECT // Open Network Computing Remote Procedure Call

sudo iptables -A INPUT -p tcp --dport 135:139 -j REJECT // Microsoft EPMAP / NetBIOS
sudo iptables -A INPUT -p udp --dport 135:139 -j REJECT // Microsoft EPMAP / NetBIOS

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT // Recommended Tor ORPort / HTTPS Webserver
sudo iptables -A INPUT -p udp --dport 443 -j REJECT // Protect port 443 from UDP DDoS Attacks (Tor is TCP only)

sudo iptables -A INPUT -p tcp --dport 445 -j REJECT // Microsoft-DS Active Directory, Windows shares
sudo iptables -A INPUT -p udp --dport 445 -j REJECT // Microsoft-DS Active Directory, Windows shares

sudo iptables -A INPUT -p tcp --dport 512 -j REJECT // Rexec, Remote Process Execution
sudo iptables -A INPUT -p tcp --dport 513 -j REJECT // rlogin
sudo iptables -A INPUT -p tcp --dport 514 -j REJECT // Remote Shell
sudo iptables -A INPUT -p tcp --dport 515 -j REJECT // Line Printer Daemon (LPD)

sudo iptables -A INPUT -p tcp --dport 1433 -j REJECT // Microsoft SQL Server database management system (MSSQL) server
sudo iptables -A INPUT -p udp --dport 1433 -j REJECT // Microsoft SQL Server database management system (MSSQL) server

sudo iptables -A INPUT -p tcp --dport 3128 -j REJECT // Squid caching web proxy
sudo iptables -A INPUT -p udp --dport 3128 -j REJECT // Squid caching web proxy

sudo iptables -A INPUT -p tcp --dport 3306 -j REJECT // MySQL
sudo iptables -A INPUT -p udp --dport 3306 -j REJECT // MySQL

sudo iptables -A INPUT -p tcp --dport 3389 -j REJECT // Microsoft Terminal Server (RDP)
sudo iptables -A INPUT -p udp --dport 3389 -j REJECT // Microsoft Terminal Server (RDP)

sudo iptables -A INPUT -p tcp --dport 5060 -j REJECT // Session Initiation Protocol (SIP)
sudo iptables -A INPUT -p udp --dport 5060 -j REJECT // Session Initiation Protocol (SIP)

sudo iptables -A INPUT -p tcp --dport 5900 -j REJECT // Remote Frame Buffer protocol (RFB) / Virtual Network Computing (VNC) RDP
sudo iptables -A INPUT -p udp --dport 5900 -j REJECT // Remote Frame Buffer protocol (RFB) / Virtual Network Computing (VNC) RDP

sudo iptables -A INPUT -p tcp --dport 6000:6063 -j REJECT // X11—used between an X client and server over the network
sudo iptables -A INPUT -p udp --dport 6000:6063 -j REJECT // X11—used between an X client and server over the network

sudo iptables -A INPUT -p tcp --dport 8000 -j REJECT // Common Proxy Port
sudo iptables -A INPUT -p udp --dport 8000 -j REJECT // Common Proxy Port

sudo iptables -A INPUT -p tcp --dport 8080 -j REJECT // HTTP alternate (http_alt)—commonly used for Web proxy and caching server
sudo iptables -A INPUT -p udp --dport 8080 -j REJECT // HTTP alternate (http_alt)—commonly used for Web proxy and caching server

sudo iptables -A INPUT -p tcp --dport 8090 -j REJECT // CCDN legacy (port scanning)
sudo iptables -A INPUT -p udp --dport 8090 -j REJECT // CCDN legacy (port scanning)

sudo iptables -A INPUT -p tcp --dport 8118 -j REJECT // Privoxy—advertisement-filtering Web proxy
sudo iptables -A INPUT -p udp --dport 8118 -j REJECT // Privoxy—advertisement-filtering Web proxy

sudo iptables -A INPUT -p tcp --dport 8123 -j REJECT // Polipo Web proxy
sudo iptables -A INPUT -p udp --dport 8123 -j REJECT // Polipo Web proxy

sudo iptables -A INPUT -p tcp --dport 8232 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT // Zcash RPCPort (from/to localhost)
sudo iptables -A INPUT -p tcp --dport 8233 -j ACCEPT // Zcash P2P Port - Allow incomming connections

sudo iptables -A INPUT -p tcp --dport 8888 -j REJECT // Common Proxy Port
sudo iptables -A INPUT -p udp --dport 8888 -j REJECT // Common Proxy Port

sudo iptables -A INPUT -p udp --dport 53413 -j REJECT // Netis Router (port scan vulnerability)

Allow several ICMP types
The Unofficial Samba HOWTO
https://raw.githubusercontent.com/torservers/server-config-templates/master/iptables.test.rules

sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

sudo iptables -A INPUT -p tcp --syn -j DROP

sudo iptables -A OUTPUT -o lo -j ACCEPT

sudo iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP

…

Altogether now (copy/paste) …

sudo iptables -A INPUT -i lo -j ACCEPT && sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT && sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP && sudo iptables -A INPUT -p tcp --dport 1 -j REJECT && sudo iptables -A INPUT -p udp --dport 1 -j REJECT && sudo iptables -A INPUT -p udp --dport 19 -j REJECT && sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 23 -j REJECT && sudo iptables -A INPUT -p udp --dport 23 -j REJECT && sudo iptables -A INPUT -p tcp --dport 25 -j REJECT && sudo iptables -A INPUT -p udp --dport 25 -j REJECT && sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT && sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT && sudo iptables -A INPUT -p udp --dport 80 -j REJECT && sudo iptables -A INPUT -p tcp --dport 111 -j REJECT && sudo iptables -A INPUT -p udp --dport 111 -j REJECT && sudo iptables -A INPUT -p tcp --dport 135:139 -j REJECT && sudo iptables -A INPUT -p udp --dport 135:139 -j REJECT && sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT && sudo iptables -A INPUT -p udp --dport 443 -j REJECT && sudo iptables -A INPUT -p tcp --dport 445 -j REJECT && sudo iptables -A INPUT -p udp --dport 445 -j REJECT && sudo iptables -A INPUT -p tcp --dport 512 -j REJECT && sudo iptables -A INPUT -p tcp --dport 513 -j REJECT && sudo iptables -A INPUT -p tcp --dport 514 -j REJECT && sudo iptables -A INPUT -p tcp --dport 515 -j REJECT && sudo iptables -A INPUT -p tcp --dport 1433 -j REJECT && sudo iptables -A INPUT -p udp --dport 1433 -j REJECT && sudo iptables -A INPUT -p tcp --dport 3128 -j REJECT && sudo iptables -A INPUT -p udp --dport 3128 -j REJECT && sudo iptables -A INPUT -p tcp --dport 3306 -j REJECT && sudo iptables -A INPUT -p udp --dport 3306 -j REJECT && sudo iptables -A INPUT -p tcp --dport 3389 -j REJECT && sudo iptables -A INPUT -p udp --dport 3389 -j REJECT && sudo iptables -A INPUT -p tcp --dport 5060 -j REJECT && sudo iptables -A INPUT -p udp --dport 5060 -j REJECT && sudo iptables -A INPUT -p tcp --dport 5900 -j REJECT && sudo iptables -A INPUT -p udp --dport 5900 -j REJECT && sudo iptables -A INPUT -p tcp --dport 6000:6063 -j REJECT && sudo iptables -A INPUT -p udp --dport 6000:6063 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8000 -j REJECT && sudo iptables -A INPUT -p udp --dport 8000 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8080 -j REJECT && sudo iptables -A INPUT -p udp --dport 8080 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8090 -j REJECT && sudo iptables -A INPUT -p udp --dport 8090 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8118 -j REJECT && sudo iptables -A INPUT -p udp --dport 8118 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8123 -j REJECT && sudo iptables -A INPUT -p udp --dport 8123 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8232 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 8233 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 8888 -j REJECT && sudo iptables -A INPUT -p udp --dport 8888 -j REJECT && sudo iptables -A INPUT -p udp --dport 53413 -j REJECT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT && sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT && sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP && sudo iptables -A INPUT -p tcp --syn -j DROP && sudo iptables -A OUTPUT -o lo -j ACCEPT && sudo iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT && sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP

Note: ‘Home’ firewall version to be published soon. This firewall (example) has been re-factored for Zcash cloud servers, having been originally researched by tornull.org - with a view to protecting Tor .exit nodes - using the Tor Reduced-Reduced Exit policy.

link here soon!

If you want to help our research and our work on Zcash on Tor - see here;

Zcash on Tor : A Community Funded Proposal

Regards,