This is my custom firewall I use for my CSS server.
Code:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere /* Accepte Interface locale */
2 DROP all -- anywhere anywhere state INVALID /* Protection Packet non valide */
3 fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh /* Fail2Ban Rules */
4 DROP icmp -- anywhere anywhere icmp echo-request length 128:65535
5 ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 4/sec burst 8
6 ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 4/sec burst 8
7 DROP icmp -- anywhere anywhere
8 DROP tcp -- anywhere anywhere recent: UPDATE seconds: 21600 name: w00tlist side: source
9 w00t tcp -- anywhere anywhere
10 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED /* Accepte les Conn etablie */
11 DROP udp -- anywhere anywhere multiport dports 27014:27020 length 0:32 /* CSS: Rejette les packets trop petit */
12 DROP udp -- anywhere anywhere multiport dports 27014:27020 length 2521:65535 /* CSS: Rejette les packets trop grand */
13 ACCEPT udp -- anywhere anywhere multiport dports 27014:27020 state NEW limit: up to 1/sec burst 3 mode srcip-dstport
14 DROP udp -- anywhere anywhere multiport dports 27014:27020 /* CSS: Protection flood UDP */
15 DROP all -- anywhere anywhere PKTTYPE = broadcast /* No BroadCast */
16 DROP all -- anywhere anywhere PKTTYPE = multicast /* No MultiCast */
17 PORTSCAN all -- anywhere anywhere /* Protection Scan */
18 SPOOFED all -- anywhere anywhere /* Protection IP SPOOFED */
19 DROP tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,PSH,ACK,URG/SYN state NEW /* Protection TCP non Syn */
20 syn-flood tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN /* Protection Syn Flood */
21 udp-flood udp -- anywhere anywhere multiport dports 27014:27020 /* Protection UDP Flood */
22 DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn /* Protection NetBios */
23 DROP all -- anywhere anywhere source IP range 91.212.226.0-91.212.226.255 /* Russe */
24 DROP all -- anywhere anywhere source IP range 80.237.56.0-80.237.63.255 /* Russe 2 */
25 DROP all -- anywhere anywhere source IP range 114.200.0.0-114.207.255.255 /* Coree du Sud */
26 DROP all -- anywhere anywhere source IP range 122.164.128.0-122.164.191.255 /* Inde */
27 DROP all -- anywhere anywhere source IP range 183.0.0.0-183.63.255.255 /* Chine */
28 DROP all -- 118-160-0-0.dynamic.hinet.net/13 anywhere /* Taiwan */
29 DROP all -- 187.103.96.0/19 anywhere /* Bresil */
30 LOG_DROP all -- ARouen-652-1-369-219.w90-17.abo.wanadoo.fr anywhere /* Cali */
31 LOG_DROP all -- ip-150.net-89-3-63.rev.numericable.fr anywhere /* Cheater CALI GE */
32 LOG all -- anywhere anywhere /* LOG pour psad */ LOG level warning
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 LOG all -- anywhere anywhere /* LOG pour psad */ LOG level warning
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere state NEW,ESTABLISHED /* Marquage du traffic UDP */
2 ACCEPT all -- anywhere anywhere /* Accepte tous traffic sortant */
Chain LOG_DROP (2 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 6/hour burst 1 LOG level warning tcp-options prefix "Drop Res/Ban address: "
2 DROP all -- anywhere anywhere
Chain PORTSCAN (1 references)
num target prot opt source destination
1 DROP tcp -- anywhere anywhere tcpflags: FIN,ACK/FIN /* Fin Packets Scan */
2 DROP tcp -- anywhere anywhere tcpflags: PSH,ACK/PSH
3 DROP tcp -- anywhere anywhere tcpflags: ACK,URG/URG
4 DROP tcp -- anywhere anywhere tcpflags: FIN,RST/FIN,RST
5 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN/FIN,SYN /* XMAS Packets */
6 DROP tcp -- anywhere anywhere tcpflags: SYN,RST/SYN,RST
7 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG /* XMAS Packets */
8 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE /* NULL Packets */
9 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
10 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG
11 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
Chain SPOOFED (1 references)
num target prot opt source destination
1 DROP all -- loopback/8 anywhere
2 DROP all -- link-local/16 anywhere
3 DROP all -- 172.16.0.0/12 anywhere
4 DROP all -- 192.0.2.0/24 anywhere
5 DROP all -- 192.168.0.0/16 anywhere
6 DROP all -- localnet/8 anywhere
7 DROP all -- base-address.mcast.net/4 anywhere
8 DROP all -- 240.0.0.0/4 anywhere
9 RETURN all -- anywhere anywhere
Chain fail2ban-ssh (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
Chain syn-flood (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere limit: avg 1/sec burst 4
2 DROP all -- anywhere anywhere
Chain udp-flood (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere limit: avg 48/sec burst 48
2 DROP all -- anywhere anywhere
Chain w00t (1 references)
num target prot opt source destination
1 tcp -- anywhere anywhere recent: SET name: DEFAULT side: source tcp dpt:httpflags: FIN,SYN,RST,ACK/SYN
2 tcp -- anywhere anywhere recent: UPDATE name: DEFAULT side: source tcp spt:httpflags: SYN,PSH,ACK/SYN,ACK
3 tcp -- anywhere anywhere recent: UPDATE name: DEFAULT side: source tcp dpt:httpflags: SYN,PSH,ACK/ACK
4 w00tchain tcp -- anywhere anywhere recent: REMOVE name: DEFAULT side: source tcp dpt:httpflags: PSH,ACK/PSH,ACK STRING match "|485454502f312e310d0a0d0a|" ALGO name bm TO 80
Chain w00tchain (1 references)
num target prot opt source destination
1 REJECT tcp -- anywhere anywhere recent: SET name: w00tlist side: source reject-with tcp-reset
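The listing above is `iptables -L --line-numbers` output, which cannot be loaded back with iptables. As an added example (not the poster's own script and not part of the original post), the shell functions below rebuild the rate-limiting pieces of that ruleset as iptables commands: the syn-flood and udp-flood helper chains and the datagram-size and hashlimit rules on the 27014:27020 game-port range. The dry-run wrapper `IPT` and the hashlimit table name `css` are my assumptions; the listing does not show the name.

```shell
#!/bin/sh
# Added example, not the poster's script: rebuild the rate-limiting parts of the
# posted ruleset as iptables commands. IPT defaults to a dry run that only
# prints each command; run as root with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"
CSS_PORTS="27014:27020"        # game-server port range used in the listing

# syn-flood chain (listing: RETURN at 1/sec burst 4, then DROP).
build_syn_flood() {
  $IPT -N syn-flood
  $IPT -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
  $IPT -A syn-flood -j DROP
  # Only packets with SYN alone set among FIN,SYN,RST,ACK enter the chain.
  $IPT -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
}

# udp-flood chain (listing: RETURN at 48/sec burst 48, then DROP).
build_udp_flood() {
  $IPT -N udp-flood
  $IPT -A udp-flood -m limit --limit 48/sec --limit-burst 48 -j RETURN
  $IPT -A udp-flood -j DROP
  $IPT -A INPUT -p udp -m multiport --dports "$CSS_PORTS" -j udp-flood
}

# Game-port datagram filter (listing rules 11-14): drop undersized and
# oversized payloads, accept NEW flows at 1/sec burst 3 per source IP and
# destination port via hashlimit, drop whatever remains.
# The hashlimit table name "css" is an assumption; the listing does not show it.
build_css_udp_filter() {
  $IPT -A INPUT -p udp -m multiport --dports "$CSS_PORTS" \
       -m length --length 0:32 -j DROP
  $IPT -A INPUT -p udp -m multiport --dports "$CSS_PORTS" \
       -m length --length 2521:65535 -j DROP
  $IPT -A INPUT -p udp -m multiport --dports "$CSS_PORTS" -m state --state NEW \
       -m hashlimit --hashlimit-name css --hashlimit-upto 1/sec \
       --hashlimit-burst 3 --hashlimit-mode srcip,dstport -j ACCEPT
  $IPT -A INPUT -p udp -m multiport --dports "$CSS_PORTS" -j DROP
}

# Emit everything in the order the listing uses (dry run unless IPT is set).
build_all() {
  build_syn_flood
  build_udp_flood
  build_css_udp_filter
}

build_all
```

Two things worth checking when reading the original listing this way: `iptables -L` without `-v` hides interface matches, so rule 1 (`ACCEPT all` with no visible match) should be verified with `iptables -L -v -n` before assuming it is restricted to the loopback interface; and the INPUT chain has policy ACCEPT and ends with a LOG rule, so any packet that no DROP rule matches is accepted. Printing the rules in order also makes sequencing visible: in the posted order, rule 14 drops every remaining UDP packet to the game ports, so the udp-flood chain referenced at rule 21 receives no traffic for those ports.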