Here is a bash script to set up an iptables firewall that logs bad packets
#!/bin/bash # these commands must be run as root # run the following command to create the logndrop chain before running the script # iptables -N LOGNDROP # set default policy to accept so you don't lock yourself out iptables -P INPUT ACCEPT # flush (remove) all existing rules iptables -F # accept packets for active and approved connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # accept localhost packets iptables -A INPUT -i lo -j ACCEPT # accept ping packets iptables -A INPUT -p icmp -j ACCEPT # drop packets from certain IP addresses iptables -A INPUT -s 999.999.999.999 -j DROP # drop packets from a range of IP addresses iptables -A INPUT -m iprange --src-range 999.999.999.0-999.999.999.999 -j DROP # drop multicast and broadcast packets without logging # useful if your host doesn't firewall between servers and you get floods of traffic from nearby IP's iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP iptables -A INPUT -m pkttype --pkt-type multicast -j DROP # DDOS protection: limit DNS to 10 queries every 30 seconds # http://chroot-me.in/blog/index.php/blog/34 iptables -A INPUT -p tcp --dport 53 -m recent --set iptables -A INPUT -p tcp --dport 53 -m recent --update --seconds 30 --hitcount 10 -j LOGNDROP # accept incoming packets on port 22,80 iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT # SSL must only be open on IP addresses which support it # this is why you have one certificate per IP address # because otherwise the whole world gets confused iptables -A INPUT -p tcp --dport 443 -d 999.999.999.999 -j ACCEPT #ssl # accept all traffic from a certain IP address iptables -A INPUT -s 999.999.999.999 -j ACCEPT # accept traffic on a range of ports for certain IP address iptables -A INPUT -s 999.999.999.999 -p tcp --dport 800:900 -j ACCEPT # join the input chain to logndrop for all unmatched packets iptables -A INPUT -j LOGNDROP # join the forward chain to logndrop for all packets iptables -A FORWARD -j LOGNDROP # accept all outgoing traffic iptables -P OUTPUT ACCEPT # set up a log and drop chain # log all packets chucked through logndrop, limited to help prevent logs consuming entire hard drive iptables -A LOGNDROP -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[BLOCK] " # drop all packets in the logndrop chain iptables -A LOGNDROP -j DROP # wait 10 seconds to allow user to see any errors before listing active rules sleep 10 # list all rules to make sure everything is ok # the n option turns off the dns lookup which can speed things up iptables -L -v -n # save the rules to automatically reload them after a reboot # centos save firewall rules: /sbin/service iptables save iptables-save > /etc/iptables.up.rules
After executing the script, always flip back up to the top of the content to see if you left any errors behind.
To actually enable persistence, you should make use of the restore command either as part of the networking or as an @reboot cron job.
Fail2ban is good for keeping your ssh safe.
It keeps your SSH protected by default but you could also apply longer term bans for extra security.