# Staging server iptables rules: inbound allowlist for a server locked down during a DDoS.
# Stored at: /etc/iptables/rules.v4
# Load with: iptables-restore < /etc/iptables/rules.v4
# (dry-run first: iptables-restore --test < /etc/iptables/rules.v4). Any line that is not a
# '#' comment, a '*table', ':chain', rule or COMMIT line makes iptables-restore abort, so
# this header must stay commented. The '-s <hostname>' rules are resolved via DNS when the
# file is loaded, so a working resolver is required at load time.
# Generated by iptables-save v1.4.21 on Mon May 9 20:41:12 2016
*security
# Empty table: only the chain policies are declared. It is kept in the file so that
# iptables-restore (run without --noflush) flushes it on every load rather than leaving
# stale rules behind. Counters are zeroed; restore ignores them unless run with --counters.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon May 9 20:41:12 2016
# Generated by iptables-save v1.4.21 on Mon May 9 20:41:12 2016
*raw
# Empty table: no NOTRACK/CT rules, so nothing is exempted from connection tracking.
# Listed so that a restore flushes any rules previously added here. Counters zeroed.
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon May 9 20:41:12 2016
# Generated by iptables-save v1.4.21 on Mon May 9 20:41:12 2016
*nat
# Empty table: no translation is performed, only the ACCEPT policies are set.
# Note that the nat table depends on connection tracking, so flows through this host
# are tracked as long as this table is present. Counters zeroed.
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon May 9 20:41:12 2016
# Generated by iptables-save v1.4.21 on Mon May 9 20:41:12 2016
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Legacy IPv4 TOS hints (RFC 1349 bits): 0x08 = maximize throughput, 0x10 = minimize
# delay, 0x00 = clear. Most networks ignore the TOS byte in favour of DSCP today, so these
# rules are cosmetic rather than security-relevant; the inbound ones key on a port chosen
# by the remote peer and are purely advisory. The port sets are disjoint, so folding the
# one-port-per-rule originals into multiport matches assigns exactly the same TOS value to
# every packet. Inbound (PREROUTING) keys on the remote source port, outbound (POSTROUTING)
# on the remote destination port.
# Inbound bulk transfer (FTP data/control, HTTP) -> throughput
-A PREROUTING -p tcp -m multiport --sports 20,21,80 -j TOS --set-tos 0x08/0xff
# Inbound mail protocols (SMTP, POP3, IMAP) -> low delay
-A PREROUTING -p tcp -m multiport --sports 25,110,143 -j TOS --set-tos 0x10/0xff
# Inbound from high source ports (512-65535) -> clear TOS
-A PREROUTING -p tcp -m tcp --sport 512:65535 -j TOS --set-tos 0x00/0xff
# Outbound: same mapping keyed on the destination port
-A POSTROUTING -p tcp -m multiport --dports 20,21,80 -j TOS --set-tos 0x08/0xff
-A POSTROUTING -p tcp -m multiport --dports 25,110,143 -j TOS --set-tos 0x10/0xff
-A POSTROUTING -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x00/0xff
COMMIT
# Completed on Mon May 9 20:41:12 2016
# Generated by iptables-save v1.4.21 on Mon May 9 20:41:12 2016
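*filter
# Chain policies. INPUT is ACCEPT, so the "lockdown" is enforced only by the explicit DROP
# rules at the end of this chain - and those cover TCP only: UDP and ICMP are not filtered
# at all. With the conntrack rule below in place, switching INPUT to DROP (and then allowing
# whatever UDP/ICMP the host genuinely needs) is the safer shape; verify the host's UDP
# services before doing so. OUTPUT is ACCEPT, so every "-A OUTPUT ... -j ACCEPT" rule in
# this table is currently a no-op; they only matter if OUTPUT is ever set to DROP.
# Counters are zeroed; iptables-restore ignores them unless run with --counters.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: match on the interface rather than "-s 127.0.0.1". Local clients that connect
# to the host's own public address (e.g. a web app calling its own site URL) arrive on lo
# with the public IP as source and would otherwise be dropped by the final TCP rule.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host initiated (package mirrors, licence checks, DNS, NTP...).
# Without this, TCP replies from any host not listed below are dropped by the final rule,
# which is what the long per-vendor INPUT allowlist was compensating for. The nat table in
# this file already depends on connection tracking, so this match should not pull in
# anything new. Unsolicited packets are NEW, not ESTABLISHED/RELATED, and still fall
# through to the allowlist and DROP rules below.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH is reachable from anywhere. Consider restricting it to the office range
# (174.112.16.0/21 or 174.112.19.198/32) once no other admin path is needed.
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# WARNING - hostname-based rules. iptables-restore resolves each name via DNS when the file
# is loaded. If resolution fails (e.g. at boot before name resolution is available) the
# restore aborts and the host is left with the default ACCEPT policies, i.e. fully open.
# A name with several A records expands to several rules, and the rules do not follow later
# DNS changes. Each INPUT rule also admits ALL protocols and ports from those addresses,
# not just the vendor's HTTPS replies. Pin these to addresses obtained from each vendor
# (or an ipset) when possible. With the conntrack rule above, the INPUT entries here are
# only needed if the vendor itself initiates connections to this host.
# gravityforms
-A INPUT -s gravityforms.com -j ACCEPT
-A OUTPUT -d gravityforms.com -j ACCEPT
-A INPUT -s gravityhelp.com -j ACCEPT
-A OUTPUT -d gravityhelp.com -j ACCEPT
# acf
-A INPUT -s advancedcustomfields.com -j ACCEPT
# Fixed: the OUTPUT rule used "-s", which tests the remote host as the packet's *source*
# and so never matches outbound traffic. OUTPUT rules key on "-d" like the others.
-A OUTPUT -d advancedcustomfields.com -j ACCEPT
# wpml
-A INPUT -s wpml.org -j ACCEPT
-A OUTPUT -d wpml.org -j ACCEPT
-A INPUT -s api.wpml.org -j ACCEPT
-A OUTPUT -d api.wpml.org -j ACCEPT
-A INPUT -s onthegosystems.com -j ACCEPT
-A OUTPUT -d onthegosystems.com -j ACCEPT
# linode
-A INPUT -s mirrors.linode.com -j ACCEPT
-A OUTPUT -d mirrors.linode.com -j ACCEPT
-A INPUT -s longview.linode.com -j ACCEPT
-A OUTPUT -d longview.linode.com -j ACCEPT
# new relic
-A INPUT -s apt.newrelic.com -j ACCEPT
-A OUTPUT -d apt.newrelic.com -j ACCEPT
-A INPUT -s bam.nr-data.net -j ACCEPT
-A OUTPUT -d bam.nr-data.net -j ACCEPT
-A INPUT -s js-agent.newrelic.com -j ACCEPT
-A OUTPUT -d js-agent.newrelic.com -j ACCEPT
-A INPUT -s collector.newrelic.com -j ACCEPT
-A OUTPUT -d collector.newrelic.com -j ACCEPT
# New Relic address ranges, limited to the web ports (inbound checks against the site).
# Confirm against New Relic's current published list. The lone /32 is not annotated
# anywhere - identify it or remove it.
-A INPUT -s 50.31.164.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 50.31.164.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 162.247.240.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 162.247.240.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 184.73.237.85/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 184.73.237.85/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
# wordpress
-A INPUT -s wordpress.org -j ACCEPT
-A OUTPUT -d wordpress.org -j ACCEPT
-A INPUT -s downloads.wordpress.org -j ACCEPT
-A OUTPUT -d downloads.wordpress.org -j ACCEPT
# Other: inbound web traffic is accepted only from these ranges. Most of them look like a
# CDN/reverse-proxy provider's edge ranges (verify against the provider's published list,
# which changes over time); the leading /32 is not annotated. Anyone who learns the
# origin address and connects to it directly is dropped further down.
-A INPUT -s 199.7.157.9/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 103.21.244.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 103.22.200.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 103.31.4.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 104.16.0.0/12 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 108.162.192.0/18 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 141.101.64.0/18 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 162.158.0.0/15 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 172.64.0.0/13 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 173.245.48.0/20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 188.114.96.0/20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 190.93.240.0/20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 197.234.240.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 198.41.128.0/17 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 199.27.128.0/21 -p tcp -m multiport --dports 80,443 -j ACCEPT
# Office network, web ports. The two single-port copies of this rule that followed it were
# redundant (multiport already covers 80 and 443) and have been removed.
-A INPUT -s 174.112.16.0/21 -p tcp -m multiport --dports 80,443 -j ACCEPT
# Block HTTP / HTTPS from everyone not matched above. Also covered by the final rule;
# kept so the intent is explicit.
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j DROP
# Cinnamon Toast Office Exception: every remaining TCP packet is dropped unless it comes
# from this single office address (which lies inside the /21 above). That address therefore
# reaches ANY TCP port on the host via the ACCEPT policy, not just web and SSH.
-A INPUT ! -s 174.112.19.198/32 -p tcp -m tcp -j DROP
COMMIT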