1. create an iptables.rules file in /etc/
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # Accept established connections -A INPUT -i venet0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT # Enable HTTP/HTTPS -A INPUT -i venet0:0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i venet0:0 -p tcp -m tcp --dport 443 -j ACCEPT # Allow 4 connections in 300 seconds, then ban the IP for 300 seconds -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name DEFAULT --rsource -j DROP -A INPUT -i venet0:0 -p tcp -m tcp --dport 22 -j ACCEPT # Accept ping (ICMP) -A INPUT -i venet0:0 -p icmp -j ACCEPT # Drop all other connections -A INPUT -i venet0:0 -j DROP COMMIT |
2. enable iptables rules
iptables-restore < /etc/iptables.rules
3. load iptables rules on network interface up
vim /etc/networks/interface
add this line to under your public interface block
pre-up iptables-restore < /etc/iptables.rul
4. reload service iptables restart
Leave a reply