From 3ce5afa60fe949d5f4a272ebaed92bf24aad0b11 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Tue, 27 Jun 2017 23:18:10 -0400
Subject: [PATCH] Network hardening via iptables

Change-Id: I3a3d36af792641522e74ce45b0de3fa7ff791d58
---
 server/CommandListener.cpp | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
index b16da18..7f5e99d 100755
--- a/server/CommandListener.cpp
+++ b/server/CommandListener.cpp
@@ -230,6 +230,34 @@ CommandListener::CommandListener() :
     createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
     createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);
 
+
+    //Credit: https://javapipe.com/iptables-ddos-protection
+    execIptables(V4V6, "-w", "-A", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-A", "OUTPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-A", "FORWARD", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "!", "--syn", "-m", "conntrack", "--ctstate", "NEW", "-j", "DROP", NULL);
+    execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "536:65535", "-j", "DROP", NULL);
+    execIptables(V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "-m", "conntrack", "--ctstate", "NEW", "-m", "tcpmss", "!", "--mss", "1220:65535", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN,RST,PSH,ACK,URG", "NONE", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,SYN", "FIN,SYN", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN,RST", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "SYN,FIN", "SYN,FIN", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,RST", "FIN,RST", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "FIN,ACK", "FIN", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,URG", "URG", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,FIN", "FIN", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ACK,PSH", "PSH", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "ALL", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "NONE", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "FIN,PSH,URG", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,FIN,PSH,URG", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-t", "raw", "-A", "PREROUTING", "-p", "tcp", "--tcp-flags", "ALL", "SYN,RST,ACK,FIN,URG", "-j", "DROP", NULL);
+    execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "0.0.0.0/8", "-j", "DROP", NULL);
+    execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-s", "127.0.0.0/8", "!", "-i", "lo", "-j", "DROP", NULL);
+    execIptables(V4, "-w", "-t", "raw", "-A", "PREROUTING", "-f", "-j", "DROP", NULL);
+    execIptables(V4V6, "-w", "-A", "INPUT", "-p", "tcp", "-m", "connlimit", "--connlimit-above", "64", "!", "-i", "lo", "-j", "REJECT", NULL);
+
+
     // Let each module setup their child chains
     setupOemIptablesHook();
 
-- 
2.13.2