@chaeplin
I have two masternode servers, but I cannot find healthy iptables rules.
I would be glad if you could help me.
I use Ubuntu 14.04 x64 and I changed the SSH port, activated Host Access Control and banned all IPs for all services (except my local static IPs and node IPs).
Do you think these measures are enough?
Thank you.
I think.
A sample of mine.
#-----
*filter
:INPUT ACCEPT [1038:145425]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [434:87191]
:BADCLIENT - [0:0]
# INPUT policy is ACCEPT, so only TCP (plus UDP port 0) is filtered below; loopback first, then fragments and bogus TCP flag combinations are dropped
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 0 -j DROP
-A INPUT -p tcp -f -m tcp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --dport 0 -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# RPC port 9998 is refused; P2P port 9999 traffic passes through the BADCLIENT chain first
-A INPUT -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 9999 -j BADCLIENT
-A INPUT -p tcp -m tcp --sport 9999 -j BADCLIENT
# already-established TCP connections
-A INPUT -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# per-/24 and per-host limits on concurrent SYNs to 9999, then accept new P2P connections
-A INPUT -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
# SSH only from the local network; any other TCP is dropped
-A INPUT -p tcp -m tcp --dport 22 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -j DROP
# outbound
-A OUTPUT -o eth0 -j ACCEPT
# BADCLIENT is empty by default; banned hosts are inserted ahead of this RETURN
-A BADCLIENT -j RETURN
#
COMMIT
#-----
# ban BADCLIENT
# iptables -I BADCLIENT -p tcp -m tcp -j REJECT --reject-with tcp-reset -s ipaddress