ip tables commands which ‘might’ make your firewall PCI compliant

ip tables commands which ‘might’ make your firewall PCI compliant

This is a list of the iptables commands that will setup a minimal firewall which ‘might’ be PCI compliant

This is primarily here to remind me, so I have a reference in the future.

I also have ports for FTP and SSH for a single developer IP as well as monitoring for a single monitoring server.   The format is simple and can easily be changed for other services.

Be sure to replace ‘my.ip’ with your development ip,  and ‘monitoring.ip’ with

This is on a Linux Ubuntu machine (of course)

apt-get install iptables iptables-persistent
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s my.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s my.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 5666 -s monitoring.ip/32-j ACCEPT 
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable


iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables-save > /etc/iptables/rules.v4


awk Command to remove Non IP entries from /etc/hosts and /etc/hosts.deny

awk Command to remove Non IP entries from /etc/hosts and /etc/hosts.deny

We had a script automatically adding malicious IPS to our /etc/hosts.deny file on one of our servers.

The script went awry and ended up putting hundreds of thousands of non ip addresses into the file.  There were malicious IP addresses mixed in

I used this awk script to clean it up , and remove all of the non ip addresses,  and make the list unique.

 awk  '/ALL/ &&  $NF ~ /[0-9.]/' /etc/hosts.deny| sort -n -k2 |uniq > /etc/hosts.deny2

once I inspected the /etc/hosts.deny2  I replaced the original

mv /etc/hosts.deny2 /etc/hosts.deny


Call Now Button(208) 344-1115

SIGN UP TO
GET OUR 
FREE
 APP BLUEPRINT

Join our email list

and get your free whitepaper