An example Zcash iptables firewall for Linux cloud servers

Herewith, an example Zcash iptables firewall for Linux cloud servers (and dedicated nodes)

Sources / References ;

Firstly, install Fail2ban for some basic DDoS protection as per the following guide ;

iptables firewall example ;

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8232 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8233 -j ACCEPT

Allow several ICMP types

sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
sudo iptables -A INPUT -p tcp --syn -j DROP
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP

Note that rules are evaluated in the order they appear, top to bottom, and the first matching rule wins. Port 22 is the ‘default’ SSH port (for most Linux VPS). Port 53 is for DNS. Port 8232 is the RPC port; in the above example it only accepts connections from localhost (for rpcuser), for additional security. However, if you plan on mining directly to your VPS from your ‘home’ mining rig then you would need to omit this single rule. Port 8233 is open for incoming Zcash P2P connectivity.

Some users might prefer to avoid conntrack rules (or be required to, on a ‘castrated’ VPS whose provider has not made the extension available). Those rules can be replaced with the following ;

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -m state --state INVALID -j DROP

sudo iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m state --state INVALID -j DROP

If you are also running a web server then remember to add INPUT rules for ports 80 and/or 443.

A guide for ‘Dual Stack’ Tor Node Set-up and connectivity is being worked on. Cheers!

How to load the iptables configuration automatically at system boot / restart ;

sudo nano /etc/network/interfaces

Add the following at the end of your existing IPv4 config ;

pre-up iptables-restore < /etc/iptables.rules

List iptables with ;

sudo iptables -L

Save iptables with ;

sudo sh -c "iptables-save -c > /etc/iptables.rules"

Restore iptables with ;

sudo sh -c "iptables-restore -c < /etc/iptables.rules"

Reload / restart Fail2ban with ;

sudo /etc/init.d/fail2ban restart

Reset iptables with ;

sudo iptables -F
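An added example (not part of the original post) that audits a ruleset saved with the `iptables-save -c` command above, checking the invariants the notes describe: the RPC port 8232 only reachable from localhost, P2P port 8233 and SSH open, and a catch-all DROP for new inbound TCP. The two sample rulesets are constructed for this example, and the temporary file paths are assumptions.

```shell
# Audit a ruleset saved with "iptables-save -c" (the form the guide restores from
# /etc/iptables.rules) for the Zcash invariants above. Samples are constructed.
# has_rule FILE REGEX -> succeeds if any line of FILE matches REGEX
has_rule() { grep -E -q -e "$2" "$1"; }

# check_rules FILE -> prints one line per finding; returns 0 only if all pass
check_rules() {
  f=$1; rc=0
  # 1. RPC port 8232 may be ACCEPTed only from 127.0.0.1. iptables-save writes
  #    "-s 127.0.0.1/32" before "-p tcp", so match the fields independently.
  if grep -E -e '-A INPUT .*--dport 8232 .*-j ACCEPT' "$f" \
       | grep -v -E -e '-s 127\.0\.0\.1(/32)? ' | grep -q .; then
    echo "FAIL: RPC port 8232 is accepted from a non-localhost source"; rc=1
  fi
  # 2. Zcash P2P (8233/tcp) and SSH (22/tcp) must be reachable.
  has_rule "$f" '-A INPUT .*-p tcp .*--dport 8233 .*-j ACCEPT' \
    || { echo "FAIL: no ACCEPT for Zcash P2P port 8233/tcp"; rc=1; }
  has_rule "$f" '-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' \
    || { echo "FAIL: no ACCEPT for SSH port 22/tcp"; rc=1; }
  # 3. New inbound TCP needs a catch-all: an INPUT DROP policy, or the guide's
  #    "--syn -j DROP", which iptables-save spells "--tcp-flags FIN,SYN,RST,ACK SYN".
  has_rule "$f" '^:INPUT DROP|--tcp-flags FIN,SYN,RST,ACK SYN -j DROP' \
    || { echo "FAIL: no catch-all DROP for new inbound TCP"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $f passes all checks"
  return "$rc"
}

# write_sample KIND FILE -> constructed "iptables-save -c" output; KIND "bad"
# accepts the RPC port from anywhere (the mistake the audit should catch).
write_sample() {
  case $1 in bad) rpc_src="" ;; *) rpc_src="-s 127.0.0.1/32 -d 127.0.0.1/32 " ;; esac
  cat > "$2" <<EOF
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT ${rpc_src}-p tcp -m tcp --dport 8232 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8233 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
EOF
}

tmp=${TMPDIR:-/tmp}/zcash-rules.$$
for kind in good bad; do
  write_sample "$kind" "$tmp.$kind"
  check_rules "$tmp.$kind" || true   # keep going so both results are shown
done
rm -f "$tmp.good" "$tmp.bad"
```

Note that the rules in this guide never change the INPUT chain policy, so the final `--syn` DROP only catches new TCP connections; UDP to a port that is not listed is still accepted by the default policy, which is why the expanded ruleset further down rejects common UDP ports explicitly.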

Herewith, an expansion to the Linux cloud server iptables firewall presented above.

We now include additional protection for common ‘abuse’ protocols and/or port scanning.

Some assumptions are incorporated; i.e. that you're not running an outgoing mail server, that you're likely running an HTTP/HTTPS web server, that you are not running MySQL, that you do not require ‘default’ VNC or alternative proxy ports, and that you are running a full Zcash node. :zcash: :sunglasses:

sudo iptables -A INPUT -i lo -j ACCEPT

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

sudo iptables -A INPUT -p tcp --dport 1 -j REJECT # TCPMUX
sudo iptables -A INPUT -p udp --dport 1 -j REJECT # TCPMUX

sudo iptables -A INPUT -p udp --dport 19 -j REJECT # Chargen Protocol - Fraggle Attack

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Accept SSH (Use of Fail2ban is essential)

sudo iptables -A INPUT -p tcp --dport 23 -j REJECT # Telnet
sudo iptables -A INPUT -p udp --dport 23 -j REJECT # Telnet

sudo iptables -A INPUT -p tcp --dport 25 -j REJECT # SMTP
sudo iptables -A INPUT -p udp --dport 25 -j REJECT # SMTP

sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT # Accept DNS
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT # Accept DNS

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Recommended Tor DirPort / HTTP Webserver
sudo iptables -A INPUT -p udp --dport 80 -j REJECT # Protect port 80 from UDP DDoS Attacks (Tor is TCP only)

sudo iptables -A INPUT -p tcp --dport 111 -j REJECT # Open Network Computing Remote Procedure Call
sudo iptables -A INPUT -p udp --dport 111 -j REJECT # Open Network Computing Remote Procedure Call

sudo iptables -A INPUT -p tcp --dport 135:139 -j REJECT # Microsoft EPMAP / NetBIOS
sudo iptables -A INPUT -p udp --dport 135:139 -j REJECT # Microsoft EPMAP / NetBIOS

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT # Recommended Tor ORPort / HTTPS Webserver
sudo iptables -A INPUT -p udp --dport 443 -j REJECT # Protect port 443 from UDP DDoS Attacks (Tor is TCP only)

sudo iptables -A INPUT -p tcp --dport 445 -j REJECT # Microsoft-DS Active Directory, Windows shares
sudo iptables -A INPUT -p udp --dport 445 -j REJECT # Microsoft-DS Active Directory, Windows shares

sudo iptables -A INPUT -p tcp --dport 512 -j REJECT # Rexec, Remote Process Execution
sudo iptables -A INPUT -p tcp --dport 513 -j REJECT # rlogin
sudo iptables -A INPUT -p tcp --dport 514 -j REJECT # Remote Shell
sudo iptables -A INPUT -p tcp --dport 515 -j REJECT # Line Printer Daemon (LPD)

sudo iptables -A INPUT -p tcp --dport 1433 -j REJECT # Microsoft SQL Server database management system (MSSQL) server
sudo iptables -A INPUT -p udp --dport 1433 -j REJECT # Microsoft SQL Server database management system (MSSQL) server

sudo iptables -A INPUT -p tcp --dport 3128 -j REJECT # Squid caching web proxy
sudo iptables -A INPUT -p udp --dport 3128 -j REJECT # Squid caching web proxy

sudo iptables -A INPUT -p tcp --dport 3306 -j REJECT # MySQL
sudo iptables -A INPUT -p udp --dport 3306 -j REJECT # MySQL

sudo iptables -A INPUT -p tcp --dport 3389 -j REJECT # Microsoft Terminal Server (RDP)
sudo iptables -A INPUT -p udp --dport 3389 -j REJECT # Microsoft Terminal Server (RDP)

sudo iptables -A INPUT -p tcp --dport 5060 -j REJECT # Session Initiation Protocol (SIP)
sudo iptables -A INPUT -p udp --dport 5060 -j REJECT # Session Initiation Protocol (SIP)

sudo iptables -A INPUT -p tcp --dport 5900 -j REJECT # Remote Frame Buffer protocol (RFB) / Virtual Network Computing (VNC) RDP
sudo iptables -A INPUT -p udp --dport 5900 -j REJECT # Remote Frame Buffer protocol (RFB) / Virtual Network Computing (VNC) RDP

sudo iptables -A INPUT -p tcp --dport 6000:6063 -j REJECT # X11, used between an X client and server over the network
sudo iptables -A INPUT -p udp --dport 6000:6063 -j REJECT # X11, used between an X client and server over the network

sudo iptables -A INPUT -p tcp --dport 8000 -j REJECT # Common Proxy Port
sudo iptables -A INPUT -p udp --dport 8000 -j REJECT # Common Proxy Port

sudo iptables -A INPUT -p tcp --dport 8080 -j REJECT # HTTP alternate (http_alt), commonly used for Web proxy and caching server
sudo iptables -A INPUT -p udp --dport 8080 -j REJECT # HTTP alternate (http_alt), commonly used for Web proxy and caching server

sudo iptables -A INPUT -p tcp --dport 8090 -j REJECT # CCDN legacy (port scanning)
sudo iptables -A INPUT -p udp --dport 8090 -j REJECT # CCDN legacy (port scanning)

sudo iptables -A INPUT -p tcp --dport 8118 -j REJECT # Privoxy, advertisement-filtering Web proxy
sudo iptables -A INPUT -p udp --dport 8118 -j REJECT # Privoxy, advertisement-filtering Web proxy

sudo iptables -A INPUT -p tcp --dport 8123 -j REJECT # Polipo Web proxy
sudo iptables -A INPUT -p udp --dport 8123 -j REJECT # Polipo Web proxy

sudo iptables -A INPUT -p tcp --dport 8232 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT # Zcash RPCPort (from/to localhost)
sudo iptables -A INPUT -p tcp --dport 8233 -j ACCEPT # Zcash P2P Port - Allow incoming connections

sudo iptables -A INPUT -p tcp --dport 8888 -j REJECT # Common Proxy Port
sudo iptables -A INPUT -p udp --dport 8888 -j REJECT # Common Proxy Port

sudo iptables -A INPUT -p udp --dport 53413 -j REJECT # Netis Router (port scan vulnerability)

sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

sudo iptables -A INPUT -p tcp --syn -j DROP

sudo iptables -A OUTPUT -o lo -j ACCEPT

sudo iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP

Altogether now (copy/paste) …

sudo iptables -A INPUT -i lo -j ACCEPT && sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT && sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP && sudo iptables -A INPUT -p tcp --dport 1 -j REJECT && sudo iptables -A INPUT -p udp --dport 1 -j REJECT && sudo iptables -A INPUT -p udp --dport 19 -j REJECT && sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 23 -j REJECT && sudo iptables -A INPUT -p udp --dport 23 -j REJECT && sudo iptables -A INPUT -p tcp --dport 25 -j REJECT && sudo iptables -A INPUT -p udp --dport 25 -j REJECT && sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT && sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT && sudo iptables -A INPUT -p udp --dport 80 -j REJECT && sudo iptables -A INPUT -p tcp --dport 111 -j REJECT && sudo iptables -A INPUT -p udp --dport 111 -j REJECT && sudo iptables -A INPUT -p tcp --dport 135:139 -j REJECT && sudo iptables -A INPUT -p udp --dport 135:139 -j REJECT && sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT && sudo iptables -A INPUT -p udp --dport 443 -j REJECT && sudo iptables -A INPUT -p tcp --dport 445 -j REJECT && sudo iptables -A INPUT -p udp --dport 445 -j REJECT && sudo iptables -A INPUT -p tcp --dport 512 -j REJECT && sudo iptables -A INPUT -p tcp --dport 513 -j REJECT && sudo iptables -A INPUT -p tcp --dport 514 -j REJECT && sudo iptables -A INPUT -p tcp --dport 515 -j REJECT && sudo iptables -A INPUT -p tcp --dport 1433 -j REJECT && sudo iptables -A INPUT -p udp --dport 1433 -j REJECT && sudo iptables -A INPUT -p tcp --dport 3128 -j REJECT && sudo iptables -A INPUT -p udp --dport 3128 -j REJECT && sudo iptables -A INPUT -p tcp --dport 3306 -j REJECT && sudo iptables -A INPUT -p udp --dport 3306 -j REJECT && sudo iptables -A INPUT -p tcp --dport 3389 -j REJECT && sudo iptables -A INPUT -p udp --dport 3389 -j REJECT && sudo iptables -A INPUT -p tcp --dport 5060 -j REJECT && sudo iptables -A INPUT -p udp --dport 5060 -j REJECT && sudo iptables -A INPUT -p tcp --dport 5900 -j REJECT && sudo iptables -A INPUT -p udp --dport 5900 -j REJECT && sudo iptables -A INPUT -p tcp --dport 6000:6063 -j REJECT && sudo iptables -A INPUT -p udp --dport 6000:6063 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8000 -j REJECT && sudo iptables -A INPUT -p udp --dport 8000 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8080 -j REJECT && sudo iptables -A INPUT -p udp --dport 8080 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8090 -j REJECT && sudo iptables -A INPUT -p udp --dport 8090 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8118 -j REJECT && sudo iptables -A INPUT -p udp --dport 8118 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8123 -j REJECT && sudo iptables -A INPUT -p udp --dport 8123 -j REJECT && sudo iptables -A INPUT -p tcp --dport 8232 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 8233 -j ACCEPT && sudo iptables -A INPUT -p tcp --dport 8888 -j REJECT && sudo iptables -A INPUT -p udp --dport 8888 -j REJECT && sudo iptables -A INPUT -p udp --dport 53413 -j REJECT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT && sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT && sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT && sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP && sudo iptables -A INPUT -p tcp --syn -j DROP && sudo iptables -A OUTPUT -o lo -j ACCEPT && sudo iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT && sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP

Note: ‘Home’ firewall version to be published soon. This firewall (example) has been re-factored for Zcash cloud servers, having been originally researched by tornull.org - with a view to protecting Tor .exit nodes - using the Tor Reduced-Reduced Exit policy.

  • link here soon!

If you want to help our research and our work on Zcash on Tor - see here;

Regards,