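*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-F INPUT
-F OUTPUT
##
## iptables-restore ruleset for the filter table.
##
## Model: default policy is ACCEPT on every chain (negative security model, no
## connection tracking). Everything below therefore works by *denying* specific
## traffic; an ACCEPT anywhere in INPUT/OUTPUT short-circuits every later check
## in that chain, so the ORDER of the `-A INPUT -j ...` / `-A OUTPUT -j ...`
## jumps is the security policy. Review any insertion against that order.
##
## input chains
##
-N dh-nrpe
-N dh-metrics
-N dh-whitelist-in
-N dh-portblock-in
-N dh-invalid-packets
-N dh-explicit-drop
-N dh-ssh-limit
##
## output chains
##
-N dh-whitelist-out
-N dh-syn-flood
-N dh-udp-flood
##
## these two chains are populated at runtime (drops and accepts) via
## dh/bin/firewall.pl. Apart from the static ipset DROP rules further down,
## no rules are defined for them here; the chains are created so that their
## position in the INPUT/OUTPUT traversal order is fixed by this file.
##
-N dh-ephemeral-in
-N dh-ephemeral-out
###################
## ingress rules ##
###################
##
## negative security model without connection tracking
## note that we only handle traffic on public interfaces because private traffic is trusted
## on most systems, eth1 is the public interface; some special snowflakes use a different nic
##
## NRPE and metrics restrictions come FIRST so that nothing whitelisted later in
## INPUT (third-party vendor ranges, dh-whitelist-in) can reach the NRPE port or
## the exporter ports. Both chains only ACCEPT/DROP their own ports and fall
## through for everything else, so placing them here affects no other traffic.
##
# nrpe traffic is not explicitly trusted on any interface
-A INPUT -j dh-nrpe
-A INPUT -j dh-metrics
##
## Third-party vendor allow-lists. These are unconditional ACCEPTs on the public
## interface: sources below bypass dh-whitelist-in, dh-portblock-in,
## dh-ephemeral-in (ipset/fail2ban drops), dh-explicit-drop, dh-invalid-packets
## and dh-ssh-limit. NOTE(review): several entries are shared-cloud addresses;
## if these vendors only need HTTP(S), consider constraining the rules with
## `-p tcp -m multiport --dports 80,443` — confirm the served ports first.
##
## Whitelist Cloudflare
## https://www.cloudflare.com/ips-v4
-A INPUT -i eth1 -s 173.245.48.0/20 -j ACCEPT
-A INPUT -i eth1 -s 103.21.244.0/22 -j ACCEPT
-A INPUT -i eth1 -s 103.22.200.0/22 -j ACCEPT
-A INPUT -i eth1 -s 103.31.4.0/22 -j ACCEPT
-A INPUT -i eth1 -s 141.101.64.0/18 -j ACCEPT
-A INPUT -i eth1 -s 108.162.192.0/18 -j ACCEPT
-A INPUT -i eth1 -s 190.93.240.0/20 -j ACCEPT
-A INPUT -i eth1 -s 188.114.96.0/20 -j ACCEPT
-A INPUT -i eth1 -s 197.234.240.0/22 -j ACCEPT
-A INPUT -i eth1 -s 198.41.128.0/17 -j ACCEPT
-A INPUT -i eth1 -s 162.158.0.0/15 -j ACCEPT
-A INPUT -i eth1 -s 104.16.0.0/13 -j ACCEPT
-A INPUT -i eth1 -s 104.24.0.0/14 -j ACCEPT
-A INPUT -i eth1 -s 172.64.0.0/13 -j ACCEPT
-A INPUT -i eth1 -s 131.0.72.0/22 -j ACCEPT
## Whitelist Jetpack
## https://jetpack.com/support/hosting-faq/
-A INPUT -i eth1 -s 122.248.245.244 -j ACCEPT
-A INPUT -i eth1 -s 54.217.201.243 -j ACCEPT
-A INPUT -i eth1 -s 54.232.116.4 -j ACCEPT
-A INPUT -i eth1 -s 192.0.80.0/20 -j ACCEPT
-A INPUT -i eth1 -s 192.0.96.0/20 -j ACCEPT
-A INPUT -i eth1 -s 192.0.112.0/20 -j ACCEPT
-A INPUT -i eth1 -s 195.234.108.0/22 -j ACCEPT
-A INPUT -i eth1 -s 192.0.96.202 -j ACCEPT
-A INPUT -i eth1 -s 192.0.98.138 -j ACCEPT
-A INPUT -i eth1 -s 192.0.102.71 -j ACCEPT
-A INPUT -i eth1 -s 192.0.102.95 -j ACCEPT
## Whitelist SEMRush
## https://www.semrush.com/kb/681-site-audit-troubleshooting
-A INPUT -i eth1 -s 46.229.173.66 -j ACCEPT
-A INPUT -i eth1 -s 46.229.173.67 -j ACCEPT
-A INPUT -i eth1 -s 46.229.173.68 -j ACCEPT
## Whitelist Sucuri
## https://docs.sucuri.net/website-firewall/sucuri-firewall-troubleshooting-guide/
-A INPUT -i eth1 -s 192.88.134.0/23 -j ACCEPT
-A INPUT -i eth1 -s 185.93.228.0/22 -j ACCEPT
-A INPUT -i eth1 -s 66.248.200.0/22 -j ACCEPT
-A INPUT -i eth1 -s 208.109.0.0/22 -j ACCEPT
## Whitelist NitroPack
## https://support.nitropack.io/hc/en-us/articles/360062911873-IP-Allowlisting
-A INPUT -i eth1 -s 178.62.81.205 -j ACCEPT
-A INPUT -i eth1 -s 46.101.77.196 -j ACCEPT
-A INPUT -i eth1 -s 178.62.71.222 -j ACCEPT
## Whitelist ManageWP
## https://managewp.com/troubleshooting/general/managewp-ips-can-white-list
-A INPUT -i eth1 -s 34.211.180.66 -j ACCEPT
-A INPUT -i eth1 -s 54.70.65.107 -j ACCEPT
-A INPUT -i eth1 -s 34.210.224.7 -j ACCEPT
-A INPUT -i eth1 -s 52.41.5.108 -j ACCEPT
-A INPUT -i eth1 -s 54.191.137.17 -j ACCEPT
##
## remaining INPUT traversal on the public interface, in order:
##   dh-whitelist-in   -> trusted sources ACCEPT here and skip everything below
##   dh-portblock-in   -> REJECT selected ports
##   dh-ephemeral-in   -> ipset / fail2ban DROPs (managed by firewall.pl)
##   dh-explicit-drop  -> services nobody external should reach + mitigations
##   dh-invalid-packets-> impossible TCP flag combinations
##   dh-ssh-limit      -> per-source SYN rate limit on tcp/22
##
-A INPUT -i eth1 -j dh-whitelist-in
-A INPUT -i eth1 -j dh-portblock-in
-A INPUT -i eth1 -j dh-ephemeral-in
-A INPUT -i eth1 -j dh-explicit-drop
-A INPUT -i eth1 -j dh-invalid-packets
-A INPUT -i eth1 -p tcp --dport 22 -j dh-ssh-limit
## DROP rules for ipset lists (the sets themselves are maintained outside this file)
-A dh-ephemeral-in -m set --match-set dh-drop-set src -j DROP
-A dh-ephemeral-out -m set --match-set dh-drop-out-set dst -j DROP
## add Fail2ban centralized service ipset to dh-ephemeral-in
-A dh-ephemeral-in -m set --match-set dh-failcentral-set src -j DROP
##
## be very explicit about allowing traffic for NRPE ports:
## three named monitoring hosts may reach tcp/5666, everyone else is dropped.
##
-A dh-nrpe -s 66.33.200.4 -p tcp --dport 5666 -j ACCEPT
-A dh-nrpe -s 208.113.156.25 -p tcp --dport 5666 -j ACCEPT
-A dh-nrpe -s 10.5.23.122 -p tcp --dport 5666 -j ACCEPT
-A dh-nrpe -p tcp --dport 5666 -j DROP
##
## metric endpoint access for monitoring:
## internal/monitoring ranges ACCEPT (all ports), then the exporter ports are
## dropped for everybody else. Any other traffic falls through unchanged.
##
-A dh-metrics -s 10.0.0.0/8 -j ACCEPT
-A dh-metrics -s 66.33.200.0/25 -j ACCEPT
-A dh-metrics -s 66.33.205.224/27 -j ACCEPT
-A dh-metrics -s 64.90.62.192/27 -j ACCEPT
-A dh-metrics -s 64.90.62.224/27 -j ACCEPT
# cadvisor (intentionally disabled here)
#-A dh-metrics -p tcp --dport 9280 -j DROP
# script exporter
-A dh-metrics -p tcp --dport 9469 -j DROP
# node exporter
-A dh-metrics -p tcp --dport 9100 -j DROP
# smartctl exporter
-A dh-metrics -p tcp --dport 9633 -j DROP
# vector metrics
-A dh-metrics -p tcp --dport 9598 -j DROP
#
# Whitelist data EKS
# EKS EAST
-A dh-whitelist-in -s 44.193.25.197 -j ACCEPT
-A dh-whitelist-in -s 34.237.222.172 -j ACCEPT
-A dh-whitelist-in -s 18.207.133.154 -j ACCEPT
-A dh-whitelist-in -s 3.238.179.3 -j ACCEPT
-A dh-whitelist-in -s 18.207.130.237 -j ACCEPT
-A dh-whitelist-in -s 3.235.250.83 -j ACCEPT
-A dh-whitelist-in -s 34.206.152.150 -j ACCEPT
-A dh-whitelist-in -s 3.239.113.214 -j ACCEPT
-A dh-whitelist-in -s 107.20.105.74 -j ACCEPT
# EKS WEST
-A dh-whitelist-in -s 54.212.104.5 -j ACCEPT
-A dh-whitelist-in -s 54.213.192.116 -j ACCEPT
-A dh-whitelist-in -s 35.165.188.89 -j ACCEPT
# EKS DH-INTERNAL NAT
-A dh-whitelist-in -s 44.229.156.44 -j ACCEPT
-A dh-whitelist-in -s 44.238.188.181 -j ACCEPT
##
## dh-portblock-in. reject incoming traffic after dh-whitelist-in and before dh-explicit-drop chains
##
-A dh-portblock-in -i eth1 -p tcp --dport 25 -j REJECT
##
## services that the world doesn't need to talk to (ingress & egress)
## (portmapper tcp/udp 111 and tcp/udp 1030)
##
-A dh-explicit-drop -p tcp --dport 111 -j DROP
-A dh-explicit-drop -p udp --dport 111 -j DROP
-A dh-explicit-drop -p tcp --dport 1030 -j DROP
-A dh-explicit-drop -p udp --dport 1030 -j DROP
##
## mitigation rules for vulnerabilities and compliance
##
## Mitigation for CVE-2019-11477 tcp_sack kernel crash: drop segments advertising
## an MSS of 500 or less.
-A dh-explicit-drop -p tcp -m tcpmss --mss 1:500 -j DROP
## PCI fails on timestamp request/response
## NOTE(review): no rule follows this comment — nothing in this file filters
## ICMP timestamp request/reply. Either the rule was removed or never added;
## confirm against the PCI scan findings before relying on this section.
##
## invalid packets: flag combinations that never occur in a legitimate handshake
##
-A dh-invalid-packets -m tcp -p tcp --tcp-flags SYN,RST,ACK,FIN SYN,FIN -j DROP
-A dh-invalid-packets -m tcp -p tcp --tcp-flags SYN,RST,ACK,FIN SYN,RST -j DROP
##
## ssh rate limiting. allow no more than 10 SYNs on TCP dpt:22 in 60 seconds
## if this threshold is met, block all TCP dpt:22 packets for 60 seconds
##
## rule 1: a source with >=10 entries in the last 60s is dropped. Because this
##         uses --update, every dropped packet refreshes the entry, so the block
##         lasts until the source has been quiet for 60 seconds, not a fixed 60s.
## rule 2: no target on purpose — it only runs the --reap side effect to expire
##         stale entries from the recent table.
## rule 3: record a new entry for each bare SYN (handshake start).
##
-A dh-ssh-limit -m recent --update --seconds 60 --hitcount 10 --name dh-ssh-limit --rsource -j DROP
-A dh-ssh-limit -m recent ! --rcheck --seconds 60 --reap --name dh-ssh-limit --rsource
-A dh-ssh-limit -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name dh-ssh-limit --rsource
##################
## egress rules ##
##################
##
## since we allow arbitrary outbound connections we need to take a negative model with this chain
## traversal: dh-whitelist-out (ACCEPT and stop) -> dh-ephemeral-out (ipset DROP)
##            -> dh-syn-flood (outbound SYNs only) -> dh-udp-flood (all UDP)
##
-A OUTPUT -o eth1 -j dh-whitelist-out
-A OUTPUT -o eth1 -j dh-ephemeral-out
-A OUTPUT -o eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j dh-syn-flood
-A OUTPUT -o eth1 -p udp -j dh-udp-flood
##
## outbound SYN flood mitigation, logs to /var/log/synflood.log
## up to 1000 SYN/s per (srcip,dstip) pair passes; excess is logged via NFLOG
## (itself capped at 5/s so the log cannot be flooded) and dropped.
##
-A dh-syn-flood -m hashlimit --hashlimit-upto 1000/s --hashlimit-burst 1000 --hashlimit-mode srcip,dstip --hashlimit-name dh-syn-flood -j RETURN
-A dh-syn-flood -m limit --limit 5/s -j NFLOG --nflog-prefix "dh-syn-flood "
-A dh-syn-flood -j DROP
##
## outbound UDP flood mitigation, logs to /var/log/udpflood.log
## same shape as dh-syn-flood, applied to every outbound UDP datagram.
##
-A dh-udp-flood -m hashlimit --hashlimit-upto 1000/s --hashlimit-burst 1000 --hashlimit-mode srcip,dstip --hashlimit-name dh-udp-flood -j RETURN
-A dh-udp-flood -m limit --limit 5/s -j NFLOG --nflog-prefix "dh-udp-flood "
-A dh-udp-flood -j DROP
##
## DH-wide whitelists
## inbound whitelists on public interface are necessary largely to handle Machine->Rsync calls
## (our current implementation uses rsync in daemon mode listening on a random high port, on the public interface)
##
## Outbound: match on DESTINATION. The ipset rule previously matched the set
## against `src`; on OUTPUT the source is always this host, so that rule could
## only ever match if the host's own address was in the set and the external
## destinations it was meant to exempt never were. It now matches `dst`, in
## line with every other dh-whitelist-out rule and with dh-drop-out-set above.
##
-A dh-whitelist-out -d 127.0.0.1 -j ACCEPT
-A dh-whitelist-out -m set --match-set dh-ext-whitelist-out dst -j ACCEPT
-A dh-whitelist-out -d 66.33.192.0/19 -j ACCEPT
-A dh-whitelist-out -d 205.196.208.0/20 -j ACCEPT
-A dh-whitelist-out -d 64.111.96.0/19 -j ACCEPT
-A dh-whitelist-out -d 67.205.0.0/18 -j ACCEPT
-A dh-whitelist-out -d 75.119.192.0/19 -j ACCEPT
-A dh-whitelist-out -d 69.163.128.0/17 -j ACCEPT
-A dh-whitelist-out -d 208.113.160.0/19 -j ACCEPT
-A dh-whitelist-out -d 208.113.192.0/19 -j ACCEPT
-A dh-whitelist-out -d 208.97.128.0/18 -j ACCEPT
-A dh-whitelist-out -d 208.113.128.0/19 -j ACCEPT
-A dh-whitelist-out -d 173.236.128.0/17 -j ACCEPT
-A dh-whitelist-out -d 64.90.32.0/19 -j ACCEPT
-A dh-whitelist-out -d 107.180.224.0/19 -j ACCEPT
##
## Inbound: match on SOURCE. Note the chain is only reached with -i eth1, so a
## 127.0.0.1 source here would be a spoofed loopback address arriving on the
## public interface; NOTE(review): confirm that accepting it is intended.
##
-A dh-whitelist-in -s 127.0.0.1 -j ACCEPT
-A dh-whitelist-in -m set --match-set dh-ext-whitelist-in src -j ACCEPT
-A dh-whitelist-in -s 66.33.192.0/19 -j ACCEPT
-A dh-whitelist-in -s 205.196.208.0/20 -j ACCEPT
-A dh-whitelist-in -s 64.111.96.0/19 -j ACCEPT
-A dh-whitelist-in -s 67.205.0.0/18 -j ACCEPT
-A dh-whitelist-in -s 75.119.192.0/19 -j ACCEPT
-A dh-whitelist-in -s 69.163.128.0/17 -j ACCEPT
-A dh-whitelist-in -s 208.113.160.0/19 -j ACCEPT
-A dh-whitelist-in -s 208.113.192.0/19 -j ACCEPT
-A dh-whitelist-in -s 208.97.128.0/18 -j ACCEPT
-A dh-whitelist-in -s 208.113.128.0/19 -j ACCEPT
-A dh-whitelist-in -s 173.236.128.0/17 -j ACCEPT
-A dh-whitelist-in -s 64.90.32.0/19 -j ACCEPT
-A dh-whitelist-in -s 107.180.224.0/19 -j ACCEPT
## NOTE(review): this fragment ends without a COMMIT line; confirm the loader
## (dh/bin/firewall.pl) appends it, otherwise iptables-restore will not apply the table.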