iptables permite apenas determinados serviços

Tente com isso.

Crie iptables.sh e coloque em /root/

Conceder x permissão

chmod +x /root/iptables.sh

Edite o /etc/rc.local para acionar o script na reinicialização

sudo nano /etc/rc.local

adicione no final do arquivo

 sh /root/iptables.sh

Script

#!/bin/bash

#echo service iptables stop | at now + 3 min

#################################################
# clear existing chains
#################################################

/etc/init.d/iptables stop

iptables --flush
iptables --delete-chain

#################################################
# allow loopback
#################################################

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#################################################
# drop all ICMP
#################################################

iptables -A INPUT -p icmp --icmp-type any -j DROP
iptables -A OUTPUT -p icmp -j DROP

#################################################
# allow established connections
#################################################

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#################################################
# allow public
#################################################

# 33332 
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 33332 -j ACCEPT

# 35060
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 35060 -j ACCEPT

# RTP 10000 up to 200000
iptables -A INPUT -p udp --match multiport --dports 10000:20000 -j ACCEPT

#################################################
# ssh
#################################################

iptables -N ATTACKED 
iptables -N ATTK_CHECK 
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 86400 --name BANNED --rsource -j DROP
iptables -A ATTACKED -m recent --update --seconds 600 --hitcount 3 -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
iptables -A ATTACKED -m recent --set --name BANNED --rsource -j DROP
iptables -A ATTK_CHECK -m recent --set --name ATTK –-rsource
iptables -A ATTK_CHECK -m recent --update --seconds 600 --hitcount 3 --name ATTK --rsource -j ATTACKED
iptables -A ATTK_CHECK -j ACCEPT


#################################################
# default policies
#################################################

iptables -P INPUT DROP

Eu acredito que essas regras ajudarão

# Drop everything
iptables -P INPUT DROP

# Allow certain ports
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 33332 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 35060 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

# Disable ICMP
iptables  -I  INPUT  -i  eth0  -p   icmp  -s  0/0  -d  0/0   -j  DROP

E claro, é necessário salvar as regras. Iptables-persistent é uma boa ferramenta para isso:

sudo apt-get install iptables-persistent

Depois de instalado, você pode salvar / recarregar as regras do iptables a qualquer momento:

sudo /etc/init.d/iptables-persistent save 
sudo /etc/init.d/iptables-persistent reload

O bloqueio de SSH é feito em /etc/fail2ban/jail.conf ou /etc/fail2ban/jail.local

bantime  = 86400
findtime = 600
maxretry = 3

Boa sorte!

Sugiro instalar um construtor de firewall como shorewall ou ufw . Permitir apenas tráfego de entrada nas portas necessárias para os serviços que você deseja fornecer. Essas ferramentas ajudarão a garantir o tráfego crítico, como o DNS e certos tipos de ICMP, enquanto bloqueiam os itens que precisam ser bloqueados. Eles também devem registrar o tráfego apropriado.

fail2ban funciona com o Shorewall. Você também pode ratelimitar conexões com relativa facilidade. Não usei com êxito o UFW, mas espero que também funcione com o 'fail2ban.