Network Security Toolkit
Firewall rules, IDS/IPS configs, network segmentation patterns, VPN setup, and traffic analysis scripts.
📄 Product Preview
Try the interactive reader and demo tools below, or get the full product with all content unlocked.
📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample📁 File Structure 27 files
📖 Documentation Preview README excerpt
Network Security Toolkit
A code- and config-forward kit for hardening a Linux network estate end to end:
default-deny host firewalls (iptables and nftables), network segmentation
patterns, Suricata IDS/IPS rules, hardened WireGuard and OpenVPN, locked-down
SSH and TLS, plus a dependency-free port auditor and firewall verifier to prove
it all works.
Every file is annotated with the why, not just the what. All addresses use
RFC1918 internal ranges and RFC5737 documentation ranges for public examples; no
real keys, hosts, or infrastructure appear anywhere.
Who this is for
Platform/DevOps engineers, SREs, and security engineers responsible for the
network posture of Linux servers — on-prem, cloud VMs, or hybrid. You should be
comfortable on the shell and with basic TCP/IP. The guides start from first
principles; the configs are ready to adapt.
What you get
- Host firewalls, two ways: a fully-commented stateful iptables script
and an equivalent atomic nftables ruleset — both default-deny, with SSH
rate-limiting, anti-spoofing, and parallel IPv6 lockdown.
- Segmentation patterns: a reference zone model (DMZ/App/Data/Mgmt) with a
concrete inter-zone allow matrix and the nftables rules to enforce it.
- IDS/IPS: an annotated Suricata config plus two rule files — tuned
local rules and an Emerging-Threats-style sample set — covering recon, web
attacks, C2, exfil, and lateral movement, mapped to MITRE ATT&CK.
- Hardened VPNs: a WireGuard server config + provisioning script and a
defensively-configured OpenVPN server, with a hardening rationale for each.
- SSH + TLS hardening: a production
sshd_config(key-only, modern crypto)
and a Mozilla-Intermediate nginx TLS config (HSTS, OCSP stapling, security
headers), each with a verification guide.
- Verification tooling: a stdlib port auditor (open/closed/filtered, with
high-risk-exposure flags) and a firewall verifier that asserts the
default-deny invariants.
Prerequisites
| Tool | Why | Notes |
|---|---|---|
| Linux + root | apply firewall/SSH/VPN configs | tested against modern distros |
| iptables or nftables | host firewall | pick one; both rulesets provided |
| Suricata ≥ 6 | IDS/IPS | suricata -T validates the bundled rules |
| WireGuard or OpenVPN | remote access | choose per vpn/openvpn/hardening-notes.md |
| nginx | TLS termination | config is portable to other terminators |
| Python ≥ 3.10 | the auditor scripts | stdlib only, no pip install |
The Python tools (port_audit.py) need no external packages — they run on a
locked-down jump host where you can't install nmap.
Quick start
... continues with setup instructions, usage examples, and more.