← Back to all products

Network Security Toolkit

$39

Firewall rules, IDS/IPS configs, network segmentation patterns, VPN setup, and traffic analysis scripts.

📁 27 files
MarkdownShellPythonYAMLNginx

📄 Product Preview

Try the interactive reader and demo tools below, or get the full product with all content unlocked.

📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample

📁 File Structure 27 files

network-security-toolkit/ ├── LICENSE ├── README.md ├── docs/ │ └── network-hardening-guide.md ├── examples/ │ └── suricata-alert-sample.txt ├── firewall/ │ ├── iptables-rules.sh │ ├── nftables.conf │ └── segmentation-zones.md ├── free-sample.zip ├── guide/ │ ├── 01-network-security-fundamentals.md │ ├── 02-host-firewall-and-segmentation.md │ ├── 03-ids-ips-with-suricata.md │ ├── 04-vpn-and-remote-access-hardening.md │ └── 05-verification-and-monitoring.md ├── ids/ │ ├── rules/ │ │ ├── emerging-threats-sample.rules │ │ └── local.rules │ └── suricata.yaml ├── index.html ├── scripts/ │ ├── firewall_verify.sh │ └── port_audit.py ├── ssh/ │ ├── ssh-hardening.md │ └── sshd_config ├── tls/ │ ├── nginx-tls.conf │ └── tls-config-guide.md └── vpn/ ├── openvpn/ │ ├── hardening-notes.md │ └── server.conf └── wireguard/ ├── setup-wireguard.sh └── wg0.conf

📖 Documentation Preview README excerpt

Network Security Toolkit

A code- and config-forward kit for hardening a Linux network estate end to end:

default-deny host firewalls (iptables and nftables), network segmentation

patterns, Suricata IDS/IPS rules, hardened WireGuard and OpenVPN, locked-down

SSH and TLS, plus a dependency-free port auditor and firewall verifier to prove

it all works.

Every file is annotated with the why, not just the what. All addresses use

RFC1918 internal ranges and RFC5737 documentation ranges for public examples; no

real keys, hosts, or infrastructure appear anywhere.


Who this is for

Platform/DevOps engineers, SREs, and security engineers responsible for the

network posture of Linux servers — on-prem, cloud VMs, or hybrid. You should be

comfortable on the shell and with basic TCP/IP. The guides start from first

principles; the configs are ready to adapt.

What you get

  • Host firewalls, two ways: a fully-commented stateful iptables script

and an equivalent atomic nftables ruleset — both default-deny, with SSH

rate-limiting, anti-spoofing, and parallel IPv6 lockdown.

  • Segmentation patterns: a reference zone model (DMZ/App/Data/Mgmt) with a

concrete inter-zone allow matrix and the nftables rules to enforce it.

  • IDS/IPS: an annotated Suricata config plus two rule files — tuned

local rules and an Emerging-Threats-style sample set — covering recon, web

attacks, C2, exfil, and lateral movement, mapped to MITRE ATT&CK.

  • Hardened VPNs: a WireGuard server config + provisioning script and a

defensively-configured OpenVPN server, with a hardening rationale for each.

  • SSH + TLS hardening: a production sshd_config (key-only, modern crypto)

and a Mozilla-Intermediate nginx TLS config (HSTS, OCSP stapling, security

headers), each with a verification guide.

  • Verification tooling: a stdlib port auditor (open/closed/filtered, with

high-risk-exposure flags) and a firewall verifier that asserts the

default-deny invariants.


Prerequisites

ToolWhyNotes
Linux + rootapply firewall/SSH/VPN configstested against modern distros
iptables or nftableshost firewallpick one; both rulesets provided
Suricata ≥ 6IDS/IPSsuricata -T validates the bundled rules
WireGuard or OpenVPNremote accesschoose per vpn/openvpn/hardening-notes.md
nginxTLS terminationconfig is portable to other terminators
Python ≥ 3.10the auditor scriptsstdlib only, no pip install

The Python tools (port_audit.py) need no external packages — they run on a

locked-down jump host where you can't install nmap.


Quick start

... continues with setup instructions, usage examples, and more.

📄 Code Sample .py preview

scripts/port_audit.py #!/usr/bin/env python3 """port_audit.py — a dependency-free TCP/UDP port auditor. Audits which ports are reachable on a host (or a small range of hosts) so you can verify firewall rules and network segmentation actually do what the config claims. Pure Python standard library — no nmap, no pip install — so it runs on a locked-down jump host where you can't install tooling. It distinguishes three states the way a real scanner does: * open — the TCP handshake completed (or the UDP service replied) * closed — the host actively refused (RST / ICMP port-unreachable) * filtered — no response before timeout (a firewall is silently dropping) The open/closed/filtered distinction is the whole point: a *filtered* admin port is your firewall working; an *open* one from the wrong zone is a finding. Usage: python3 port_audit.py 10.30.2.10 # common ports python3 port_audit.py 10.30.2.10 --ports 22,80,443,5432 python3 port_audit.py 10.30.2.10 --ports 1-1024 # a range python3 port_audit.py 10.30.1.0/29 --ports 22,443 # a small CIDR python3 port_audit.py 10.30.2.10 --udp --ports 53,123 # UDP probe python3 port_audit.py 10.30.2.10 --json # machine-readable Exit code: 0 always (it's an auditor); parse the output/JSON for results. Only scan hosts you are authorized to test. """ from __future__ import annotations import argparse import ipaddress import json import socket import sys from concurrent.futures import ThreadPoolExecutor, as_completed # A compact, high-signal default port list (well-known services worth checking). DEFAULT_PORTS = [ 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 161, 389, 443, 445, 465, 587, 631, 993, 995, 1433, 1521, 1723, 2049, 2375, 3306, 3389, 5432, 5601, 5900, 5985, 5986, 6379, 8080, 8443, 9000, 9090, 9200, 11211, 27017, ] # Best-effort service names for the report (informational only). SERVICE_NAMES = { 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http", 110: "pop3", 135: "msrpc", 139: "netbios", 143: "imap", 161: "snmp", 389: "ldap", 443: "https", 445: "smb", 465: "smtps", 587: "submission", 993: "imaps", 995: "pop3s", 1433: "mssql", 1521: "oracle", 2049: "nfs", 2375: "docker-api", 3306: "mysql", 3389: "rdp", 5432: "postgres", # ... 145 more lines ...
Buy Now — $39 Back to Products