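#!/usr/bin/env bash
# Host firewall for the uplink bridge: a Cloudflare/search-engine whitelist,
# per-source rate limits on http and nntp, temporary lock-outs through the
# xt_recent lists BLOCK / BLOCK_PARALLELS, and a final DROP for everything
# else that arrives on that interface.
#
# Usage: run as root. Re-running rebuilds the filter table from scratch.
# Env:   WAN_IF    interface whose traffic is sent through fw-input (default: vmbr0)
#        SSH_PORT  TCP port accepted unconditionally for ssh (default: 2222)
#
# Only packets arriving on $WAN_IF are routed into fw-input (the INPUT/FORWARD
# jumps below match -i "$wan_if"); traffic on any other interface is governed by
# the built-in chains' policies, which this script does not touch.
#
# Deliberately no `set -e`: aborting half-way would leave fw-input without its
# terminal DROP rules. Instead every rule is applied, a failure is reported with
# the exact command, and the script exits non-zero at the end.
set -u

wan_if=${WAN_IF:-vmbr0}
ssh_port=${SSH_PORT:-2222}
rc=0

#######################################
# Apply one iptables rule, reporting a failure without stopping the script.
# Globals:   rc (written: set to 1 on failure)
# Arguments: iptables arguments
# Outputs:   diagnostic on stderr when the rule is rejected
#######################################
ipt() {
  if ! iptables "$@"; then
    printf 'firewall: rule failed: iptables %s\n' "$*" >&2
    rc=1
  fi
}

# Start from an empty filter table: flush every chain first (so nothing still
# references the user chains), then delete the user chains so that -N below
# does not fail with "Chain already exists" when the script is re-run.
ipt -F
ipt -X
#ipset -F
# Reload the recent module so the larger table sizes take effect. rmmod fails
# harmlessly when the module is not loaded yet; if it is still referenced from
# another table, the new parameters will not be applied and the defaults stay.
rmmod xt_recent 2>/dev/null || true
if ! modprobe ipt_recent ip_list_tot=50000 ip_pkt_list_tot=3; then
  printf 'firewall: modprobe ipt_recent failed; recent lists use default sizes\n' >&2
  rc=1
fi
#ipset -N block iphash
#ipset -N white iphash
for chain in fw-input http nntp icmp existing white clfire black; do
  ipt -N "$chain"
done
ipt -A INPUT -i "$wan_if" -j fw-input
ipt -A FORWARD -i "$wan_if" -j fw-input

# enable local connects
ipt -A fw-input -i lo -j ACCEPT

# bad packets: a SYN+ACK that would open a new conntrack entry is reset,
# any other NEW packet without SYN is dropped
ipt -A fw-input -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
#ipt -A fw-input -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute -j LOG --log-level debug --log-prefix NEW-NOT-SYN:
ipt -A fw-input -p tcp ! --syn -m state --state NEW -j DROP

# enable me always on ssh
#ipt -A fw-input -p tcp -s MY_IP -m tcp --dport "$ssh_port" -j ACCEPT

# Cloudflare whitelist. Snapshot of the ranges known when this was written;
# refresh from Cloudflare's published list when maintaining.
# NOTE(review): this jump matches every TCP port, so these sources also skip
# the lock-out, rate-limit and final DROP rules for ports other than 80/443
# (e.g. 8006) — confirm that is intended.
clfire_nets=(
  204.93.240.0/24
  204.93.177.0/24
  199.27.128.0/21
  173.245.48.0/20
  103.21.244.0/22
  103.22.200.0/22
  103.31.4.0/22
  141.101.64.0/18
  108.162.192.0/18
  190.93.240.0/20
  188.114.96.0/20
  197.234.240.0/22
  198.41.128.0/17
  162.158.0.0/15
)
ipt -A fw-input -p tcp -j clfire
for net in "${clfire_nets[@]}"; do
  ipt -A clfire -s "$net" -j ACCEPT
done
ipt -A clfire -j RETURN

# whitelist (http[s] only): crawlers that must never be rate-limited or locked
white_nets=(
  ### opera
  80.239.224.0/19
  82.145.208.0/21
  217.212.230.0/23
  64.255.180.0/24
  ### google
  66.249.64.0/19
  ### yandex
  95.108.138.0/24
  ### end
)
ipt -A fw-input -p tcp -m multiport --dports 80,443 -j white
for net in "${white_nets[@]}"; do
  ipt -A white -s "$net" -j ACCEPT
done
ipt -A white -j RETURN

# blacklist (http[s] and 8006): placeholder chain, empty until entries are added
ipt -A fw-input -p tcp -m multiport --dports 80,443,8006 -j black
ipt -A black -j RETURN

# lock catched: sources recorded in the recent lists are rejected while their
# entry is fresh. --rcheck only tests the timestamp; --update also refreshes
# it, so a host that keeps retrying stays locked until it goes quiet.
# NOTE(review): BLOCK_NNTP is populated in the nntp chain below but is never
# checked here — confirm whether nntp offenders are meant to be locked as well.
ipt -A fw-input -m recent --rcheck --name BLOCK --seconds 250 --rttl -j REJECT --reject-with icmp-host-prohibited
ipt -A fw-input -m recent --update --name BLOCK --seconds 300 --rttl -j REJECT --reject-with icmp-host-prohibited
ipt -A fw-input -m recent --rcheck --name BLOCK_PARALLELS --seconds 120 --rttl -j REJECT --reject-with icmp-host-prohibited
ipt -A fw-input -m recent --update --name BLOCK_PARALLELS --seconds 150 --rttl -j REJECT --reject-with icmp-host-prohibited

# pass established; a source holding more than 300 parallel connections is
# recorded in BLOCK_PARALLELS and rejected
ipt -A fw-input -m state --state RELATED,ESTABLISHED -j existing
ipt -A existing -p tcp -m connlimit --connlimit-above 300 -m recent --set --name BLOCK_PARALLELS -j REJECT --reject-with icmp-host-prohibited
ipt -A existing -j ACCEPT

# http: above 50 new connections/sec per source (burst 200) the source is
# recorded in BLOCK and the packet dropped
hashlimit_table=(--hashlimit-htable-size 32768 --hashlimit-htable-max 32768 --hashlimit-htable-expire 3000000)
ipt -A fw-input -p tcp -m multiport --dports 80,443 -m state --state NEW -j http
ipt -A http -p tcp -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-above 50/sec --hashlimit-burst 200 \
  "${hashlimit_table[@]}" \
  -m recent --set --name BLOCK -j DROP
ipt -A http -j ACCEPT

# icmp: echo reply, unreachable and time-exceeded pass, echo request is
# rate-limited, everything else is dropped
ipt -A fw-input -p icmp -j icmp
ipt -A icmp -p icmp --icmp-type 0 -j ACCEPT
ipt -A icmp -p icmp --icmp-type 3 -j ACCEPT
ipt -A icmp -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT
ipt -A icmp -p icmp --icmp-type 11 -j ACCEPT
ipt -A icmp -j DROP

# nntp: above 10 new connections/sec per source the source is recorded in
# BLOCK_NNTP and the packet dropped
ipt -A fw-input -p tcp -m multiport --dports 119,563,1119 -m state --state NEW -j nntp
ipt -A nntp -p tcp -m hashlimit --hashlimit-name nntp --hashlimit-mode srcip --hashlimit-above 10/sec \
  "${hashlimit_table[@]}" \
  -m recent --set --name BLOCK_NNTP -j DROP
ipt -A nntp -j ACCEPT

# ssh
ipt -A fw-input -p tcp -m tcp --dport "$ssh_port" -j ACCEPT

# finish: anything else arriving on $wan_if is dropped. NEW connections to
# 8006 end up here unless the source matched clfire above.
#ipt -A fw-input -p tcp -m limit --limit 3/minute -j LOG --log-level debug --log-prefix TCP-LOST:
ipt -A fw-input -p tcp -j DROP
#ipt -A fw-input -m limit --limit 3/minute -j LOG --log-level debug --log-prefix NONTCP-DROP:
ipt -A fw-input -j DROP

exit "$rc"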