API tools faq
paste
Guest User

Untitled

a guest
Jan 19th, 2017
1,301
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.88 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/sh
  2.  
  3. if [ "$1" = "start" ]; then
  4. echo '::: Uruchamianie blokadu'
  5.  
  6.  
  7. ##################################################################
  8. ##################################################################
  9. # ping_bloc
  10. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  11. # Ochrona przed atakiem typu Smurf
  12. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  13. # Nie aktceptujemy pakietow "source route"
  14. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  15. # Nie przyjmujemy pakietow ICMP rediect, ktore moga zmienic tablice routingu
  16. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  17. # Wlaczamy ochrone przed blednymi komunikatami ICMP error
  18. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  19. # Wlaczenie mechanizmu wykrywania oczywistych falszerstw
  20. # (pakiety znajdujace sie tylko tablicy routingu)
  21. echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  22. echo 1 > /proc/sys/net/ipv4/tcp_timestamps
  23. echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  24. echo 10 > /proc/sys/net/ipv4/ipfrag_time
  25. echo 36024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
  26. # zwiekszenie rozmaru tablicy ARP
  27. echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
  28. echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
  29. echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
  30. echo 1 > /proc/sys/net/ipv4/tcp_rfc1337
  31. echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
  32. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  33. echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
  34. echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
  35. echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
  36. echo 0 > /proc/sys/net/ipv4/tcp_sack
  37. echo 20 > /proc/sys/net/ipv4/ipfrag_time
  38. echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
  39. # Blokada przed atakami typu SYN FLOODING
  40. echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  41. # Właczenie proxy arp - dzieki temu serwer nie zdycha po kilku
  42. #echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
  43. # Zwiekszenie rozmiarutablic routingu
  44. echo "18192" > /proc/sys/net/ipv4/route/max_size
  45. ##################################################################
  46. ##################################################################
  47. # czyszczenie starych regul
  48. iptables -F
  49. iptables -X
  50. iptables -t nat -X
  51. iptables -t nat -F
  52. iptables -t mangle -F
  53. iptables -t mangle -X
  54.  
  55. # ustawienie domyslnej polityki
  56. iptables -P INPUT ACCEPT
  57. iptables -P FORWARD ACCEPT
  58. iptables -P OUTPUT ACCEPT
  59.  
  60. iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
  61. iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
  62. iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP
  63.  
  64. # wykrywanie skanowania NULL
  65. iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_NULL: "
  66. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  67.  
  68. # wszystkie pakiety uznane za NEW bez flagi SYN sa podejrzane
  69. iptables -N skany
  70. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j skany
  71. iptables -A skany -p tcp --tcp-flags ALL RST -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_INVERSE: "
  72. iptables -A skany -p tcp --tcp-flags ALL RST -j DROP
  73. iptables -A skany -p tcp --tcp-flags ALL ACK -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_TCP_PING: "
  74. iptables -A skany -p tcp --tcp-flags ALL ACK -j DROP
  75. iptables -A skany -p tcp --tcp-flags ALL FIN -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_FIN: "
  76. iptables -A skany -p tcp --tcp-flags ALL FIN -j DROP
  77. iptables -A skany -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_XMAS-NMAP: "
  78. iptables -A skany -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  79. iptables -A skany -p tcp -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_INNE: "
  80. iptables -A skany -j DROP
  81.  
  82. # Lancuch syn-flood (obrona przed DoS)
  83. iptables -N syn-flood
  84. iptables -A INPUT -p tcp --syn -j syn-flood
  85. iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
  86. iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SYN-FLOOD: "
  87. iptables -A syn-flood -j DROP
  88. iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  89. iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  90.  
  91. # ping
  92. iptables -A INPUT -p icmp -s 0/0 -m limit --limit 1/s --limit-burst 4 -j ACCEPT
  93.  
  94. # utrzymanie polaczen nawiazanych
  95. iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
  96. iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
  97. iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
  98.  
  99.  
  100. elif [ "$1" = "stop" ]; then
  101. echo "::: Zatrzymanie blokady"
  102. iptables -F
  103. iptables -X
  104. iptables -t nat -X
  105. iptables -t nat -F
  106. iptables -t mangle -F
  107. iptables -t mangle -X
  108.  
  109. fi
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!