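#!/bin/sh
# Originally by Friends Land and edited by Kaiser
#
# Host firewall for an OTServ box: hardens a few IPv4 sysctls and loads an
# iptables ruleset. Usage: firewall.sh {start|stop}. Needs root.
# IPv4 only: ip6tables is never touched, so an IPv6 address on this host is
# not filtered by this script at all.

# Locate the iptables binary. The old `whereis iptables | awk '{print $2}'`
# returns whatever happens to be the second field (possibly a man page path,
# possibly nothing on a minimal install); with an empty $ipt every later
# "$ipt -F" runs the command "-F", all rules fail, and the policies are never
# changed. Prefer PATH, fall back to the conventional sbin locations, and
# refuse to continue without a binary rather than pretend to load rules.
ipt=$(command -v iptables 2>/dev/null)
if [ -z "$ipt" ]; then
  for candidate in /sbin/iptables /usr/sbin/iptables; do
    if [ -x "$candidate" ]; then
      ipt=$candidate
      break
    fi
  done
fi
if [ -z "$ipt" ]; then
  echo "Firewall: iptables binary not found" >&2
  exit 1
fi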
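# configure kernel
conf_kernel() {
  # Harden the IPv4 stack. Each knob is written to conf/all, conf/default
  # and every existing interface entry, not just conf/all as before: the
  # kernel combines the all/ value with the per-interface value differently
  # for each setting (e.g. with forwarding off, a redirect is accepted if
  # EITHER all/ or the interface's accept_redirects is 1, so writing only
  # all/accept_redirects=0 left redirects enabled on every interface).
  # Writing every entry makes the result independent of that rule, and
  # default/ covers interfaces brought up later.
  #
  #   accept_source_route=0  drop packets carrying source-route options
  #   accept_redirects=0     ignore ICMP redirects (routing-table tampering)
  #   rp_filter=1            strict reverse-path filtering (spoofing guard);
  #                          use 2 (loose) if this host has asymmetric routes
  #   log_martians=1         log spoofed / source-routed / redirect packets
  for knob in accept_source_route=0 accept_redirects=0 rp_filter=1 log_martians=1; do
    name=${knob%=*}
    value=${knob#*=}
    for path in /proc/sys/net/ipv4/conf/*/"$name"; do
      [ -e "$path" ] || continue
      # A failed write (read-only /proc in a container, missing knob) is
      # reported but does not abort, so the iptables rules still load.
      echo "$value" > "$path" 2>/dev/null || echo "Firewall: cannot set $path" >&2
    done
  done
  # Left disabled as in the original. Enable the first two unless this host
  # must answer broadcast pings (Smurf protection, bogus ICMP error replies);
  # the third silences all echo replies and is usually not wanted.
  # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
}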
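# deconfigure kernel
deconf_kernel() {
  # Revert the knobs conf_kernel set, on every conf/* entry it touched.
  # The values are the kernel's own host defaults, not whatever the distro's
  # sysctl.conf had before "start"; run `sysctl --system` afterwards if those
  # matter. accept_source_route is intentionally NOT re-enabled: 0 is already
  # the kernel default for a host, and the previous "stop" wrote 1, which left
  # the box accepting source-routed packets once the firewall was unloaded.
  for knob in accept_redirects=1 rp_filter=0 log_martians=0; do
    name=${knob%=*}
    value=${knob#*=}
    for path in /proc/sys/net/ipv4/conf/*/"$name"; do
      [ -e "$path" ] || continue
      echo "$value" > "$path" 2>/dev/null || echo "Firewall: cannot reset $path" >&2
    done
  done
  # conf_kernel does not set the ICMP toggles either; kept for reference.
  # echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  # echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
}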
clean_rules() {
  # Empty the filter and nat tables (rules and user-defined chains) and open
  # the three built-in policies. Called on "stop" and immediately before
  # start_rules reloads the set; until start_rules sets its DROP policies the
  # host is briefly fully open.
  "$ipt" -F
  "$ipt" -X
  "$ipt" -t nat -F
  "$ipt" -t nat -X
  for chain in FORWARD INPUT OUTPUT; do
    "$ipt" -P "$chain" ACCEPT
  done
}
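start_rules() {
  # Load the INPUT/FORWARD ruleset. Rules are appended in evaluation order, so
  # read this top to bottom as the packet path; whatever is not accepted hits
  # the DROP policy. This host does not route: FORWARD gets no ACCEPT rules.
  #
  # Changes from the previous version, each a real hole or dead rule:
  #  * an "-I INPUT -p tcp -m state --state NEW,ESTABLISHED ... -j ACCEPT"
  #    sat at the top of the chain and accepted every TCP packet from anyone,
  #    bypassing all port restrictions below it;
  #  * the conn-flood rules had "--syn/--limit" mangled to ".syn/.limit", were
  #    rejected by iptables, and the chain never saw traffic;
  #  * NEW non-SYN packets were dropped before the "scans" chain, so the scan
  #    logging never fired;
  #  * a 1 pkt/s ICMP cap followed by a blanket ICMP DROP made the later
  #    15/s ICMP rule unreachable and also dropped ICMP errors (PMTU);
  #  * every "-m recent" rule shared the DEFAULT list, so the OTS ban and the
  #    connection-rate counters corrupted each other.

  # Every rule goes through this wrapper so a rejected rule is reported
  # instead of silently skipped (see the ".syn" typo above).
  fw_rule() {
    "$ipt" "$@" || echo "Firewall: rule rejected: $ipt $*" >&2
  }

  # Default policies: deny inbound and transit, allow outbound.
  fw_rule -P INPUT DROP
  fw_rule -P FORWARD DROP
  fw_rule -P OUTPUT ACCEPT

  # Loopback must be accepted before the spoofing/bogon rules below.
  fw_rule -A INPUT -i lo -j ACCEPT

  # Replies to our own connections, for every protocol. RELATED covers the
  # FTP data channel (when the conntrack FTP helper is loaded) and ICMP errors
  # for our flows, such as "fragmentation needed".
  fw_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Conntrack has no state for these; drop early.
  fw_rule -A INPUT -m state --state INVALID -j DROP
  fw_rule -A FORWARD -m state --state INVALID -j DROP

  # Fragments. With conntrack loaded the kernel reassembles before the filter
  # table, so these rarely match; kept as defence in depth.
  fw_rule -A INPUT -f -j DROP
  fw_rule -A FORWARD -f -j DROP

  # NULL scan: no TCP flags at all.
  fw_rule -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 10/s --limit-burst 4 \
    -j LOG --log-level debug --log-prefix "firewall: SKAN_NULL: "
  fw_rule -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

  # A NEW TCP packet without SYN is a scan or a stale session: classify it,
  # log (rate-limited), drop. FORWARD gets a plain drop.
  fw_rule -N scans
  fw_rule -A INPUT -p tcp ! --syn -m state --state NEW -j scans
  fw_rule -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  fw_rule -A scans -p tcp --tcp-flags ALL RST -m limit --limit 10/s --limit-burst 4 \
    -j LOG --log-level debug --log-prefix "firewall: SKAN_INVERSE: "
  fw_rule -A scans -p tcp --tcp-flags ALL RST -j DROP
  fw_rule -A scans -p tcp --tcp-flags ALL ACK -m limit --limit 10/s --limit-burst 4 \
    -j LOG --log-level debug --log-prefix "firewall: SKAN_TCP_PING: "
  fw_rule -A scans -p tcp --tcp-flags ALL ACK -j DROP
  fw_rule -A scans -p tcp --tcp-flags ALL FIN -m limit --limit 10/s --limit-burst 4 \
    -j LOG --log-level debug --log-prefix "firewall: SKAN_FIN: "
  fw_rule -A scans -p tcp --tcp-flags ALL FIN -j DROP
  fw_rule -A scans -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 10/s --limit-burst 4 \
    -j LOG --log-level debug --log-prefix "firewall: SKAN_XMAS-NMAP: "
  fw_rule -A scans -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  fw_rule -A scans -p tcp -m limit --limit 10/s --limit-burst 4 \
    -j LOG --log-level debug --log-prefix "firewall: SKAN_INNE: "
  fw_rule -A scans -j DROP

  # Sources that cannot legitimately reach us from outside. The RFC 1918
  # rules assume this host sits on a public address; on a LAN they also block
  # your own neighbours, so add "-i <wan interface>" to them in that case.
  # The single address below was labelled "Land attack" by the original
  # author, presumably this host's own address (a LAND packet spoofs
  # src == dst); verify it still belongs to this host before keeping it.
  fw_rule -A INPUT -s 178.217.184.190 -j DROP    # Land attack
  fw_rule -A INPUT -s 10.0.0.0/8 -j DROP         # RFC 1918
  fw_rule -A INPUT -s 172.16.0.0/12 -j DROP      # RFC 1918
  fw_rule -A INPUT -s 192.168.0.0/16 -j DROP     # RFC 1918
  fw_rule -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP # loopback range on a real interface
  fw_rule -A INPUT -s 224.0.0.0/4 -j DROP        # multicast is never a valid source
  fw_rule -A INPUT -d 224.0.0.0/4 -j DROP        # no inbound multicast either
  fw_rule -A INPUT -s 240.0.0.0/4 -j DROP        # reserved (was /5, which left 248.0.0.0/5 open)

  # OTServ login/game ports: a source holding more than 10 concurrent
  # connections to either port is dropped and barred from opening new TCP
  # connections for 60 s after its last offence. The ban list is named so it
  # no longer shares the DEFAULT recent list with the counters below.
  fw_rule -A INPUT -p tcp -m recent --name otsban --rcheck --seconds 60 -j DROP
  fw_rule -A INPUT -p tcp --dport 7171 -m connlimit --connlimit-above 10 -m recent --name otsban --set -j DROP
  fw_rule -A INPUT -p tcp --dport 7172 -m connlimit --connlimit-above 10 -m recent --name otsban --set -j DROP

  # SYN flood: per-source SYN rate. A single global "-m limit" (the previous
  # design) lets one flooder push the counter over the limit and starve every
  # other client, so the limit is keyed on the source address instead.
  fw_rule -N conn-flood
  fw_rule -A INPUT -p tcp --syn -j conn-flood
  fw_rule -A conn-flood -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip \
    --hashlimit-upto 7/s --hashlimit-burst 20 -j RETURN
  fw_rule -A conn-flood -j DROP

  # Per-source connection rate: the 20th NEW TCP connection from one address
  # within 3 s, and any further ones while it keeps trying, are dropped.
  # "--set" records the attempt without a target; "--update" drops once the
  # hit count is reached (hitcount must not exceed xt_recent's ip_pkt_list_tot,
  # 20 by default).
  fw_rule -A INPUT -p tcp -m state --state NEW -m recent --name newconn --set
  fw_rule -A INPUT -p tcp -m state --state NEW -m recent --name newconn --update --seconds 3 --hitcount 20 -j DROP

  # ICMP: answer echo requests at a modest rate; everything else inbound that
  # is not RELATED to one of our connections (accepted above) is dropped.
  fw_rule -A INPUT -p icmp --icmp-type echo-request -m limit --limit 15/s --limit-burst 20 -j ACCEPT
  fw_rule -A INPUT -p icmp -j DROP

  # What we allow
  # SSH, with a per-source brute-force brake: more than 10 NEW connections
  # from one address within 60 s are dropped. Raise the threshold before
  # relying on it from an address that opens many sessions (automation).
  fw_rule -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
  fw_rule -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 10 -j DROP
  fw_rule -A INPUT -p tcp --dport 22 -j ACCEPT
  # FTP control channel. Credentials travel in clear text; prefer SFTP on 22.
  # Passive-mode data connections are only accepted (as RELATED) if the
  # nf_conntrack_ftp / ip_conntrack_ftp helper module is loaded.
  fw_rule -A INPUT -p tcp --dport 21 -j ACCEPT
  # http
  fw_rule -A INPUT -p tcp --dport 80 -j ACCEPT
  # Tibia ( Otserv ) login and game ports
  fw_rule -A INPUT -p tcp --dport 7171 -j ACCEPT
  fw_rule -A INPUT -p tcp --dport 7172 -j ACCEPT
}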
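# Entry point. "start" hardens the kernel and loads the rules, "stop" reverts
# both, "restart" is the same as "start" (start already flushes the old set).
# Exits 0 on success: the previous "start" branch exited 1 even after loading
# cleanly, which an init system reads as a failed start. The usage message
# used an undefined $NAME; $0 is what the script was actually invoked as.
require_root() {
  # iptables and the /proc/sys writes both need root; fail loudly up front
  # instead of emitting one "Permission denied" per rule.
  if [ "$(id -u)" -ne 0 ]; then
    echo "Firewall: must be run as root" >&2
    exit 1
  fi
}

case "$1" in
  start|restart)
    require_root
    echo "Firewall: Loading..."
    conf_kernel
    clean_rules
    start_rules
    echo "Firewall: Loaded."
    ;;
  stop)
    require_root
    echo "Firewall: Unloading..."
    deconf_kernel
    clean_rules
    echo "Firewall: Unloaded."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0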