iptables rules
  1. #!/bin/sh
  2. IPTABLES="/sbin/iptables"
  3.  
  4. $IPTABLES -F
  5. $IPTABLES -t nat -F
  6. $IPTABLES -t mangle -F
  7. $IPTABLES -X
  8. $IPTABLES -t nat -X
  9. $IPTABLES -t mangle -X
  10. $IPTABLES -P INPUT ACCEPT
  11. $IPTABLES -P OUTPUT ACCEPT
  12. $IPTABLES -P FORWARD ACCEPT
  13.  
  14. $IPTABLES -N droplog
  15. $IPTABLES -N dropip
  16.  
  17. $IPTABLES -I droplog -p TCP -j LOG -m limit --limit 20/min --log-prefix="DROP TCP-Packet: " --log-level crit
  18. $IPTABLES -I droplog -p UDP -j LOG -m limit --limit 20/min --log-prefix="DROP UDP-Packet: " --log-level crit
  19. $IPTABLES -I droplog -p ICMP -j LOG -m limit --limit 20/min --log-prefix="DROP ICMP-Packet: " --log-level crit
  20.  
  21. $IPTABLES -P INPUT DROP
  22. $IPTABLES -P OUTPUT DROP
  23. $IPTABLES -P FORWARD DROP
  24.  
  25. $IPTABLES -A dropip -j LOG -m limit --limit 1/min --log-prefix 'DROPIPS: ' --log-level 4
  26. $IPTABLES -A dropip -j DROP
  27.  
  28. $IPTABLES -A INPUT -m state --state INVALID -j DROP
  29. $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  30.  
  31. $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  32. $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  33. $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  34. $IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  35. $IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  36. $IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  37. $IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
  38.  
  39. $IPTABLES -A INPUT -i lo -j ACCEPT
  40. $IPTABLES -A OUTPUT -o lo -j ACCEPT
  41.  
  42. $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  43. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  44.  
  45. $IPTABLES -I OUTPUT -o eth0 -p ICMP --icmp-type echo-reply -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  46. $IPTABLES -I INPUT -i eth0 -p ICMP --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
  47.  
  48. $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  49. $IPTABLES -A INPUT -s 95.154.113.71 -j ACCEPT
  50. $IPTABLES -I INPUT -i eth0 -p ICMP --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  51. $IPTABLES -I OUTPUT -o eth0 -p ICMP --icmp-type echo-request -m state --state ESTABLISHED,RELATED -j ACCEPT
  52.  
  53. $IPTABLES -A INPUT -i eth0 -m state --state NEW -p tcp --dport 6000:6003 -j ACCEPT
  54. $IPTABLES -A INPUT -i eth0 -m state --state NEW -p tcp --dport 7001:7002 -j ACCEPT
  55. $IPTABLES -A INPUT -i eth0 -m state --state NEW -p udp --dport 27005 -j ACCEPT
  56. $IPTABLES -A INPUT -i eth0 -m state --state NEW -p udp --dport 27010 -j ACCEPT
  57. $IPTABLES -A INPUT -p udp -m udp --sport 27000:27030 --dport 1025:65355 -j ACCEPT
  58. $IPTABLES -A INPUT -p udp -m udp --sport 4380 --dport 1025:65355 -j ACCEPT
  59.  
  60. $IPTABLES -A INPUT -p udp --dport 27015:27540 -m length --length 0:32 -j LOG --log-prefix "SRCDSXSQUERY: " --log-ip-options -m limit --limit 1/m --limit-burst 1
  61. $IPTABLES -A INPUT -p udp --dport 27015:27540 -m length --length 0:32 -j DROP
  62. $IPTABLES -A INPUT -p udp --dport 27015:27540 -m length --length 2521:65535 -j LOG --log-prefix "SRCDSXLFRAG: " --log-ip-options -m limit --limit 1/m --limit-burst 1
  63. $IPTABLES -A INPUT -p udp --dport 27015:27540 -m length --length 2521:65535 -j DROP
  64. $IPTABLES -A INPUT -p udp --dport 27015:27540 -m state --state ESTABLISH -j ACCEPT
  65. $IPTABLES -A INPUT -p udp --dport 27015:27540 -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 8/s --hashlimit-burst 10 -j ACCEPT
  66. $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 27015:27540 -m hashlimit --hashlimit-upto 1/Min --hashlimit-burst 1 --hashlimit-mode srcip,dstip,dstport --hashlimit-name "RCONLIMIT" -j ACCEPT
  67.  
  68.  
  69. $IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  70.  
  71. $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 2/s -j ACCEPT
  72.  
  73. $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  74.  
  75. $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  76. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  77.  
  78.  
  79. $IPTABLES -A INPUT -m state --state INVALID -j droplog
  80.  
  81. $IPTABLES -A INPUT -j droplog
  82. $IPTABLES -A OUTPUT -j droplog
  83. $IPTABLES -A FORWARD -j droplog