API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Oct 22nd, 2014
141
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 5.86 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/sh
  2.  
  3. # VARS
  4. SERVER_IP="37.59.67.100"
  5. NET_DEV="eth0"
  6. IPT="/sbin/iptables"
  7. MAX_NEW_PER_SECOND="20"                 # MAX NEUE Verbindungen je Sekunde. 5 dürfte hier Gesund sein. Alles unter 100 sollte der Server Verkraften. (Antihammer)
  8.  
  9. HTTP_PORT="21 80 90 100"
  10. OPENVPN_PORTS_UDP="28931 30399 31479 32197 34791 36113"         # Frei udp Ports für Openvpn. Falls ohne Openvpn hier einfach leer lassen.
  11. OPENVPN_PORTS_TCP=""                    # Freo tcp Ports für Openvpn.      -- " --
  12. OPENVPN_TUN_NICE="tun0 tun1 tun2 tun3 tun4 tun10"
  13. OPENVPN_TUN_JAIL="tun5"
  14.  
  15. OSCAM_WEBIF="8888 8889"                 # Oscam Webif darf rein, mehrere ports möglich BEISPIEL ="8888 12000"
  16. OSCAM_PORTS_TCP="61618 1024 1026 24024 24025"           # Oscam CS Ports. Wähle weise! Hier ist kein Ratelimit / Connection Limit drauf. Je weniger desto gut!
  17. OSCAM_PORTS_UDP=""                      #
  18.  
  19. basement () {
  20.     # meister propper
  21.     $IPT -F
  22.     $IPT -X
  23.     # Du kommst hier net rein
  24.     $IPT -P INPUT DROP
  25.     $IPT -P OUTPUT DROP
  26.     $IPT -P FORWARD DROP
  27.     # lo darf natürlich alles
  28.     $IPT -A INPUT -i lo -j ACCEPT
  29.     $IPT -A OUTPUT -o lo -j ACCEPT
  30.     # Ausgehenden Verkehr gestatten
  31.     $IPT -A OUTPUT -o $NET_DEV -j ACCEPT
  32. }
  33.  
  34. ratelimit_all () {
  35.     # Alle Verbindungen unterliegen dem festgelegten Limit von XXX Verbindungen je Sekunde
  36.     $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  37.     $IPT -A INPUT -p udp -m udp --dport 0:65535 -m state --state NEW -m recent --set --name UDP --rsource
  38.     $IPT -A INPUT -p udp -m udp --dport 0:65535 -m state --state NEW -m recent --update --seconds 1 --hitcount $MAX_NEW_PER_SECOND --name UDP --rsource -j DROP
  39.     $IPT -A INPUT -p tcp -m tcp --dport 0:65535 -m state --state NEW -m recent --set --name TCP --rsource
  40.     $IPT -A INPUT -p tcp -m tcp --dport 0:65535 -m state --state NEW -m recent --update --seconds 1 --hitcount $MAX_NEW_PER_SECOND --rttl --name TCP --rsource -j DROP
  41. }
  42.  
  43. allow_all_tun () {
  44.     for tun in $OPENVPN_TUN_NICE;do
  45.         $IPT -A INPUT -i $tun -j ACCEPT
  46.         $IPT -A OUTPUT -o $tun -j ACCEPT
  47.         $IPT -A FORWARD -i $tun -o tun+ -j ACCEPT
  48.     done
  49.     for tun in $OPENVPN_TUN_JAIL;do
  50.         $IPT -A INPUT -i $tun -j ACCEPT
  51.         $IPT -A OUTPUT -o $tun -j ACCEPT
  52.         $IPT -A FORWARD -i $tun -o tun+ -j DROP
  53.     done
  54. }
  55.  
  56. limited_ssh () {
  57.     # ssh darf rein aber nur 5 Verbindungen gleichzeitig
  58.     #$IPT -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 2 -j DROP
  59.     /sbin/iptables  -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 5 -j REJECT
  60.     $IPT -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  61.     $IPT -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 443 --dport 513:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
  62. }
  63.  
  64. limited_http () {
  65.     # http geöffnet limit ist 20 Verbindungen gleichzeitig
  66.     if [ -n "$HTTP_PORT" ];then
  67.     for port in $HTTP_PORT;do
  68.         $IPT -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
  69.         $IPT -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport $port --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
  70.         $IPT -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above 5 -j DROP
  71.     done
  72.     fi
  73. }
  74.  
  75. everything_oscam () {
  76.     # Oscam Wbif 5con/ip
  77.     if [ -n "$OSCAM_WEBIF" ];then
  78.         for port in $OSCAM_WEBIF;do
  79.             $IPT -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
  80.             $IPT -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport $port --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
  81.         done
  82.     fi
  83.     # Oscam CS Ports TCP
  84.     if [ -n "$OSCAM_PORTS_TCP" ];then
  85.         for port in $OSCAM_PORTS_TCP;do
  86.             $IPT -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
  87.             $IPT -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport $port --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
  88.         done
  89.     fi
  90.     # Oscam CS PORTS UDP
  91.     if [ -n "$OSCAM_PORTS_UDP" ];then
  92.         for port in $OSCAM_PORTS_UDP;do
  93.             $IPT -A INPUT -p udp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
  94.             $IPT -A OUTPUT -p udp -s $SERVER_IP -d 0/0 --sport $port --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
  95.         done
  96.     fi
  97. }
  98.  
  99. limited_openvpn () {
  100.     # Eingehende Openvpn Verbindungen sind erlaubt
  101.     if [ -n "$OPENVPN_PORTS_UDP" ];then
  102.         for port in $OPENVPN_PORTS_UDP;do
  103.             $IPT -A INPUT -p udp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
  104.             $IPT -A OUTPUT -p udp -s $SERVER_IP -d 0/0 --sport $port --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
  105.         done
  106.     fi
  107.     if [ -n "$OPENVPN_PORTS_TCP" ];then
  108.         for port in $OPENVPN_PORTS_TCP;do
  109.             $IPT -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
  110.             $IPT -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport $port --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
  111.         done
  112.     fi
  113. }
  114.  
  115. gw_vpn () {
  116.     $IPT -A INPUT -i tun4 -j ACCEPT
  117.     $IPT -A FORWARD -i tun4 -j ACCEPT
  118.     $IPT -A FORWARD -i tun4 -o $NET_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
  119.     $IPT -A FORWARD -i $NET_DEV -o tun4 -m state --state RELATED,ESTABLISHED -j ACCEPT
  120.     $IPT -t nat -A POSTROUTING -s 10.8.5.0/24 -o $NET_DEV -j MASQUERADE
  121. }
  122.  
  123. fw_off () {
  124.     # meister propper
  125.     $IPT -F
  126.     $IPT -X
  127.     # Du kommst hier net rein
  128.     $IPT -P INPUT ACCEPT
  129.     $IPT -P OUTPUT ACCEPT
  130.     $IPT -P FORWARD ACCEPT
  131.     # lo darf natürlich alles
  132.     $IPT -A INPUT -i lo -j ACCEPT
  133.     $IPT -A OUTPUT -o lo -j ACCEPT
  134. }
  135.  
  136. [ "$1" = "off" ] && fw_off && echo jo
  137. [ "$1" = "off" ] && gw_vpn
  138.  
  139. basement                # DROPALL / REENABLE OUT & LO
  140. ratelimit_all           # ANTI SYN
  141.  
  142. limited_ssh             # SSH 5/par/ip
  143. limited_http            # http 20/par/ip
  144. everything_oscam        # oscam darf alles
  145.  
  146. limited_openvpn         # Einwahl per openvpn erlauben                  OPENVPN
  147. allow_all_tun           # Weiterleitungen und ein- / ausgänge für         OPENVPN
  148. gw_vpn
  149.  
  150. # STFU - allway the last block
  151. $IPT -A INPUT -j DROP
  152. $IPT -A OUTPUT -j DROP
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!