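# iptables-restore ruleset (filter table only) for a single-homed host on eth0
# running web, SSH, DNS, Ajenti, a Starbound server and Mumble (murmur).
# Load with `iptables-restore < this-file`.  Every line is in restore syntax —
# the original mixed bare `iptables -A ...` command lines into the file, which
# iptables-restore rejects.
#
# Flow: INPUT does connection tracking and anti-spoof/malformed-packet checks,
# hands off to BLACKLIST (per-source bans), then THRU (allowed services), and
# finally logs and drops whatever is left.  LOGDROP is the target for blacklist
# entries: a rate-limited log line per service, then a reject.
#
# Caveats: this filters IPv4 only — if the host has a global IPv6 address the
# same services are reachable over v6 unfiltered until an equivalent ip6tables
# ruleset exists.  All LOG rules use level 7 (debug); make sure the syslog
# configuration actually records that level or the logs silently vanish.
*filter
# Default policies.  INPUT and FORWARD deny; everything outbound is allowed
# (see the OUTPUT rule at the bottom).  FORWARD DROP assumes this host does not
# route — if it ever does, add explicit FORWARD rules rather than opening the policy.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Known website attackers; only new (SYN) connections to port 80 pass through
# here.  Empty by default — add entries like `-A WEB -s <ip> -j LOGDROP`.
:WEB - [0:0]
# General blacklist for blocking specific sources on specific (or all) ports.
# Empty by default — add `-A BLACKLIST -s <ip> [-p tcp --dport N] -j LOGDROP`.
:BLACKLIST - [0:0]
# Services allowed in.  Anything not accepted here is logged and dropped.
:THRU - [0:0]
# Logs a blacklisted packet under a per-service prefix, then rejects it.
:LOGDROP - [0:0]

#### INPUT ####
# Replies to connections this host opened, plus related traffic (ICMP errors, etc.).
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback is unrestricted; anything addressed to 127/8 that did not arrive on
# lo is spoofed and is rejected.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Malformed TCP flag combinations used by scanners: no flags at all (NULL),
# every flag set (XMAS), and SYN together with FIN.
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# HTTP blacklist: new connections (SYN only, no ACK/RST) to port 80 go through WEB.
-A INPUT -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j WEB
# Main blacklist, then the service allow-list.  Both chains fall off the end
# (implicit RETURN) when nothing matches, so the packet reaches the log + drop below.
-A INPUT -j BLACKLIST
-A INPUT -j THRU
# Everything still here is dropped; log it (at most 1/s) so scans stay visible.
# The trailing space in the prefix keeps it separated from the "IN=" field in syslog.
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "drop_packet: " --log-level 7
-A INPUT -j DROP

#### THRU ####
# Ping: at most 1/sec (default burst of 5); excess echo requests fall through
# to the drop rule.
-A THRU -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
# SSH, open to the world.  Consider throttling new connections with `-m recent`
# (or fail2ban) to blunt password brute-forcing.
-A THRU -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
# DNS.  These were appended to INPUT *after* the log rule in the original, so
# every DNS query was logged as a "drop"; they now live in THRU like every other
# service (and are therefore also subject to BLACKLIST).  Only needed if this
# host *serves* DNS — replies to its own lookups are already covered by the
# RELATED,ESTABLISHED rule — and an unrestricted UDP/53 listener is an
# open-resolver / amplification risk unless the daemon itself limits recursion.
-A THRU -p udp -m udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A THRU -p udp -m udp --sport 53 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A THRU -p tcp -m tcp --dport 53 -j ACCEPT
# HTTP / HTTPS.
-A THRU -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A THRU -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
# Ajenti admin panel.  An administrative interface reachable from the internet;
# restrict it with `-s <admin-net>` if at all possible.
-A THRU -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
# Starbound server.
-A THRU -i eth0 -p tcp -m tcp --dport 21025 -j ACCEPT
# Mumble (murmur): TCP control channel and UDP voice.
-A THRU -i eth0 -p tcp -m tcp --dport 64738 -j ACCEPT
-A THRU -i eth0 -p udp -m udp --dport 64738 -j ACCEPT
# Murmur Ice (RPC) interface.  Ice runs over TCP; the original rule combined
# `-p tcp` with `-m udp`, which iptables-restore refuses to load.  Ice gives
# administrative control of the server and murmur normally binds it to
# 127.0.0.1 — only open it here if a remote controller really needs it, and
# then restrict the rule with `-s <controller-ip>`.
-A THRU -i eth0 -p tcp -m tcp --dport 6502 -j ACCEPT

#### LOGDROP ####
# One rate-limited log line per minute per service, then reject.
-A LOGDROP -p tcp -m tcp --dport 80 -m limit --limit 1/min -j LOG --log-prefix "web_blacklist: " --log-level 7
-A LOGDROP -p tcp -m tcp --dport 22 -m limit --limit 1/min -j LOG --log-prefix "ssh_blacklist: " --log-level 7
-A LOGDROP -p tcp -m tcp --dport 8000 -m limit --limit 1/min -j LOG --log-prefix "ajenti_blacklist: " --log-level 7
-A LOGDROP -p tcp -m tcp --dport 21025 -m limit --limit 1/min -j LOG --log-prefix "starbound_blacklist: " --log-level 7
-A LOGDROP -p tcp -m tcp --dport 64738 -m limit --limit 1/min -j LOG --log-prefix "mumble_blacklist: " --log-level 7
-A LOGDROP -p udp -m udp --dport 64738 -m limit --limit 1/min -j LOG --log-prefix "mumble_blacklist: " --log-level 7
-A LOGDROP -p tcp -m tcp --dport 6502 -m limit --limit 1/min -j LOG --log-prefix "mumble_blacklist: " --log-level 7
# REJECT rather than DROP (despite the chain name) so blocked clients fail fast;
# switch to `-j DROP` if you would rather not confirm to them that the host is up.
-A LOGDROP -j REJECT --reject-with icmp-host-prohibited

#### OUTPUT ####
# All outbound traffic is allowed.
-A OUTPUT -j ACCEPT
COMMIT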