  1. *filter
  2. #A list of known website attackers
  3. -N WEB
  4.  
  5. # general blacklist that can be used to block specific users on specific (or all) ports.
  6. -N BLACKLIST
  7.  
  8. #ports allowed through
  9. -N THRU
  10.  
  11. # logs packets to our custom log file and then drops the packet.
  12. -N LOGDROP
  13.  
  14. # Accepts all established inbound connections
  15. -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  16.  
  17. # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
  18. -A INPUT -i lo -j ACCEPT
  19. -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
  20. #Looks for malformed packets and drops them
  21. -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  22.  
  23. #http blacklist
  24. -A INPUT -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j WEB
  25. #main black list
  26. iptables -A INPUT -j BLACKLIST
  27. #allowed
  28. iptables -A INPUT -j THRU
  29. #logging
  30. iptables -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "drop_packet" --log-level 7
  31.  
  32. #### THRU ####
  33. #ping allow 1/sec
  34. -A THRU -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
  35.  
  36. #ssh allow
  37. -A THRU -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
  38.  
  39. #allow dns
  40. -A INPUT -p udp -s 0/0 --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  41. -A INPUT -p udp -s 0/0 --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  42. -A INPUT -p TCP --dport 53 -j ACCEPT
  43.  
  44. #allow http/https
  45. -A THRU -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
  46. -A THRU -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
  47.  
  48. #allows Ajenti
  49. -A THRU -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
  50.  
  51. #allows Starbound Server
  52. -A THRU -i eth0 -p tcp -m tcp --dport 21025 -j ACCEPT
  53.  
  54. #Allows mumble
  55. -A THRU -i eth0 -p tcp -m tcp --dport 64738 -j ACCEPT
  56. -A THRU -i eth0 -p udp -m udp --dport 64738 -j ACCEPT
  57.  
  58. #allows ice for mummur (mumble)
  59. -A THRU -i eth0 -p tcp -m udp --dport 6502 -j ACCEPT
  60.  
  61. #drop all Input
  62. -A INPUT -j DROP
  63. -P INPUT DROP
  64.  
  65. ### LOG ###
  66. -A LOGDROP -p tcp -m tcp --dport 80 -m limit --limit 1/min -j LOG --log-prefix "web_blacklist" --log-level 7
  67. -A LOGDROP -p tcp -m tcp --dport 22 -m limit --limit 1/min -j LOG --log-prefix "ssh_blacklist" --log-level 7
  68. -A LOGDROP -p tcp -m tcp --dport 8000 -m limit --limit 1/min -j LOG --log-prefix "ajenti_blacklist" --log-level 7
  69. -A LOGDROP -p tcp -m tcp --dport 21025 -m limit --limit 1/min -j LOG --log-prefix "starbound_blacklist" --log-level 7
  70. -A LOGDROP -p tcp -m tcp --dport 64738 -m limit --limit 1/min -j LOG --log-prefix "mumble_blacklist" --log-level 7
  71. -A LOGDROP -p udp -m udp --dport 64738 -m limit --limit 1/min -j LOG --log-prefix "mumble_blacklist" --log-level 7
  72. -A LOGDROP -p tcp -m tcp --dport 6502 -m limit --limit 1/min -j LOG --log-prefix "mumble_blacklist" --log-level 7
  73. -A LOGDROP -j REJECT --reject-with icmp-host-prohibited
  74.  
  75. ######OUTPUT######
  76. #allow all outbound traffic
  77. -A OUTPUT -j ACCEPT
  78.  
  79. COMMIT