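#!/bin/bash
# Host firewall: default-deny INPUT and FORWARD, allow only the listed
# service ports, rate-limit ICMP, drop spoofed/bogon sources, and lock
# out for a day any host that touches the port-139 tripwire.
#
# Changes from the previous revision, all ordering/placement fixes:
#   * the portscan lockout, bogon drops, bad-flag drops, SYN-flood brake
#     and silent-drop ports now sit BEFORE the services ACCEPT; previously
#     they came after it (and after the rate-limited REJECT), so they only
#     ever saw overflow traffic and a "locked-out" scanner could still
#     reach every open port;
#   * the ICMP per-type drops moved from service_sec (only ever entered for
#     TCP/UDP, so they never matched) into other_packets, where ICMP flows;
#   * the duplicate port-135 rule is gone; the interface is configurable.
#
# Configuration: space-separated port lists, empty means none.
SERVICES_UDP=""
SERVICES_TCP="80"
# Untrusted interface; anti-spoofing and ping-drop rules key on it.
WAN_IF="${WAN_IF:-eth0}"

# Abort on the first iptables error rather than continue with a partial
# ruleset. The DROP policies are installed before any ACCEPT rule, so an
# abort leaves the host fail-closed. Note this also means a remote admin
# session (port 22 is silently dropped below anyway) will not survive.
set -eu

if [ "$(id -u)" -ne 0 ]; then
  echo "this script must run as root" >&2
  exit 1
fi

# --- reset -----------------------------------------------------------------
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# --- other_packets: conntrack sanity and ICMP policy -----------------------
iptables -N other_packets
iptables -A other_packets -m state --state INVALID -j DROP
# Routing-manipulation and recon ICMP types are never wanted.
iptables -A other_packets -p icmp --icmp-type redirect -j DROP
iptables -A other_packets -p icmp --icmp-type router-advertisement -j DROP
iptables -A other_packets -p icmp --icmp-type router-solicitation -j DROP
iptables -A other_packets -p icmp --icmp-type address-mask-request -j DROP
iptables -A other_packets -p icmp --icmp-type address-mask-reply -j DROP
# No pings from the untrusted side; remaining ICMP is rate-limited.
iptables -A other_packets -p icmp --icmp-type echo-request -i "$WAN_IF" -j DROP
iptables -A other_packets -p icmp -m limit --limit 1/s -j ACCEPT
iptables -A other_packets -j RETURN

# --- service_sec: per-port sanity checks, entered just before ACCEPT -------
iptables -N service_sec
# Private/loopback sources on the untrusted interface are spoofed.
iptables -A service_sec -i "$WAN_IF" -s 10.0.0.0/8 -j DROP
iptables -A service_sec -i "$WAN_IF" -s 172.16.0.0/12 -j DROP
iptables -A service_sec -i "$WAN_IF" -s 192.168.0.0/16 -j DROP
iptables -A service_sec -i "$WAN_IF" -s 127.0.0.0/8 -j DROP
# A NEW TCP connection must open with a bare SYN.
# (The previous "--syn -m limit 2/s ACCEPT" line is gone: SYNs over the
# limit fell through to the unconditional ACCEPT in `services` anyway, so
# it limited nothing.)
iptables -A service_sec -p tcp ! --syn -m state --state NEW -j DROP
# NULL and XMAS scans: log (rate-limited) and drop. The previous revision
# ACCEPTed one of each per hour, which reads like a mistyped LOG; logging
# is the only safe interpretation.
iptables -A service_sec -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j LOG --log-prefix "NULL scan:"
iptables -A service_sec -p tcp --tcp-flags ALL NONE -j DROP
iptables -A service_sec -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j LOG --log-prefix "XMAS scan:"
iptables -A service_sec -p tcp --tcp-flags ALL ALL -j DROP
iptables -A service_sec -j RETURN

# --- reject_packets: protocol-appropriate polite refusal -------------------
iptables -N reject_packets
iptables -A reject_packets -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject_packets -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_packets -p icmp -j REJECT --reject-with icmp-host-unreachable
iptables -A reject_packets -j REJECT --reject-with icmp-proto-unreachable
iptables -A reject_packets -j RETURN

# --- services: the only ACCEPT path for new inbound connections ------------
iptables -N services
# Word-splitting of the port lists is intentional.
# shellcheck disable=SC2086
for port in $SERVICES_TCP; do
  iptables -A services -p tcp --dport "$port" -j service_sec
  iptables -A services -p tcp --dport "$port" -j ACCEPT
done
# shellcheck disable=SC2086
for port in $SERVICES_UDP; do
  iptables -A services -p udp --dport "$port" -j service_sec
  iptables -A services -p udp --dport "$port" -j ACCEPT
done
iptables -A services -j RETURN

# --- INPUT -----------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Portscan lockout: anyone who hit the tripwire in the last 24h is dropped
# before any service is reachable. Entries older than a day are expired by
# the --remove rule (it only sees sources the --rcheck rule let through).
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove

# Bogon / spoofed addresses, keyed on the untrusted interface so a host that
# itself lives on a private LAN is not cut off from its neighbours.
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 224.0.0.0/4 240.0.0.0/5; do
  iptables -A INPUT -i "$WAN_IF" -s "$net" -j DROP
done
for net in 0.0.0.0/8 224.0.0.0/4 239.255.255.0/24 240.0.0.0/5 255.255.255.255; do
  iptables -A INPUT -i "$WAN_IF" -d "$net" -j DROP
done

iptables -A INPUT -j other_packets

# Illegal TCP flag combinations, before any port can be accepted.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN-flood brake: more than 60 new SYNs from one source within a second
# are dropped. NOTE(review): xt_recent caps --hitcount by its
# ip_pkt_list_tot module parameter (default 20) on older kernels, where
# this rule fails to load; raise the parameter or lower the count there.
iptables -A INPUT -p tcp --syn -m state --state NEW -m recent --name synflood --set
iptables -A INPUT -p tcp --syn -m state --state NEW -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP

# Port-139 tripwire: touching it puts the source on the lockout list.
iptables -A INPUT -p tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp --dport 139 -m recent --name portscan --set -j DROP

# Ports that are dropped silently instead of being rejected below.
for port in 22 98 113 135 445 901 3389 4662 6000 10000; do
  iptables -A INPUT -p tcp --dport "$port" -j DROP
done

iptables -A INPUT -j services
# Everything else is refused politely up to 10/s; beyond that the DROP
# policy absorbs it.
iptables -A INPUT -m limit --limit 10/s -j reject_packets

# --- FORWARD (policy DROP; tripwire kept for parity with INPUT) ------------
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --remove
iptables -A FORWARD -p tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp --dport 139 -m recent --name portscan --set -j DROP

# --- OUTPUT ----------------------------------------------------------------
iptables -A OUTPUT -j ACCEPT

# Persist the ruleset. This init-script interface is distro-specific; warn
# instead of failing the run when it is absent, since the rules are already
# live at this point.
if [ -x /etc/rc.d/iptables ]; then
  /etc/rc.d/iptables save
else
  echo "warning: /etc/rc.d/iptables not found; ruleset not saved" >&2
fi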