Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/sh
- IPT="/sbin/iptables"
- # Flush old rules
- $IPT --flush
- $IPT --delete-chain
- # Allow incoming and outgoing for loopback and allow outgoing
- $IPT -A INPUT -i lo -j ACCEPT
- $IPT -A OUTPUT -o lo -j ACCEPT
- $IPT -A OUTPUT -j ACCEPT
- # Allow related and established connections
- $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- # FTP
- modprobe ip_conntrack_ftp
- $IPT -A INPUT -p tcp -m tcp --dport 50000:50030 -j ACCEPT
- $IPT -A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
- # Allow ping
- iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
- # HTTP
- $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
- $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
- # Allow TeamSpeak 3
- $IPT -A INPUT -p udp --dport 9987 -j ACCEPT
- $IPT -A INPUT -p tcp --dport 10011 -j ACCEPT
- $IPT -A INPUT -p tcp --dport 30033 -j ACCEPT
- # Allow gameservers
- $IPT -A INPUT -p udp --dport 27000:27100 -j ACCEPT
- # Allow SSH
- $IPT -A INPUT -p tcp --dport ssh --jump ACCEPT
- # Allow RCON from specified addresses & GameME
- #$IPT -A INPUT -s 81.19.212.43 -p tcp --dport 27000:27100 --jump ACCEPT
- #$IPT -A INPUT -s 85.214.223.208 -p tcp --dport 27000:27100 --jump ACCEPT
- #$IPT -A INPUT -s 85.214.223.208 -p udp --dport 27000:27100 --jump ACCEPT
- #$IPT -A INPUT -s 85.214.245.206 -p tcp --dport 27000:27100 --jump ACCEPT
- #$IPT -A INPUT -s 85.214.245.206 -p udp --dport 27000:27100 --jump ACCEPT
- #$IPT -A INPUT -s 85.214.61.160 -p udp --dport 27000:27100 --jump ACCEPT
- #$IPT -A INPUT -s 94.76.240.18 -p tcp --dport 27000:27100 --jump ACCEPT
- #$IPT -A INPUT -s 94.76.240.26 -p tcp --dport 27000:27100 --jump ACCEPT
- # Allow certain IPs
- $IPT -A INPUT -s 81.19.212.43 --jump ACCEPT
- $IPT -A INPUT -s 85.214.223.208 --jump ACCEPT
- $IPT -A INPUT -s 85.214.245.206 --jump ACCEPT
- $IPT -A INPUT -s 85.214.61.160 --jump ACCEPT
- $IPT -A INPUT -s 94.76.240.18 --jump ACCEPT
- $IPT -A INPUT -s 94.76.240.26 --jump ACCEPT
- # Drop invalid packets immediately
- $IPT -A INPUT -m state --state INVALID -j DROP
- $IPT -A FORWARD -m state --state INVALID -j DROP
- $IPT -A OUTPUT -m state --state INVALID -j DROP
- # Reject packets from RFC1918 class networks (i.e., spoofed)
- $IPT -A INPUT -s 10.0.0.0/8 -j DROP
- $IPT -A INPUT -s 169.254.0.0/16 -j DROP
- $IPT -A INPUT -s 172.16.0.0/12 -j DROP
- $IPT -A INPUT -s 127.0.0.0/8 -j DROP
- $IPT -A INPUT -s 224.0.0.0/4 -j DROP
- $IPT -A INPUT -d 224.0.0.0/4 -j DROP
- $IPT -A INPUT -s 240.0.0.0/5 -j DROP
- $IPT -A INPUT -d 240.0.0.0/5 -j DROP
- $IPT -A INPUT -s 0.0.0.0/8 -j DROP
- $IPT -A INPUT -d 0.0.0.0/8 -j DROP
- $IPT -A INPUT -d 239.255.255.0/24 -j DROP
- $IPT -A INPUT -d 255.255.255.255 -j DROP
- # Drop bogus TCP packets
- $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
- $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
- # Block bad packets going to the gameservers
- $IPT -A INPUT ! --fragment -p udp -d 81.19.212.43 --dport 27000:27100 -m u32 --u32 "0 >> 22 & 0x3C @ 8 = 0x33424521 && 0 >> 22 & 0x3C @ 12 = 0x6f647936" -j DROP
- # Filter out packets with length 28
- $IPT -A INPUT -p udp -d 81.19.212.43 --dport 27015:27200 -m length --length 28 -j DROP
- # Stop smurf attacks
- iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
- iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
- iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
- # Drop excessive RST packets to avoid smurf attacks
- iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
- # Kill everything else that does not match these rules
- $IPT -P INPUT DROP
- $IPT -P FORWARD DROP
Add Comment
Please, Sign In to add comment
