API tools faq
paste
Advertisement
puzrin

Untitled

puzrin
Oct 27th, 2015
297
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 4.39 KB | None | 0 0
raw download clone embed print report
  1. iptables -F
  2.  
  3. #ipset -F
  4.  
  5. rmmod xt_recent
  6. modprobe ipt_recent ip_list_tot=50000 ip_pkt_list_tot=3
  7.  
  8. #ipset -N block iphash
  9. #ipset -N white iphash
  10.  
  11. iptables -N fw-input
  12. iptables -N http
  13. iptables -N nntp
  14. iptables -N icmp
  15. iptables -N existing
  16. iptables -N white
  17. iptables -N clfire
  18. iptables -N black
  19.  
  20. iptables -A INPUT -i vmbr0 -j fw-input
  21. iptables -A FORWARD -i vmbr0  -j fw-input
  22.  
  23. # enable local connects
  24. iptables -A fw-input -i lo -j ACCEPT
  25.  
  26. # bad packets
  27. iptables -A fw-input -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
  28. #iptables -A fw-input -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute -j LOG --log-level debug --log-prefix NEW-NOT-SYN:
  29. iptables -A fw-input -p tcp ! --syn -m state --state NEW -j DROP
  30.  
  31.  
  32. # enable me always on ssh
  33. #iptables -A fw-input -p tcp -s MY_IP -m tcp --dport 2222 -j ACCEPT
  34.  
  35.  
  36. # Cloudfire whitelist
  37. iptables -A fw-input -p tcp -j clfire
  38. iptables -A clfire -s 204.93.240.0/24 -j ACCEPT
  39. iptables -A clfire -s 204.93.177.0/24 -j ACCEPT
  40. iptables -A clfire -s 199.27.128.0/21 -j ACCEPT
  41. iptables -A clfire -s 173.245.48.0/20 -j ACCEPT
  42. iptables -A clfire -s 103.21.244.0/22 -j ACCEPT
  43. iptables -A clfire -s 103.22.200.0/22 -j ACCEPT
  44. iptables -A clfire -s 103.31.4.0/22 -j ACCEPT
  45. iptables -A clfire -s 141.101.64.0/18 -j ACCEPT
  46. iptables -A clfire -s 108.162.192.0/18 -j ACCEPT
  47. iptables -A clfire -s 190.93.240.0/20 -j ACCEPT
  48. iptables -A clfire -s 188.114.96.0/20 -j ACCEPT
  49. iptables -A clfire -s 197.234.240.0/22 -j ACCEPT
  50. iptables -A clfire -s 198.41.128.0/17 -j ACCEPT
  51. iptables -A clfire -s 162.158.0.0/15 -j ACCEPT
  52. iptables -A clfire -j RETURN
  53.  
  54.  
  55. # whitelist (http[s] only)
  56. iptables -A fw-input -p tcp -m multiport --dports 80,443 -j white
  57. ### opera
  58. iptables -A white -s 80.239.224.0/19 -j ACCEPT
  59. iptables -A white -s 82.145.208.0/21 -j ACCEPT
  60. iptables -A white -s 217.212.230.0/23 -j ACCEPT
  61. iptables -A white -s 64.255.180.0/24 -j ACCEPT
  62. ### google
  63. iptables -A white -s 66.249.64.0/19 -j ACCEPT
  64. ### yandex
  65. iptables -A white -s 95.108.138.0/24 -j ACCEPT
  66. ### end
  67. iptables -A white -j RETURN
  68.  
  69.  
  70. # blacklist (http[s] only)
  71. iptables -A fw-input -p tcp -m multiport --dports 80,443,8006 -j black
  72. iptables -A black -j RETURN
  73.  
  74.  
  75. # lock catched
  76. iptables -A fw-input -m recent --rcheck --name BLOCK --seconds 250 --rttl -j REJECT --reject-with icmp-host-prohibited
  77. iptables -A fw-input -m recent --update --name BLOCK --seconds 300 --rttl -j REJECT --reject-with icmp-host-prohibited
  78. iptables -A fw-input -m recent --rcheck --name BLOCK_PARALLELS --seconds 120 --rttl -j REJECT --reject-with icmp-host-prohibited
  79. iptables -A fw-input -m recent --update --name BLOCK_PARALLELS --seconds 150 --rttl -j REJECT --reject-with icmp-host-prohibited
  80.  
  81. # pass established
  82. iptables -A fw-input -m state --state RELATED,ESTABLISHED -j existing
  83. iptables -A existing -p tcp -m connlimit --connlimit-above 300 -m recent --set --name BLOCK_PARALLELS -j REJECT --reject-with icmp-host-prohibited
  84. iptables -A existing -j ACCEPT
  85.  
  86. # http
  87. iptables -A fw-input -p tcp -m multiport --dports 80,443 -m state --state NEW -j http
  88. iptables -A http -p tcp -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-above 50/sec --hashlimit-burst 200 \
  89.  --hashlimit-htable-size 32768 --hashlimit-htable-max 32768 --hashlimit-htable-expire 3000000 \
  90.  -m recent --set --name BLOCK -j DROP
  91. iptables -A http -j ACCEPT
  92.  
  93. # icmp
  94. iptables -A fw-input -p icmp -j icmp
  95. iptables -A icmp -p icmp --icmp-type 0 -j ACCEPT
  96. iptables -A icmp -p icmp --icmp-type 3 -j ACCEPT
  97. iptables -A icmp -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT
  98. iptables -A icmp -p icmp --icmp-type 11 -j ACCEPT
  99. iptables -A icmp -j DROP
  100.  
  101.  
  102. # nntp
  103. iptables -A fw-input -p tcp -m multiport --dports 119,563,1119 -m state --state NEW -j nntp
  104. iptables -A nntp -p tcp -m hashlimit --hashlimit-name nntp --hashlimit-mode srcip --hashlimit-above 10/sec \
  105.  --hashlimit-htable-size 32768 --hashlimit-htable-max 32768 --hashlimit-htable-expire 3000000 \
  106.  -m recent --set --name BLOCK_NNTP -j DROP
  107. iptables -A nntp -j ACCEPT
  108.  
  109. # ssh
  110. iptables -A fw-input -p tcp -m tcp --dport 2222 -j ACCEPT
  111.  
  112. # finish
  113. #iptables -A fw-input -p tcp -m limit --limit 3/minute -j LOG --log-level debug --log-prefix TCP-LOST:
  114. iptables -A fw-input -p tcp -j DROP
  115. #iptables -A fw-input -m limit --limit 3/minute -j LOG --log-level debug --log-prefix NONTCP-DROP:
  116. iptables -A fw-input -j DROP
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!