puzrin

Untitled

Oct 27th, 2015
  1. iptables -F
  2.  
  3. #ipset -F
  4.  
  5. rmmod xt_recent
  6. modprobe ipt_recent ip_list_tot=50000 ip_pkt_list_tot=3
  7.  
  8. #ipset -N block iphash
  9. #ipset -N white iphash
  10.  
  11. iptables -N fw-input
  12. iptables -N http
  13. iptables -N nntp
  14. iptables -N icmp
  15. iptables -N existing
  16. iptables -N white
  17. iptables -N clfire
  18. iptables -N black
  19.  
  20. iptables -A INPUT -i vmbr0 -j fw-input
  21. iptables -A FORWARD -i vmbr0  -j fw-input
  22.  
  23. # enable local connects
  24. iptables -A fw-input -i lo -j ACCEPT
  25.  
  26. # bad packets
  27. iptables -A fw-input -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
  28. #iptables -A fw-input -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute -j LOG --log-level debug --log-prefix NEW-NOT-SYN:
  29. iptables -A fw-input -p tcp ! --syn -m state --state NEW -j DROP
  30.  
  31.  
  32. # enable me always on ssh
  33. #iptables -A fw-input -p tcp -s MY_IP -m tcp --dport 2222 -j ACCEPT
  34.  
  35.  
  36. # Cloudfire whitelist
  37. iptables -A fw-input -p tcp -j clfire
  38. iptables -A clfire -s 204.93.240.0/24 -j ACCEPT
  39. iptables -A clfire -s 204.93.177.0/24 -j ACCEPT
  40. iptables -A clfire -s 199.27.128.0/21 -j ACCEPT
  41. iptables -A clfire -s 173.245.48.0/20 -j ACCEPT
  42. iptables -A clfire -s 103.21.244.0/22 -j ACCEPT
  43. iptables -A clfire -s 103.22.200.0/22 -j ACCEPT
  44. iptables -A clfire -s 103.31.4.0/22 -j ACCEPT
  45. iptables -A clfire -s 141.101.64.0/18 -j ACCEPT
  46. iptables -A clfire -s 108.162.192.0/18 -j ACCEPT
  47. iptables -A clfire -s 190.93.240.0/20 -j ACCEPT
  48. iptables -A clfire -s 188.114.96.0/20 -j ACCEPT
  49. iptables -A clfire -s 197.234.240.0/22 -j ACCEPT
  50. iptables -A clfire -s 198.41.128.0/17 -j ACCEPT
  51. iptables -A clfire -s 162.158.0.0/15 -j ACCEPT
  52. iptables -A clfire -j RETURN
  53.  
  54.  
  55. # whitelist (http[s] only)
  56. iptables -A fw-input -p tcp -m multiport --dports 80,443 -j white
  57. ### opera
  58. iptables -A white -s 80.239.224.0/19 -j ACCEPT
  59. iptables -A white -s 82.145.208.0/21 -j ACCEPT
  60. iptables -A white -s 217.212.230.0/23 -j ACCEPT
  61. iptables -A white -s 64.255.180.0/24 -j ACCEPT
  62. ### google
  63. iptables -A white -s 66.249.64.0/19 -j ACCEPT
  64. ### yandex
  65. iptables -A white -s 95.108.138.0/24 -j ACCEPT
  66. ### end
  67. iptables -A white -j RETURN
  68.  
  69.  
  70. # blacklist (http[s] only)
  71. iptables -A fw-input -p tcp -m multiport --dports 80,443,8006 -j black
  72. iptables -A black -j RETURN
  73.  
  74.  
  75. # lock catched
  76. iptables -A fw-input -m recent --rcheck --name BLOCK --seconds 250 --rttl -j REJECT --reject-with icmp-host-prohibited
  77. iptables -A fw-input -m recent --update --name BLOCK --seconds 300 --rttl -j REJECT --reject-with icmp-host-prohibited
  78. iptables -A fw-input -m recent --rcheck --name BLOCK_PARALLELS --seconds 120 --rttl -j REJECT --reject-with icmp-host-prohibited
  79. iptables -A fw-input -m recent --update --name BLOCK_PARALLELS --seconds 150 --rttl -j REJECT --reject-with icmp-host-prohibited
  80.  
  81. # pass established
  82. iptables -A fw-input -m state --state RELATED,ESTABLISHED -j existing
  83. iptables -A existing -p tcp -m connlimit --connlimit-above 300 -m recent --set --name BLOCK_PARALLELS -j REJECT --reject-with icmp-host-prohibited
  84. iptables -A existing -j ACCEPT
  85.  
  86. # http
  87. iptables -A fw-input -p tcp -m multiport --dports 80,443 -m state --state NEW -j http
  88. iptables -A http -p tcp -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-above 50/sec --hashlimit-burst 200 \
  89.  --hashlimit-htable-size 32768 --hashlimit-htable-max 32768 --hashlimit-htable-expire 3000000 \
  90.  -m recent --set --name BLOCK -j DROP
  91. iptables -A http -j ACCEPT
  92.  
  93. # icmp
  94. iptables -A fw-input -p icmp -j icmp
  95. iptables -A icmp -p icmp --icmp-type 0 -j ACCEPT
  96. iptables -A icmp -p icmp --icmp-type 3 -j ACCEPT
  97. iptables -A icmp -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT
  98. iptables -A icmp -p icmp --icmp-type 11 -j ACCEPT
  99. iptables -A icmp -j DROP
  100.  
  101.  
  102. # nntp
  103. iptables -A fw-input -p tcp -m multiport --dports 119,563,1119 -m state --state NEW -j nntp
  104. iptables -A nntp -p tcp -m hashlimit --hashlimit-name nntp --hashlimit-mode srcip --hashlimit-above 10/sec \
  105.  --hashlimit-htable-size 32768 --hashlimit-htable-max 32768 --hashlimit-htable-expire 3000000 \
  106.  -m recent --set --name BLOCK_NNTP -j DROP
  107. iptables -A nntp -j ACCEPT
  108.  
  109. # ssh
  110. iptables -A fw-input -p tcp -m tcp --dport 2222 -j ACCEPT
  111.  
  112. # finish
  113. #iptables -A fw-input -p tcp -m limit --limit 3/minute -j LOG --log-level debug --log-prefix TCP-LOST:
  114. iptables -A fw-input -p tcp -j DROP
  115. #iptables -A fw-input -m limit --limit 3/minute -j LOG --log-level debug --log-prefix NONTCP-DROP:
  116. iptables -A fw-input -j DROP