API tools faq
paste
Advertisement
CrazyEarner

Untitled

CrazyEarner
Nov 5th, 2013
70
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 17.04 KB | None | 0 0
raw download clone embed print report
  1. This is a UNIX style bash script, save it anywhere on your linux host machine and start it automatically with your server..
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8. #!/bin/sh
  9. #------------------------------------------------------------------------------
  10. #
  11. # File: SIG-antiDDoS.sh
  12. #
  13. # Compiler: Ruslan Abuzant <ruslan@abuzant.com>
  14. # PS> Collected From Lots Of Sources
  15. # PS> Credits: Real Authors (no idea)
  16. #
  17. # URL: http://www.liteforex.org/
  18. #
  19. # License: GNU GPL (version 2, or any later version).
  20. #
  21. # Configuration.
  22. #------------------------------------------------------------------------------
  23.  
  24. # For debugging use iptables -v.
  25. IPTABLES="/sbin/iptables"
  26. IP6TABLES="/sbin/ip6tables"
  27. MODPROBE="/sbin/modprobe"
  28. RMMOD="/sbin/rmmod"
  29. ARP="/usr/sbin/arp"
  30.  
  31.  
  32. # Logging options.
  33. #------------------------------------------------------------------------------
  34. LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
  35. LOG="$LOG --log-ip-options"
  36.  
  37.  
  38. # Defaults for rate limiting
  39. #------------------------------------------------------------------------------
  40. RLIMIT="-m limit --limit 3/s --limit-burst 8"
  41.  
  42.  
  43. # Unprivileged ports.
  44. #------------------------------------------------------------------------------
  45. PHIGH="1024:65535"
  46. PSSH="1000:1023"
  47.  
  48.  
  49. # Load required kernel modules
  50. #------------------------------------------------------------------------------
  51. $MODPROBE ip_conntrack_ftp
  52. $MODPROBE ip_conntrack_irc
  53.  
  54.  
  55. # Mitigate ARP spoofing/poisoning and similar attacks.
  56. #------------------------------------------------------------------------------
  57. # Hardcode static ARP cache entries here
  58. # $ARP -s IP-ADDRESS MAC-ADDRESS
  59.  
  60.  
  61. # Kernel configuration.
  62. #------------------------------------------------------------------------------
  63.  
  64. # Disable IP forwarding.
  65. # On => Off = (reset)
  66. echo 1 > /proc/sys/net/ipv4/ip_forward
  67. echo 0 > /proc/sys/net/ipv4/ip_forward
  68.  
  69. # Enable IP spoofing protection
  70. for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
  71.  
  72. # Protect against SYN flood attacks
  73. echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  74.  
  75. # Ignore all incoming ICMP echo requests
  76. echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  77.  
  78. # Ignore ICMP echo requests to broadcast
  79. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  80.  
  81. # Log packets with impossible addresses.
  82. for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
  83.  
  84. # Don't log invalid responses to broadcast
  85. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  86.  
  87. # Don't accept or send ICMP redirects.
  88. for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
  89. for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
  90.  
  91. # Don't accept source routed packets.
  92. for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
  93.  
  94. # Disable multicast routing
  95. for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
  96.  
  97. # Disable proxy_arp.
  98. for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
  99.  
  100. # Enable secure redirects, i.e. only accept ICMP redirects for gateways
  101. # Helps against MITM attacks.
  102. for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
  103.  
  104. # Disable bootp_relay
  105. for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
  106.  
  107. # Default policies.
  108. #------------------------------------------------------------------------------
  109.  
  110. # Drop everything by default.
  111. $IPTABLES -P INPUT DROP
  112. $IPTABLES -P FORWARD DROP
  113. $IPTABLES -P OUTPUT DROP
  114.  
  115. # Set the nat/mangle/raw tables' chains to ACCEPT
  116. $IPTABLES -t nat -P PREROUTING ACCEPT
  117. $IPTABLES -t nat -P OUTPUT ACCEPT
  118. $IPTABLES -t nat -P POSTROUTING ACCEPT
  119.  
  120. $IPTABLES -t mangle -P PREROUTING ACCEPT
  121. $IPTABLES -t mangle -P INPUT ACCEPT
  122. $IPTABLES -t mangle -P FORWARD ACCEPT
  123. $IPTABLES -t mangle -P OUTPUT ACCEPT
  124. $IPTABLES -t mangle -P POSTROUTING ACCEPT
  125.  
  126. # Cleanup.
  127. #------------------------------------------------------------------------------
  128.  
  129. # Delete all
  130. $IPTABLES -F
  131. $IPTABLES -t nat -F
  132. $IPTABLES -t mangle -F
  133.  
  134. # Delete all
  135. $IPTABLES -X
  136. $IPTABLES -t nat -X
  137. $IPTABLES -t mangle -X
  138.  
  139. # Zero all packets and counters.
  140. $IPTABLES -Z
  141. $IPTABLES -t nat -Z
  142. $IPTABLES -t mangle -Z
  143.  
  144. # Completely disable IPv6.
  145. #------------------------------------------------------------------------------
  146.  
  147. # Block all IPv6 traffic
  148. # If the ip6tables command is available, try to block all IPv6 traffic.
  149. if test -x $IP6TABLES; then
  150. # Set the default policies
  151. # drop everything
  152. $IP6TABLES -P INPUT DROP 2>/dev/null
  153. $IP6TABLES -P FORWARD DROP 2>/dev/null
  154. $IP6TABLES -P OUTPUT DROP 2>/dev/null
  155.  
  156. # The mangle table can pass everything
  157. $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
  158. $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
  159. $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
  160. $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
  161. $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
  162.  
  163. # Delete all rules.
  164. $IP6TABLES -F 2>/dev/null
  165. $IP6TABLES -t mangle -F 2>/dev/null
  166.  
  167. # Delete all chains.
  168. $IP6TABLES -X 2>/dev/null
  169. $IP6TABLES -t mangle -X 2>/dev/null
  170.  
  171. # Zero all packets and counters.
  172. $IP6TABLES -Z 2>/dev/null
  173. $IP6TABLES -t mangle -Z 2>/dev/null
  174. fi
  175.  
  176. # Custom user-defined chains.
  177. #------------------------------------------------------------------------------
  178.  
  179. # LOG packets, then ACCEPT.
  180. $IPTABLES -N ACCEPTLOG
  181. $IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
  182. $IPTABLES -A ACCEPTLOG -j ACCEPT
  183.  
  184. # LOG packets, then DROP.
  185. $IPTABLES -N DROPLOG
  186. $IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
  187. $IPTABLES -A DROPLOG -j DROP
  188.  
  189. # LOG packets, then REJECT.
  190. # TCP packets are rejected with a TCP reset.
  191. $IPTABLES -N REJECTLOG
  192. $IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
  193. $IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
  194. $IPTABLES -A REJECTLOG -j REJECT
  195.  
  196. # Only allows RELATED ICMP types
  197. # (destination-unreachable, time-exceeded, and parameter-problem).
  198. # TODO: Rate-limit this traffic?
  199. # TODO: Allow fragmentation-needed?
  200. # TODO: Test.
  201. $IPTABLES -N RELATED_ICMP
  202. $IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
  203. $IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
  204. $IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
  205. $IPTABLES -A RELATED_ICMP -j DROPLOG
  206.  
  207. # Make It Even Harder To Multi-PING
  208. $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
  209. $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
  210. $IPTABLES -A INPUT -p icmp -j DROP
  211. $IPTABLES -A OUTPUT -p icmp -j ACCEPT
  212.  
  213. # Only allow the minimally required/recommended parts of ICMP. Block the rest.
  214. #------------------------------------------------------------------------------
  215.  
  216. # TODO: This section needs a lot of testing!
  217.  
  218. # First, drop all fragmented ICMP packets (almost always malicious).
  219. $IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
  220. $IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
  221. $IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
  222.  
  223. # Allow all ESTABLISHED ICMP traffic.
  224. $IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
  225. $IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
  226.  
  227. # Allow some parts of the RELATED ICMP traffic, block the rest.
  228. $IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
  229. $IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
  230.  
  231. # Allow incoming ICMP echo requests (ping), but only rate-limited.
  232. $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
  233.  
  234. # Allow outgoing ICMP echo requests (ping), but only rate-limited.
  235. $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
  236.  
  237. # Drop any other ICMP traffic.
  238. $IPTABLES -A INPUT -p icmp -j DROPLOG
  239. $IPTABLES -A OUTPUT -p icmp -j DROPLOG
  240. $IPTABLES -A FORWARD -p icmp -j DROPLOG
  241.  
  242. # Selectively allow certain special types of traffic.
  243. #------------------------------------------------------------------------------
  244.  
  245. # Allow loopback interface to do anything.
  246. $IPTABLES -A INPUT -i lo -j ACCEPT
  247. $IPTABLES -A OUTPUT -o lo -j ACCEPT
  248.  
  249. # Allow incoming connections related to existing allowed connections.
  250. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  251.  
  252. # Allow outgoing connections EXCEPT invalid
  253. $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  254.  
  255. # Miscellaneous.
  256. #------------------------------------------------------------------------------
  257.  
  258. # We don't care about Milkosoft, Drop SMB/CIFS/etc..
  259. $IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
  260. $IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
  261.  
  262. # Explicitly drop invalid incoming traffic
  263. $IPTABLES -A INPUT -m state --state INVALID -j DROP
  264.  
  265. # Drop invalid outgoing traffic, too.
  266. $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  267.  
  268. # If we would use NAT, INVALID packets would pass - BLOCK them anyways
  269. $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  270.  
  271. # PORT Scanners (stealth also)
  272. $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
  273. $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
  274.  
  275. # TODO: Some more anti-spoofing rules? For example:
  276. # $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  277. # $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  278. # $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  279. $IPTABLES -N SYN_FLOOD
  280. $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
  281. $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
  282. $IPTABLES -A SYN_FLOOD -j DROP
  283.  
  284. # TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
  285. # $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
  286.  
  287. # Drop any traffic from IANA-reserved IPs.
  288. #------------------------------------------------------------------------------
  289.  
  290. $IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
  291. $IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
  292. $IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
  293. $IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
  294. $IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
  295. $IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
  296. $IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
  297. $IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
  298. $IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
  299. $IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
  300. $IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
  301. $IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
  302. $IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
  303. $IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
  304. $IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
  305. $IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
  306. $IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
  307. $IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
  308. $IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
  309. $IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
  310. $IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
  311. $IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
  312. $IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
  313. $IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
  314. $IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
  315. $IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
  316. $IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
  317. $IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
  318. $IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
  319. $IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP
  320.  
  321. # Selectively allow certain outbound connections, block the rest.
  322. #------------------------------------------------------------------------------
  323.  
  324. # Allow outgoing DNS requests. Few things will work without this.
  325. $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
  326. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
  327.  
  328. # Allow outgoing HTTP requests. Unencrypted, use with care.
  329. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
  330.  
  331. # Allow outgoing HTTPS requests.
  332. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
  333.  
  334. # Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
  335. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
  336.  
  337. # Allow outgoing "submission" (RFC 2476) requests.
  338. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
  339.  
  340. # Allow outgoing POP3S requests.
  341. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
  342.  
  343. # Allow outgoing SSH requests.
  344. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
  345.  
  346. # Allow outgoing FTP requests. Unencrypted, use with care.
  347. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
  348.  
  349. # Allow outgoing NNTP requests. Unencrypted, use with care.
  350. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
  351.  
  352. # Allow outgoing NTP requests. Unencrypted, use with care.
  353. # $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
  354.  
  355. # Allow outgoing IRC requests. Unencrypted, use with care.
  356. # Note: This usually needs the ip_conntrack_irc kernel module.
  357. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
  358.  
  359. # Allow outgoing requests to various proxies. Unencrypted, use with care.
  360. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
  361. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT
  362.  
  363. # Allow outgoing DHCP requests. Unencrypted, use with care.
  364. # TODO: This is completely untested, I have no idea whether it works!
  365. # TODO: I think this can be tightened a bit more.
  366. $IPTABLES -A OUTPUT -m state --state NEW -p udp --sport 67:68 --dport 67:68 -j ACCEPT
  367.  
  368. # Allow outgoing CVS requests. Unencrypted, use with care.
  369. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
  370.  
  371. # Allow outgoing MySQL requests. Unencrypted, use with care.
  372. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
  373.  
  374. # Allow outgoing SVN requests. Unencrypted, use with care.
  375. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT
  376.  
  377. # Allow outgoing PLESK requests. Unencrypted, use with care.
  378. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT
  379.  
  380. # Allow outgoing Tor (http://tor.eff.org) requests.
  381. # Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
  382. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
  383. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
  384. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
  385. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
  386. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
  387. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT
  388.  
  389. # Allow outgoing OpenVPN requests.
  390. $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
  391.  
  392. # TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
  393.  
  394. # Selectively allow certain inbound connections, block the rest.
  395. #------------------------------------------------------------------------------
  396.  
  397. # Allow incoming DNS requests.
  398. $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
  399. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
  400.  
  401. # Allow incoming HTTP requests.
  402. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
  403.  
  404. # Allow incoming HTTPS requests.
  405. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
  406.  
  407. # Allow incoming POP3 requests.
  408. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
  409.  
  410. # Allow incoming IMAP4 requests.
  411. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
  412.  
  413. # Allow incoming POP3S requests.
  414. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
  415.  
  416. # Allow incoming SMTP requests.
  417. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
  418.  
  419. # Allow incoming SSH requests.
  420. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
  421.  
  422. # Allow incoming FTP requests.
  423. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
  424.  
  425. # Allow incoming NNTP requests.
  426. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
  427.  
  428. # Allow incoming MySQL requests.
  429. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
  430.  
  431. # Allow incoming PLESK requests.
  432. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 8843 -j ACCEPT
  433.  
  434. # Allow incoming BitTorrent requests.
  435. # TODO: Are these already handled by ACCEPTing established/related traffic?
  436. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
  437. # $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT
  438.  
  439. # Allow incoming nc requests.
  440. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
  441. # $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT
  442.  
  443. # Explicitly log and reject everything else.
  444. #------------------------------------------------------------------------------
  445. # Use REJECT instead of REJECTLOG if you don't need/want logging.
  446. $IPTABLES -A INPUT -j REJECTLOG
  447. $IPTABLES -A OUTPUT -j REJECTLOG
  448. $IPTABLES -A FORWARD -j REJECTLOG
  449.  
  450.  
  451. #------------------------------------------------------------------------------
  452. # Testing the firewall.
  453. #------------------------------------------------------------------------------
  454.  
  455. # You should check/test that the firewall really works, using
  456. # iptables -vnL, nmap, ping, telnet, ...
  457.  
  458. # Exit gracefully.
  459. #------------------------------------------------------------------------------
  460.  
  461. exit 0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!