  1. #!/bin/bash
  2. while true
  3. do
  4. echo "
  5. ______ ___________ _____ _    _  ___  _     _
  6. |  ___|_   _| ___ |  ___| |  | |/ _ \| |   | |
  7. | |_    | | | |_/ | |__ | |  | / /_\ | |   | |
  8. |  _|   | | |    /|  __|| |/\| |  _  | |   | |
  9. | |    _| |_| |\ \| |___\  /\  | | | | |___| |____
  10. \_|    \___/\_| \_\____/ \/  \/\_| |_\_____\_____/
  11. "
  12.  
  13. # Deny all access
  14. sudo iptables -t filter -P INPUT DROP
  15. sudo iptables -t filter -P FORWARD DROP
  16. sudo iptables -t filter -P OUTPUT DROP
  17.  
  18. # Ready accept
  19. sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  20. sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  21.  
  22. # loop-back (localhost)
  23. sudo iptables -t filter -A INPUT -i lo -j ACCEPT
  24. sudo iptables -t filter -A OUTPUT -o lo -j ACCEPT
  25.  
  26. # Anti DDoS.
  27. sudo iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
  28. sudo iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
  29. sudo iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
  30. sudo iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  31. sudo iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
  32.  
  33. # Anti DDoS Config 2.
  34. sudo iptables -A INPUT -p tcp --syn -m limit --limit 2/s --limit-burst 30 -j ACCEPT
  35. sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  36. sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j ACCEPT
  37. sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j ACCEPT
  38.  
  39. # Reject spoofed packets.
  40. sudo iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
  41. sudo iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
  42. sudo iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
  43. sudo iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  44. sudo iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
  45. sudo iptables -t mangle -A PREROUTING -s 100.64.0.0/10 -j DROP
  46. sudo iptables -t mangle -A PREROUTING -s 239.0.0.0/8 -j DROP
  47. sudo iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j DROP
  48. sudo iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -j DROP
  49. sudo iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
  50. sudo iptables -t mangle -A PREROUTING -s 192.0.0.0/16 -j DROP
  51. sudo iptables -t mangle -A PREROUTING -s 192.88.99.0/24 -j DROP
  52. sudo iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  53. sudo iptables -t mangle -A PREROUTING -s 127.0.0.0/8 -j DROP
  54. sudo iptables -t mangle -A PREROUTING -s 203.0.113.0/24 -j DROP
  55. sudo iptables -t mangle -A PREROUTING -s 198.51.100.0/24 -j DROP
  56. sudo iptables -t mangle -A PREROUTING -s 198.18.0.0/15 -j DROP
  57. sudo iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
  58. sudo iptables -t mangle -A PREROUTING -s 239.255.255.0/24 -j DROP
  59. sudo iptables -t mangle -A PREROUTING -s 255.0.0.0/8 -j DROP
  60. sudo iptables -t mangle -A PREROUTING -d 255.255.255.255 -j DROP
  61.  
  62. # Block packets with bogus TCP flags.
  63. sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
  64. sudo iptables -t mangle -A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
  65. sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  66. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  67. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  68. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  69. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  70. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  71. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  72. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
  73. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  74. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
  75. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  76. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  77. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
  78. sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  79.  
  80. # Drop TCP packets that are new and are not SYN.
  81. sudo iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  82.  
  83. # Limit connections per source IP.
  84. sudo iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  
  85.  
  86. # Drop SYN packets with suspicious MSS value.
  87. sudo iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  88.  
  89. # Drop fragments in all chains.
  90. sudo iptables -t mangle -A PREROUTING -f -j DROP  
  91.  
  92. # Drop all invalid packets.
  93. sudo iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  94. sudo iptables -A INPUT -m state --state INVALID -j DROP
  95. sudo iptables -A FORWARD -m state --state INVALID -j DROP
  96. sudo iptables -A OUTPUT -m state --state INVALID -j DROP
  97.  
  98. # Drop excessive RST packets to avoid smurf attacks.
  99. sudo iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
  100.  
  101. # Limit new TCP connections per second per source IP.
  102. sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
  103. sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP  
  104.  
  105. #Port protection
  106. sudo iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
  107. sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
  108. sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 20 --hitcount 10 -j DROP
  109. sudo iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
  110. sudo iptables -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
  111. sudo iptables -A INPUT -p tcp -m tcp --dport 25565 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 3 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
  112.  
  113. #Anti DDoS Server Web.
  114. sudo iptables -t filter -N syn-flood
  115. sudo iptables -t filter -A INPUT -i eth0 -p tcp --syn -j syn-flood
  116. sudo iptables -t filter -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
  117. sudo iptables -t filter -A syn-flood -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
  118. sudo iptables -t filter -A syn-flood -j DROP
  119. sudo iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
  120. sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
  121. sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
  122. sudo iptables -t mangle -A PREROUTING -f -j DROP
  123. sudo iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  124. sudo iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
  125. #
  126. sleep 1
  127. done
  128. echo "Firewall was successfully installed!"
  129. done