Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- while true
- do
- echo "
- ______ ___________ _____ _ _ ___ _ _
- | ___|_ _| ___ | ___| | | |/ _ \| | | |
- | |_ | | | |_/ | |__ | | | / /_\ | | | |
- | _| | | | /| __|| |/\| | _ | | | |
- | | _| |_| |\ \| |___\ /\ | | | | |___| |____
- \_| \___/\_| \_\____/ \/ \/\_| |_\_____\_____/
- "
- # Deny all access
- sudo iptables -t filter -P INPUT DROP
- sudo iptables -t filter -P FORWARD DROP
- sudo iptables -t filter -P OUTPUT DROP
- # Ready accept
- sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- # loop-back (localhost)
- sudo iptables -t filter -A INPUT -i lo -j ACCEPT
- sudo iptables -t filter -A OUTPUT -o lo -j ACCEPT
- # Anti DDoS.
- sudo iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
- sudo iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
- sudo iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
- sudo iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
- sudo iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
- # Anti DDoS Config 2.
- sudo iptables -A INPUT -p tcp --syn -m limit --limit 2/s --limit-burst 30 -j ACCEPT
- sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
- sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j ACCEPT
- sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j ACCEPT
- # Reject spoofed packets.
- sudo iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 100.64.0.0/10 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 239.0.0.0/8 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 192.0.0.0/16 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 192.88.99.0/24 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 127.0.0.0/8 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 203.0.113.0/24 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 198.51.100.0/24 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 198.18.0.0/15 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 239.255.255.0/24 -j DROP
- sudo iptables -t mangle -A PREROUTING -s 255.0.0.0/8 -j DROP
- sudo iptables -t mangle -A PREROUTING -d 255.255.255.255 -j DROP
- # Block packets with bogus TCP flags.
- sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
- sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- # Drop TCP packets that are new and are not SYN.
- sudo iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
- # Limit connections per source IP.
- sudo iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
- # Drop SYN packets with suspicious MSS value.
- sudo iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
- # Drop fragments in all chains.
- sudo iptables -t mangle -A PREROUTING -f -j DROP
- # Drop all invalid packets.
- sudo iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
- sudo iptables -A INPUT -m state --state INVALID -j DROP
- sudo iptables -A FORWARD -m state --state INVALID -j DROP
- sudo iptables -A OUTPUT -m state --state INVALID -j DROP
- # Drop excessive RST packets to avoid smurf attacks.
- sudo iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
- # Limit new TCP connections per second per source IP.
- sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
- sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
- #Port protection
- sudo iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
- sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
- sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 20 --hitcount 10 -j DROP
- sudo iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
- sudo iptables -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
- sudo iptables -A INPUT -p tcp -m tcp --dport 25565 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 3 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
- #Anti DDoS Server Web.
- sudo iptables -t filter -N syn-flood
- sudo iptables -t filter -A INPUT -i eth0 -p tcp --syn -j syn-flood
- sudo iptables -t filter -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
- sudo iptables -t filter -A syn-flood -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
- sudo iptables -t filter -A syn-flood -j DROP
- sudo iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
- sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
- sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
- sudo iptables -t mangle -A PREROUTING -f -j DROP
- sudo iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
- sudo iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
- #
- sleep 1
- done
- echo "Firewall was successfully installed!"
- done
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
