Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##Good rules to help you mitigate Layer protection, by ShieldCommunity community
- #Please remember to ask us for other if you use panels (https://discord.gg/HhFxScZWAT) or xIsm4#9127
- #1 > Block invalid packets
- iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
- #2 > Packets that are not SYN (Only new=
- iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
- #3 > Block trash MSS Values (Good)
- iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
- #4 > Block Bogus Packets with TCP flags
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
- iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
- #5 (NOT GOOD SOMETIMES!!) > Block most of subnets
- iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
- iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
- iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
- iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
- iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
- iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
- iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
- iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
- iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
- 6# > Drop ICMPv4 protocol ping (Not v6) - (Good for ping-spam)
- iptables -t mangle -A PREROUTING -p icmp -j DROP
- iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
- 7# > Limit connections (If you're large network increase it)
- iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
- iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
- 8# > Limit TCP connections per/s
- iptables -t mangle -A PREROUTING -f -j DROP
- 9# > Limit fragmentation UDP flood
- iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
- iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
- 10# > SYNPROXY RULES:
- iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
- iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
- iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
- 11# > Avoid port scanning (Forwarding exploit)
- iptables -N port-scanning
- iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
- iptables -A port-scanning -j DROP
- 12# > Avoid Linux connections (OPTIONALL!!)
- iptables -A INPUT -p tcp -m tcp --dport 25565 --tcp-option 8 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
- ##Just install iptables-persistant for RedHat/CentOS based systems
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement