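#!/bin/bash
# SCRIPT FIREWALL — credits to Edresson Casanova (LUKE, RDM (SA-MP forums)).
# Anti-DDoS section adapted from the javapipe ruleset; SA-MP protection rules
# courtesy of Blackaslan.
#
# Purpose: rebuild this host's iptables ruleset for a SA-MP game server.
#   * kernel hardening via /proc/sys/net/ipv4 (SYN cookies, no ICMP redirects,
#     no source routing, reverse-path filter, martian logging, ping ignored)
#   * default DROP policy on INPUT, OUTPUT and FORWARD
#   * loopback, ESTABLISHED/RELATED inbound and all outbound traffic allowed
#   * only SSH (tcp/SSH_PORT) and the SA-MP port (udp/SAMP_PORT) are exposed
#   * bogus-flag, SYN-flood and scanner filters plus "recent" blocklists
#     (SUSPEITO, SYN-DROP) that escalate to a 1h / 24h DROP
#
# Usage (as root):
#   ./firewall.sh
#   SSH_PORT=2222 SAMP_PORT=7777 WAN_IF=ens3 ./firewall.sh
#
# Environment (all optional):
#   SSH_PORT   tcp port admitted for SSH                (default 22)
#   SAMP_PORT  udp port of the SA-MP server             (default 7894)
#   WAN_IF     interface used by the per-interface rules (default eth0)
#   IPT        iptables binary                          (default: iptables in PATH)
#   LOG_RATE   rate for the "monitor all traffic" LOG rules (default 10/s)
#
# Ordering note: iptables evaluates a chain top to bottom and the first
# terminating target wins.  The unconditional ACCEPT for SAMP_PORT added by
# allow_services() shadows most of the per-port UDP rules that samp_rules()
# appends later; those rules are kept as upstream wrote them (they only see
# packets the earlier rules did not match) and are annotated where shadowed.
# Moving the ACCEPT down would expose rules in samp_rules() that drop normal
# game traffic (see the comments there), so the order is left alone.

# ---------------------------------------------------------------------------
# Tunables (override through the environment; see header).
# ---------------------------------------------------------------------------
readonly SSH_PORT="${SSH_PORT:-22}"
readonly SAMP_PORT="${SAMP_PORT:-7894}"
readonly WAN_IF="${WAN_IF:-eth0}"
readonly IPT="${IPT:-iptables}"
readonly LOG_RATE="${LOG_RATE:-10/s}"   # tunable; 10/s is a constructed default
readonly SYSCTL_ROOT="/proc/sys/net/ipv4"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

#######################################
# Run one iptables command.  A failing rule is reported but does not abort
# the script (as upstream), so the ruleset is never left half-built without
# a trace on stderr.
# Globals:   IPT (read)
# Arguments: $@ - iptables arguments
# Returns:   iptables' exit status
#######################################
ipt() {
  local rv=0
  "$IPT" "$@" || rv=$?
  if (( rv != 0 )); then
    printf 'firewall: warning: "%s %s" failed (status %d)\n' "$IPT" "$*" "$rv" >&2
  fi
  return "$rv"
}

#######################################
# Write a value to a /proc/sys/net/ipv4 key, skipping keys this kernel lacks
# instead of failing with a shell redirection error.
# Globals:   SYSCTL_ROOT (read)
# Arguments: $1 - key relative to /proc/sys/net/ipv4 (e.g. tcp_syncookies)
#            $2 - value to write
#######################################
sysctl_set() {
  local key=$1 value=$2
  local path="${SYSCTL_ROOT}/${key}"
  if [[ -w "$path" ]]; then
    printf '%s\n' "$value" > "$path"
  else
    printf 'firewall: warning: %s not writable, skipped\n' "$path" >&2
  fi
}

#######################################
# Flush and delete every rule and user chain this script manages.
# Upstream flushed only filter and nat; mangle is flushed as well because
# anti_ddos_rules() owns the PREROUTING rules it adds there and re-running
# the script would otherwise append a second copy of each of them.
#######################################
flush_tables() {
  local table
  ipt -F
  ipt -X
  for table in nat mangle; do
    ipt -t "$table" -F
    ipt -t "$table" -X
  done
}

#######################################
# Kernel-side hardening.  Upstream set these in two places (with one key
# written in both); they are consolidated here and written once.
#######################################
harden_kernel() {
  sysctl_set tcp_syncookies 1                     # SYN cookies against SYN floods
  sysctl_set icmp_echo_ignore_all 1               # do not answer ping
  sysctl_set icmp_echo_ignore_broadcasts 1        # no smurf amplification
  sysctl_set icmp_ignore_bogus_error_responses 1  # ignore bogus ICMP error replies
  sysctl_set conf/all/accept_redirects 0          # refuse ICMP redirects
  # Upstream wrote 1 here, which ENABLES acceptance of source-routed packets;
  # a hardening script wants them refused, so the value is 0.
  sysctl_set conf/all/accept_source_route 0
  sysctl_set conf/all/rp_filter 1                 # reverse-path (anti-spoof) filter
  sysctl_set conf/all/log_martians 1              # log packets with impossible sources
}

#######################################
# Default policies: deny everything that no rule accepts.
#######################################
set_policies() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    ipt -P "$chain" DROP
  done
}

#######################################
# Traffic monitoring.  Upstream logged every packet on all three chains with
# no limit, which floods the kernel log under exactly the traffic this script
# is meant to absorb; the LOG rules are now rate-limited and prefixed.
# Globals:   LOG_RATE (read)
#######################################
log_all_traffic() {
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    ipt -A "$chain" -m limit --limit "$LOG_RATE" --limit-burst 20 \
      -j LOG --log-prefix "[FW: ${chain}] "
  done
}

#######################################
# Loopback plus connection-tracking acceptance; outbound NEW is allowed so
# connections initiated by this host work under the OUTPUT DROP policy.
#######################################
allow_basics() {
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED,NEW -j ACCEPT
}

#######################################
# Exposed services.  The SSH brute-force throttle was appended by upstream
# AFTER the unconditional ACCEPT for port 22 and therefore never matched; it
# now runs first.  Its recent list is named SSH rather than the shared
# DEFAULT list so SSH attempts cannot trip the UDP throttles below.
# Globals:   SSH_PORT, SAMP_PORT (read)
#######################################
allow_services() {
  # SSH: record every new connection per source, drop at >=10 within 60 s.
  ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
    -m recent --set --name SSH --rsource
  ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
    -m recent --update --seconds 60 --hitcount 10 --name SSH --rsource -j DROP
  ipt -A INPUT -p tcp -m multiport --dports "$SSH_PORT" -j ACCEPT
  # SA-MP: unconditional accept (see the ordering note in the header).
  ipt -A INPUT -p udp -m multiport --dports "$SAMP_PORT" -j ACCEPT
}

#######################################
# Escalating blocklists: a source with 5 entries in the list is dropped for
# 1 h, with 10 entries for 24 h.  Entries are added by the SCANNER chain
# (SUSPEITO) and the SYN chain (SYN-DROP).
#######################################
blocklists() {
  local list
  for list in SUSPEITO SYN-DROP; do
    ipt -A INPUT -m recent --update --hitcount 10 --name "$list" --seconds 86400 -j DROP
    ipt -A INPUT -m recent --update --hitcount 5 --name "$list" --seconds 3600 -j DROP
  done
}

#######################################
# User chains SYN and SCANNER: log (rate-limited), add the source to the
# matching blocklist and drop.  Both chains end in an unconditional DROP.
#######################################
create_chains() {
  ipt -N SYN
  ipt -A SYN -m limit --limit 10/min --limit-burst 3 -j LOG --log-level warning --log-prefix "[SYN: DROP]"
  ipt -A SYN -m limit --limit 10/min --limit-burst 3 -m recent --set --name SYN-DROP -j DROP
  ipt -A SYN -m limit --limit 1/min --limit-burst 1 -j LOG --log-level warning --log-prefix "[SYN: FLOOD!]"
  ipt -A SYN -j DROP

  ipt -N SCANNER
  ipt -A SCANNER -m limit --limit 10/min --limit-burst 3 -j LOG --log-level warning --log-prefix "[SCANNER: DROP]"
  ipt -A SCANNER -m limit --limit 10/min --limit-burst 3 -m recent --set --name SUSPEITO -j DROP
  ipt -A SCANNER -m limit --limit 1/min --limit-burst 1 -j LOG --log-level warning --log-prefix "[SCANNER: FLOOD!]"
  ipt -A SCANNER -j DROP
}

#######################################
# Route unwanted SYNs and scanner-style flag combinations into the chains
# above.  Every NEW SYN not accepted by allow_services() ends up dropped here.
#######################################
block_rules() {
  local mask set
  # Leftover torrent packets after closing the client (replace 12300 with
  # your torrent port and uncomment).
  # ipt -A INPUT -p tcp --dport 12300 -j REJECT
  # ipt -A INPUT -p udp --dport 12300 -j DROP

  # Suspicious SYNs (not admitted above) go to the SYN chain.
  ipt -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j SYN

  # Flag combinations typical of scanners ("mask set" pairs).  Upstream listed
  # FIN,PSH,URG four times in different orders; iptables treats those as the
  # same match, so it appears once.
  while read -r mask set; do
    ipt -A INPUT -p tcp --tcp-flags "$mask" "$set" -j SCANNER
  done <<'EOF'
ALL NONE
ALL ALL
ALL ACK
ALL SYN,ACK
ALL FIN,PSH,URG
ALL FIN,SYN
ALL SYN,RST,ACK,FIN,URG
SYN,RST SYN,RST
SYN,FIN SYN,FIN
ALL FIN
EOF
}

#######################################
# Anti-DDoS ruleset adapted from javapipe: pre-routing sanity filters in the
# mangle table plus connection and rate limits in INPUT.
#######################################
anti_ddos_rules() {
  local mask set net
  ### 1: Drop invalid packets ###
  ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  ### 2: Drop TCP packets that are new and are not SYN ###
  ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  ### 3: Drop SYN packets with suspicious MSS value ###
  ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  ### 4: Block packets with bogus TCP flags ("mask set" pairs) ###
  while read -r mask set; do
    ipt -t mangle -A PREROUTING -p tcp --tcp-flags "$mask" "$set" -j DROP
  done <<'EOF'
FIN,SYN,RST,PSH,ACK,URG NONE
FIN,SYN FIN,SYN
SYN,RST SYN,RST
SYN,FIN SYN,FIN
FIN,RST FIN,RST
FIN,ACK FIN
ACK,URG URG
ACK,FIN FIN
ACK,PSH PSH
ALL ALL
ALL NONE
ALL FIN,PSH,URG
ALL SYN,FIN,PSH,URG
ALL SYN,RST,ACK,FIN,URG
EOF
  ### 5: Block spoofed packets ###
  # NOTE(review): this also drops RFC 1918 sources (10/8, 172.16/12,
  # 192.168/16).  If the host sits behind NAT or is administered from a LAN,
  # remove the relevant range or access is lost — confirm before deploying.
  for net in 224.0.0.0/3 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 \
             192.168.0.0/16 10.0.0.0/8 0.0.0.0/8 240.0.0.0/5; do
    ipt -t mangle -A PREROUTING -s "$net" -j DROP
  done
  ipt -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
  ### 6: Drop ICMP (you usually don't need this protocol) ###
  ipt -t mangle -A PREROUTING -p icmp -j DROP
  ### 7: Drop fragments in all chains ###
  ipt -t mangle -A PREROUTING -f -j DROP
  ### 8: Limit connections per source IP ###
  ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
  ### 9: Limit RST packets ###
  ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
  ### 10: Limit new TCP connections per second ###
  # Upstream described this as "per source IP", but -m limit is one global
  # token bucket; a per-source limit would need hashlimit with
  # --hashlimit-mode srcip.  The rule is kept as written.
  ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
  ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
  ### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
  # ipt -t raw -D PREROUTING -p tcp -m tcp --syn -j CT --notrack
  # ipt -D INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
  # ipt -D INPUT -m conntrack --ctstate INVALID -j DROP
}

#######################################
# Port-scanning chain as upstream defined it.  Nothing jumps to it from
# INPUT, so it has no effect until a `-j port-scanning` rule is added; it is
# kept for parity with the original ruleset.
#######################################
port_scanning_chain() {
  ipt -N port-scanning
  ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
  ipt -A port-scanning -j DROP
}

#######################################
# SA-MP protection rules (Blackaslan).  Most rules that match SAMP_PORT are
# shadowed by the ACCEPT in allow_services(); they are kept as upstream wrote
# them and annotated.  The duplicate copy of the bogus-flag mangle rules that
# upstream repeated here is omitted (anti_ddos_rules() already adds them).
# Globals:   SAMP_PORT, WAN_IF (read)
#######################################
samp_rules() {
  local chain
  # "getstatus" query flood: any short UDP packet records the source, then a
  # payload match on the probe drops sources above 5 hits/s.
  ipt -A INPUT -p udp -m length --length 1:1024 -m recent --set --name GetStatus
  ipt -A INPUT -p udp -m string --algo bm --hex-string "|ff ff ff ff 67 65 74 73 74 61 74 75 73|" \
    -m recent --update --seconds 1 --hitcount 5 --name GetStatus -j DROP

  # Shadowed for SAMP_PORT by allow_services().  These --set rules write the
  # DEFAULT recent list that the -I throttle below consults.
  ipt -A INPUT -p udp -m multiport --dports "$SAMP_PORT" -m length --length 39 -m recent --set -j ACCEPT
  ipt -A INPUT -p udp -m multiport --dports "$SAMP_PORT" -m length --length 43 -m recent --set -j ACCEPT
  ipt -A INPUT -p udp -m multiport --dports "$SAMP_PORT" -m recent --rcheck -j ACCEPT
  ipt -A OUTPUT -p udp -m multiport --dports "$SAMP_PORT" -j ACCEPT

  ipt -N SAMP-DDOS
  ipt -A INPUT -p udp -m multiport --dports "$SAMP_PORT" -m ttl --ttl-eq 128 -j SAMP-DDOS
  ipt -A SAMP-DDOS -p udp -m multiport --dports "$SAMP_PORT" -m length --length 17:604 -j DROP

  # SYN-flood chain; shadowed because block_rules() already sends every
  # unaccepted SYN to the SYN chain.
  ipt -N syn-flood
  ipt -A INPUT -i "$WAN_IF" -p tcp --syn -j syn-flood
  ipt -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
  ipt -A syn-flood -j DROP

  # RETURN in a built-in chain hands the packet to the chain policy (DROP):
  # the first 5 UDP packets/s reaching this point are dropped silently, the
  # excess is logged and continues down the chain.
  ipt -A INPUT -p udp -m limit --limit 5/s -j RETURN
  ipt -A INPUT -p udp -m limit --limit 5/s -j LOG
  ipt -A INPUT -p udp -m udp --sport 19 -j DROP   # chargen reflection

  # -I inserts at the HEAD of INPUT, ahead of the SAMP_PORT ACCEPT, so this is
  # the one per-port throttle that is not shadowed.  It reads the DEFAULT
  # list, which only the shadowed --set rules above and below populate.
  ipt -I INPUT -p udp -m multiport --dports "$SAMP_PORT" -i "$WAN_IF" -m conntrack --ctstate NEW \
    -m recent --update --seconds 30 --hitcount 10 -j DROP
  ipt -A INPUT -p udp -m udp -m multiport --dports "$SAMP_PORT" -m conntrack --ctstate NEW \
    -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --rsource -j DROP
  ipt -A INPUT -p udp -m udp -m multiport --dports "$SAMP_PORT" -m conntrack --ctstate NEW \
    -m recent --set --name DEFAULT --rsource
  # As written this drops the packets UNDER the 1/s limit; it is only safe
  # because the early ACCEPT shadows it.
  ipt -A INPUT -p udp -m multiport --dports "$SAMP_PORT" -m limit --limit 1/s --limit-burst 2 -j DROP

  # Per-query-type limiter chains; upstream never jumps to them from INPUT.
  for chain in LIMITSTAT LIMITINFO LIMITCHLG LIMITCONN; do
    ipt -N "$chain"
    ipt -A "$chain" -p udp -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
    ipt -A "$chain" -p udp -j DROP
  done

  # Per-source/port hashlimit for player traffic (shadowed by the early ACCEPT).
  ipt -N LIMITPLRS
  ipt -A LIMITPLRS -p udp -m hashlimit --hashlimit-name PLAYERS --hashlimit-above 70/sec \
    --hashlimit-burst 100 --hashlimit-mode srcip,srcport --hashlimit-htable-size 300 \
    --hashlimit-htable-max 300 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 10000 -j DROP
  ipt -A LIMITPLRS -p udp -j ACCEPT
  ipt -A INPUT -p udp -m multiport --dports "$SAMP_PORT" -j LIMITPLRS

  # ICMP flood chain; unreachable in practice because anti_ddos_rules() drops
  # all ICMP in mangle PREROUTING.
  ipt -N thyl-icmp-flood
  ipt -A INPUT -p icmp -j thyl-icmp-flood
  ipt -A thyl-icmp-flood -m limit --limit 4/s --limit-burst 8 -m comment --comment "Limit ICMP rate" -j RETURN
  ipt -A thyl-icmp-flood -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "Firewall>Probable icmp flood "
  ipt -A thyl-icmp-flood -m recent --name blacklist_180 --set -m comment --comment "Blacklist source IP" -j DROP
}

#######################################
# Tail of INPUT: drop invalid packets, then log, blocklist and drop anything
# that matched none of the rules above.  Must stay the last rules appended.
#######################################
final_rules() {
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  ipt -A INPUT -m recent --update --name SUSPEITO -m limit --limit 10/min --limit-burst 3 \
    -j LOG --log-level warning --log-prefix "[SUSPEITO]"
  ipt -A INPUT -m limit --limit 10/min --limit-burst 3 -m recent --set --name SUSPEITO -j DROP
  ipt -A INPUT -j DROP
}

#######################################
# Entry point: verify privileges and tooling, then build the ruleset in the
# same order upstream appended it (see the ordering note in the header).
#######################################
main() {
  (( EUID == 0 )) || die "must run as root"
  command -v "$IPT" >/dev/null 2>&1 || die "iptables binary not found: $IPT"

  flush_tables
  harden_kernel
  set_policies
  log_all_traffic
  allow_basics
  allow_services
  blocklists
  create_chains
  block_rules
  anti_ddos_rules
  port_scanning_chain
  samp_rules
  final_rules

  printf '%s\n' "Connect Host FIREWALL: Nossas Regras de Firewal Iptables Foram aplicadas! "
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi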