  1. #!/bin/bash
  2.  
  3. #SCRIPT FIREWALL Creditos a Edresson Casanova (LUKE, RDM(SA-MP forums) )
  4.  
  5. # limpando tabelas
  6. iptables -F
  7. iptables -X
  8. iptables -t nat -F
  9. iptables -t nat -X
  10.  
  11. # Ativando algumas coisas básicas do kernel
  12. echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Abilitar o uso de syncookies (muito útil para evitar SYN flood attacks)
  13. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # desabilita o "ping" (Mensagens ICMP) para sua máquina
  14. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Não aceite redirecionar pacotes ICMP
  15. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Ative a proteção contra respostas a mensagens de erro falsas
  16. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Evita a peste do Smurf Attack e alguns outros de redes locais
  17.  
  18.  
  19. # Configurando as políticas padrões
  20. iptables -P INPUT DROP
  21. iptables -P OUTPUT DROP
  22. iptables -P FORWARD DROP
  23.  
  24. # monitorando trafego
  25. iptables -A INPUT -j LOG
  26. iptables -A FORWARD -j LOG
  27. iptables -A OUTPUT -j LOG
  28.  
  29. # Permitindo loopback
  30. iptables -A INPUT -i lo -j ACCEPT
  31. iptables -A OUTPUT -o lo -j ACCEPT
  32.  
  33. # Permite o estabelecimento de novas conexões iniciadas por você
  34. iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  35. iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED,NEW -j ACCEPT
  36.  
  37.  
  38. # Liberando portas de serviços externos (descomente e altere conforme sua necessidade)
  39. iptables -A INPUT -p tcp -m multiport --dport 22 -j ACCEPT
  40. iptables -A INPUT -p udp -m multiport --dport 7894 -j ACCEPT
  41.  
  42. #--- Criando listas de bloqueios
  43.  
  44. # Descarta pacotes reincidentes/persistentes da lista SUSPEITO (caso tenha 5 entradas ficará 1H em DROP / caso tenha 10 ficará 24H em DROP)
  45. iptables -A INPUT -m recent --update --hitcount 10 --name SUSPEITO --seconds 86400 -j DROP
  46. iptables -A INPUT -m recent --update --hitcount 5 --name SUSPEITO --seconds 3600 -j DROP
  47.  
  48. # Descarta pacotes reincidentes/persistentes da lista SYN-DROP (caso tenha 5 entradas ficará 1H em DROP / caso tenha 10 ficará 24H em DROP)
  49. iptables -A INPUT -m recent --update --hitcount 10 --name SYN-DROP --seconds 86400 -j DROP
  50. iptables -A INPUT -m recent --update --hitcount 5 --name SYN-DROP --seconds 3600 -j DROP
  51.  
  52. #--- Criando CHAIN
  53.  
  54. # Cria a CHAIN "SYN"
  55. iptables -N SYN
  56. iptables -A SYN -m limit --limit 10/min --limit-burst 3 -j LOG --log-level warning --log-prefix "[SYN: DROP]"
  57. iptables -A SYN -m limit --limit 10/min --limit-burst 3 -m recent --set --name SYN-DROP -j DROP
  58. iptables -A SYN -m limit --limit 1/min --limit-burst 1 -j LOG --log-level warning --log-prefix "[SYN: FLOOD!]"
  59. iptables -A SYN -j DROP
  60.  
  61. # Cria a CHAIN "SCANNER"
  62. iptables -N SCANNER
  63. iptables -A SCANNER -m limit --limit 10/min --limit-burst 3 -j LOG --log-level warning --log-prefix "[SCANNER: DROP]"
  64. iptables -A SCANNER -m limit --limit 10/min --limit-burst 3 -m recent --set --name SUSPEITO -j DROP
  65. iptables -A SCANNER -m limit --limit 1/min --limit-burst 1 -j LOG --log-level warning --log-prefix "[SCANNER: FLOOD!]"
  66. iptables -A SCANNER -j DROP
  67.  
  68. #--- Bloqueios
  69.  
  70. # Rejeita os restos de pacotes após fechar o torrent (subistitua 12300 pela porta do seu torrent)
  71. # iptables -A INPUT -p tcp --dport 12300 -j REJECT
  72. # iptables -A INPUT -p udp --dport 12300 -j DROP
  73.  
  74. # Manda os pacotes SYN suspeitos (não liberados acima) para a chain "SYN"
  75. iptables -A INPUT -p tcp --syn -m state --state NEW -j SYN
  76.  
  77. # Adicionando regras para CHAIN "SCANNER"
  78. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j SCANNER
  79. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j SCANNER
  80. iptables -A INPUT -p tcp --tcp-flags ALL ACK -j SCANNER
  81. iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j SCANNER
  82. iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j SCANNER
  83. iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j SCANNER
  84. iptables -A INPUT -p tcp --tcp-flags ALL PSH,URG,FIN -j SCANNER
  85. iptables -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j SCANNER
  86. iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -j SCANNER
  87. iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j SCANNER
  88. iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j SCANNER
  89. iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j SCANNER
  90. iptables -A INPUT -p tcp --tcp-flags ALL FIN -j SCANNER
  91. # firewall anti ddos javapipe
  92. ### 1: Drop invalid packets ###
  93. /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  94.  
  95. ### 2: Drop TCP packets that are new and are not SYN ###
  96. /sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  97.  
  98. ### 3: Drop SYN packets with suspicious MSS value ###
  99. /sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
  100.  
  101. ### 4: Block packets with bogus TCP flags ###
  102. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  103. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  104. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  105. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  106. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  107. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  108. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  109. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
  110. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  111. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
  112. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  113. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  114. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
  115. /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  116.  
  117. ### 5: Block spoofed packets ###
  118. /sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
  119. /sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
  120. /sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
  121. /sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
  122. /sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
  123. /sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
  124. /sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
  125. /sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
  126. /sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
  127.  
  128. ### 6: Drop ICMP (you usually don't need this protocol) ###
  129. /sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP
  130.  
  131. ### 7: Drop fragments in all chains ###
  132. /sbin/iptables -t mangle -A PREROUTING -f -j DROP
  133.  
  134. ### 8: Limit connections per source IP ###
  135. /sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
  136.  
  137. ### 9: Limit RST packets ###
  138. /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  139. /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
  140.  
  141. ### 10: Limit new TCP connections per second per source IP ###
  142. /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
  143. /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
  144.  
  145. ### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
  146. #/sbin/iptables -t raw -D PREROUTING -p tcp -m tcp --syn -j CT --notrack
  147. #/sbin/iptables -D INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
  148. #/sbin/iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
  149.  
  150. # Regras extra anti- brute force
  151.  
  152. ### SSH brute-force protection ###
  153. /sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
  154. /sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
  155.  
  156. ### Protection against port scanning ###
  157. /sbin/iptables -N port-scanning
  158. /sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
  159. /sbin/iptables -A port-scanning -j DROP
  160.  
  161.  
  162. #regras Para Proteção SA-MP agradecimento a Blackaslan
  163.  
  164. echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
  165.  
  166. echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  167.  
  168. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  169.  
  170. echo "1" >/proc/sys/net/ipv4//conf/all/rp_filter
  171.  
  172. echo "1" >/proc/sys/net/ipv4/tcp_syncookies
  173.  
  174. echo "1" >/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  175.  
  176. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  177.  
  178. echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  179.  
  180.  
  181. iptables -A INPUT -p UDP -m length --length 1:1024 -m recent --set --name GetStatus
  182. iptables -A INPUT -p UDP -m string --algo bm --hex-string "|ff ff ff ff 67 65 74 73 74 61 74 75 73|" -m recent --update --seconds 1 --hitcount 5 --name GetStatus -j DROP
  183.  
  184.  
  185. iptables -A INPUT -p udp -m multiport --dport 7894 -m length --length 39 -m recent --set -j ACCEPT
  186. iptables -A INPUT -p udp -m multiport --dport 7894 -m length --length 43 -m recent --set -j ACCEPT
  187. iptables -A INPUT -p udp -m multiport --dport 7894 -m recent --rcheck -j ACCEPT
  188. iptables -A OUTPUT -p udp -m multiport --dport 7894 -j ACCEPT
  189.  
  190.  
  191. iptables -N SAMP-DDOS
  192. iptables -A INPUT -p udp -m multiport --dport 7894 -m ttl --ttl-eq=128 -j SAMP-DDOS
  193. iptables -A SAMP-DDOS -p udp -m multiport --dport 7894 -m length --length 17:604 -j DROP
  194.  
  195.  
  196. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  197. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  198. iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  199. iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  200. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  201. iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
  202. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
  203. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
  204. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
  205. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
  206. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
  207. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  208. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
  209. iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  210.  
  211.  
  212.  
  213. iptables -N syn-flood
  214. iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
  215. iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
  216. iptables -A syn-flood -j DROP
  217.  
  218.  
  219. iptables -A INPUT -p udp -m limit --limit 5/s -j RETURN
  220. iptables -A INPUT -p udp -m limit --limit 5/s -j LOG
  221.  
  222. iptables -A INPUT -p udp -m udp --sport 19 -j DROP
  223.  
  224. iptables -I INPUT -p udp -m multiport --dport 7894 -i eth0 -m state --state NEW -m recent \
  225. --update --seconds 30 --hitcount 10 -j DROP
  226.  
  227. iptables -A INPUT -p udp -m udp -m multiport --dport 7894 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --rsource -j DROP
  228. iptables -A INPUT -p udp -m udp -m multiport --dport 7894 -m state --state NEW -m recent --set --name DEFAULT --rsource
  229.  
  230. iptables -A INPUT -p udp -m multiport --dport 7894 -m limit --limit 1/s --limit-burst 2 -j DROP
  231.  
  232. iptables -N LIMITSTAT
  233. iptables -A LIMITSTAT -p udp -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
  234. iptables -A LIMITSTAT -p udp -j DROP
  235.  
  236. iptables -N LIMITINFO
  237. iptables -A LIMITINFO -p udp -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
  238. iptables -A LIMITINFO -p udp -j DROP
  239.  
  240. iptables -N LIMITCHLG
  241. iptables -A LIMITCHLG -p udp -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
  242. iptables -A LIMITCHLG -p udp -j DROP
  243.  
  244. iptables -N LIMITCONN
  245. iptables -A LIMITCONN -p udp -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
  246. iptables -A LIMITCONN -p udp -j DROP
  247.  
  248. iptables -N LIMITPLRS
  249. iptables -A LIMITPLRS -p udp -m hashlimit --hashlimit-name PLAYERS --hashlimit-above 70/sec --hashlimit-burst 100 --hashlimit-mode srcip,srcport --hashlimit-htable-size 300 --hashlimit-htable-max 300 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 10000 -j DROP
  250. iptables -A LIMITPLRS -p udp -j ACCEPT
  251.  
  252. iptables -A INPUT -p udp -m multiport --dport 7894 -j LIMITPLRS
  253.  
  254. iptables -N thyl-icmp-flood
  255.  
  256. iptables -A INPUT -p icmp -j thyl-icmp-flood
  257.  
  258. iptables -A thyl-icmp-flood -m limit --limit 4/s --limit-burst 8 -m comment --comment "Limit ICMP rate" -j RETURN
  259.  
  260. iptables -A thyl-icmp-flood -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "Firewall>Probable icmp flood "
  261.  
  262. iptables -A thyl-icmp-flood -m recent --name blacklist_180 --set -m comment --comment "Blacklist source IP" -j DROP
  263.  
  264.  
  265.  
  266.  
  267. # Descarta pacotes inválidos
  268. iptables -A INPUT -m state --state INVALID -j DROP
  269.  
  270. # Loga/Adiciona/Descarta hosts da lista "SUSPEITO" (cuja conexão não cumpre nenhuma das regras acima) {deixe como última regra!}
  271. iptables -A INPUT -m recent --update --name SUSPEITO -m limit --limit 10/min --limit-burst 3 -j LOG --log-level warning --log-prefix "[SUSPEITO]"
  272. iptables -A INPUT -m limit --limit 10/min --limit-burst 3 -m recent --set --name SUSPEITO -j DROP
  273. iptables -A INPUT -j DROP
  274.  
  275. #termina
  276. echo -n "Connect Host FIREWALL: Nossas Regras de Firewal Iptables Foram aplicadas! "
  277. echo
  278. sleep 1