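#!/bin/bash
# GTAXLnet firewall configuration for Excession (IPv4: iptables + ipset).
# Nothing in here is secret :p
# Last modified: April 20, 2016
#
# Approach: flush the filter table, keep the default policies at ACCEPT while
# the rule set is rebuilt (so a failure midway cannot lock us out), add the
# explicit ACCEPT rules, then flip INPUT/FORWARD to DROP as the last step.
#
# NOTE(review): IPv4 only. ip6tables is never touched, so if the host has a
# global IPv6 address none of these restrictions apply to it — verify.
# NOTE(review): nothing here persists the rules or the sets (iptables-save /
# ipset save); they are gone after a reboot unless this script is re-run.

set -u

readonly PUBLIC_IP=66.175.209.14
readonly PRIVATE_IP=192.168.176.23
readonly WAN_IF=eth0
readonly LIST_DIR=/root/firewall

# Sources allowed to reach the two restricted TCP services (57714 and 62269).
readonly -a ADMIN_SOURCES=(
  74.5.16.0/21
  23.226.237.5
  107.170.201.81
  46.101.56.25
  80.85.86.129
)

#######################################
# (Re)create an ipset hash:ip set and fill it from a text file.
# Lines starting with '#' and blank/whitespace-only lines are skipped; every
# other line is handed to `ipset add` unchanged (one address per line, no
# validation — a malformed line only produces an ipset error for that line).
# Arguments: $1 - set name, $2 - path to the address list
# Returns:   1 if the list file is unreadable (set is left empty), else 0
#######################################
load_set() {
  local set_name=$1 list_file=$2 entry
  # The filter table was flushed above, so the old set is no longer referenced
  # and destroy cannot fail for being "in use"; it only fails on the very first
  # run, when the set does not exist yet — hence the silenced stderr.
  ipset destroy "$set_name" 2>/dev/null
  # 'hash:ip' is the ipset 6 name for what older releases called 'iphash'.
  ipset create "$set_name" hash:ip
  if [[ ! -r "$list_file" ]]; then
    printf 'firewall: cannot read %s; set %s left empty\n' "$list_file" "$set_name" >&2
    return 1
  fi
  grep -Ev '^[[:space:]]*(#|$)' -- "$list_file" | while read -r entry; do
    # -exist: a duplicated line in the file is not an error
    ipset add -exist "$set_name" "$entry"
  done
}

iptables -F
iptables -X

# Stay open while rebuilding so a half-applied rule set cannot lock us out.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop what conntrack cannot classify, plus TCP flag combinations no normal
# stack sends (classic scanner probes).
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# A new TCP connection must begin with a SYN.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# SYN rate limit.
# NOTE(review): this limit is global, not per source. Once the box sees more
# than ~1 new TCP connection per second (burst 3) from anyone, every further
# SYN is dropped — including legitimate ones to 80/443. If a per-client limit
# was intended, -m hashlimit --hashlimit-mode srcip is the usual tool.
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

# SSH brute-force throttle: more than 8 new connections to port 22 from one
# source within 60 s are dropped.
# NOTE(review): no ACCEPT rule for port 22 follows and INPUT ends in DROP, so
# these two rules have no visible effect unless sshd listens on 22 and
# something else admits it — looks like dead code from an earlier layout; verify.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

# ICMP echo (rate limited; excess falls through to the DROP policy) and
# time-exceeded, plus the UDP port range used by traceroute probes.
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -m state --state NEW -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp -m state --state NEW --icmp-type 11 -j ACCEPT
iptables -A INPUT -p udp --dport 33434:33524 -m state --state NEW -m limit --limit 3/s --limit-burst 10 -j ACCEPT

# Address lists.
load_set uptimerobot "$LIST_DIR/uptimerobot.txt"
load_set tor "$LIST_DIR/tor.txt"   # NOTE(review): populated but no rule references it
load_set ddos "$LIST_DIR/ddos.txt"

# Block listed sources. This sits after the state and syn_flood rules, so only
# their new connections are refused and their SYNs still count against the
# global syn_flood budget.
iptables -A INPUT -i "$WAN_IF" -d "$PUBLIC_IP" -m set --match-set ddos src -j DROP

# Services open to the world.
for port in 80 443 4563 6667 6697; do
  iptables -A INPUT -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done

# Restricted services, management sources only.
for src in "${ADMIN_SOURCES[@]}"; do
  for port in 57714 62269; do
    iptables -A INPUT -i "$WAN_IF" -d "$PUBLIC_IP" -s "$src" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
done

# 8080: the 74.5.16.0/21 range plus the addresses in the uptimerobot set.
iptables -A INPUT -i "$WAN_IF" -d "$PUBLIC_IP" -s 74.5.16.0/21 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 8080 -m state --state NEW -m set --match-set uptimerobot src -j ACCEPT

# IRC on the private address as well.
for port in 6667 6697; do
  iptables -A INPUT -i "$WAN_IF" -d "$PRIVATE_IP" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done

# Everything not accepted above is dropped. OUTPUT is left at ACCEPT.
iptables -P INPUT DROP
iptables -P FORWARD DROP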