  1. #!/bin/bash
  2. #GTAXLnet Firewall Configuration for Excession, and no their is nothing secret about this :p
  3. #Last modified: April 20, 2016
  4. iptables -F
  5. iptables -X
  6. # Prevent ourselves from getting firewalled/dropped whilst the script executes
  7. iptables -P INPUT ACCEPT
  8. iptables -P OUTPUT ACCEPT
  9. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  10. iptables -A INPUT -i lo -j ACCEPT
  11. iptables -A OUTPUT -o lo -j ACCEPT
  12. # Drop Invalid Type Packets
  13. iptables -A INPUT -m state --state INVALID -j DROP
  14. iptables -A FORWARD -m state --state INVALID -j DROP
  15. iptables -A OUTPUT -m state --state INVALID -j DROP
  16. iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  17. iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
  18. # Prevent SYN Floods and piss of nmapers
  19. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  20. iptables -N syn_flood
  21. iptables -A INPUT -p tcp --syn -j syn_flood
  22. iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
  23. iptables -A syn_flood -j DROP
  24. # Prevent SSH brute force
  25. iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
  26. iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
  27. # Allow ICMP Ping and Traceroute
  28. iptables -A INPUT -m icmp -p icmp --icmp-type echo-request -m state --state NEW -m limit --limit 1/s --limit-burst 5 -j ACCEPT
  29. iptables -A INPUT -p icmp -m state --state NEW --icmp-type 11 -j ACCEPT
  30. # Allow UDP Traceroute
  31. iptables -A INPUT -p udp --dport 33434:33524 -m state --state NEW -m limit --limit 3/s --limit-burst 10 -j ACCEPT
  32. # Setup the ipset tables
  33. ipset destroy uptimerobot
  34. ipset destroy tor
  35. ipset destroy ddos
  36. ipset create uptimerobot iphash
  37. ipset create tor iphash
  38. ipset create ddos iphash
  39. cat /root/firewall/uptimerobot.txt |sed '/^#/d' |while read IP; do ipset add uptimerobot $IP; done
  40. cat /root/firewall/tor.txt |sed '/^#/d' |while read IP; do ipset add tor $IP; done
  41. cat /root/firewall/ddos.txt |sed '/^#/d' |while read IP; do ipset add ddos $IP; done
  42. iptables -A INPUT -i eth0 -d 66.175.209.14 -m set --match-set ddos src -j DROP
  43. # Allow the ports now
  44. iptables -A INPUT -i eth0 -d 66.175.209.14 -p tcp --dport 80 -m state --state NEW -j ACCEPT
  45. iptables -A INPUT -i eth0 -d 66.175.209.14 -p tcp --dport 443 -m state --state NEW -j ACCEPT
  46. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 74.5.16.0/21 -p tcp --dport 57714 -m state --state NEW -j ACCEPT
  47. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 23.226.237.5 -p tcp --dport 57714 -m state --state NEW -j ACCEPT
  48. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 107.170.201.81 -p tcp --dport 57714 -m state --state NEW -j ACCEPT
  49. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 46.101.56.25 -p tcp --dport 57714 -m state --state NEW -j ACCEPT
  50. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 80.85.86.129 -p tcp --dport 57714 -m state --state NEW -j ACCEPT
  51. iptables -A INPUT -i eth0 -d 66.175.209.14 -p tcp --dport 4563 -m state --state NEW -j ACCEPT
  52. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 74.5.16.0/21 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
  53. iptables -A INPUT -i eth0 -d 66.175.209.14 -p tcp --dport 8080 -m set --match-set uptimerobot src -j ACCEPT
  54. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 74.5.16.0/21 -p tcp --dport 62269 -m state --state NEW -j ACCEPT
  55. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 46.101.56.25 -p tcp --dport 62269 -m state --state NEW -j ACCEPT
  56. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 107.170.201.81 -p tcp --dport 62269 -m state --state NEW -j ACCEPT
  57. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 23.226.237.5 -p tcp --dport 62269 -m state --state NEW -j ACCEPT
  58. iptables -A INPUT -i eth0 -d 66.175.209.14 -s 80.85.86.129 -p tcp --dport 62269 -m state --state NEW -j ACCEPT
  59. iptables -A INPUT -i eth0 -d 66.175.209.14 -p tcp --dport 6667 -m state --state NEW -j ACCEPT
  60. iptables -A INPUT -i eth0 -d 66.175.209.14 -p tcp --dport 6697 -m state --state NEW -j ACCEPT
  61. iptables -A INPUT -i eth0 -d 192.168.176.23 -p tcp --dport 6667 -m state --state NEW -j ACCEPT
  62. iptables -A INPUT -i eth0 -d 192.168.176.23 -p tcp --dport 6697 -m state --state NEW -j ACCEPT
  63. # Drop everything else now..
  64. iptables -P INPUT DROP
  65. iptables -P FORWARD DROP