cat /usr/local/bin/shield-lockdown.fw
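#!/bin/bash
# Heres a bash script I made to stop SYN and other attacks on AVLS OXL-OLX server
#
# shield-lockdown.fw
#
# Tunes the IPv4 stack against SYN floods and spoofing, then loads the
# iptables ruleset (filter + mangle tables). Must run as root.
#
# Environment (all optional; defaults are the values the script used to
# hard-code):
#   IFACE     public interface used by the port-scan / SSH brute-force rules
#             (default: ens13)
#   SSH_PORT  port sshd listens on (default: 10222)
#   IPTABLES  iptables binary (default: /sbin/iptables)
#
# Policy summary: the INPUT and OUTPUT policies stay ACCEPT; the last two
# INPUT rules drop NEW tcp/udp that nothing above accepted. Anything that is
# not tcp/udp/icmp, and every already-established flow, is therefore
# admitted by the policy rather than by an explicit rule.
set -u

readonly IFACE=${IFACE:-ens13}
readonly SSH_PORT=${SSH_PORT:-10222}
readonly IPTABLES=${IPTABLES:-/sbin/iptables}

# Print a diagnostic to stderr.
warn() { printf 'shield-lockdown: %s\n' "$*" >&2; }

# Print a diagnostic to stderr and exit non-zero.
die() { warn "$@"; exit 1; }

#######################################
# Run one iptables command.
# A failing rule is reported but does not abort the run, so the remainder of
# the ruleset is still loaded (the original had no error handling at all;
# aborting half-way would leave the host with only part of the policy).
# Arguments: iptables arguments, passed through verbatim
#######################################
ipt() {
  "$IPTABLES" "$@" || warn "rule failed: $*"
}

#######################################
# Write a value to a /proc/sys entry if the kernel exposes it.
# Arguments: $1 - full /proc/sys path
#            $2 - value to write
# Outputs:   warning on stderr when the entry is absent or unwritable
#######################################
set_sysctl() {
  local path=$1 value=$2
  if [[ -w "$path" ]]; then
    printf '%s\n' "$value" > "$path" || warn "could not write $path"
  else
    # e.g. tcp_tw_recycle on kernels that no longer have it, or
    # nf_conntrack_max before the nf_conntrack module is loaded.
    warn "skipping $path: not present or not writable"
  fi
}

#######################################
# Kernel TCP/ICMP tuning to shorten the window a flood can hold resources.
# The trailing comments record the kernel defaults noted by the original
# author.
#######################################
tune_kernel() {
  local f
  printf 'Setting kernel tcp parameters to reduct DoS effects\n'
  set_sysctl /proc/sys/net/ipv4/tcp_fin_timeout 30          # default 60
  set_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 1800     # default 7200
  set_sysctl /proc/sys/net/ipv4/tcp_window_scaling 1        # default on
  set_sysctl /proc/sys/net/ipv4/tcp_sack 0                  # default on (turned off by the original author)
  set_sysctl /proc/sys/net/ipv4/tcp_max_syn_backlog 1024    # default 2048

  # Anti-spoofing: reverse-path filtering on every interface.
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    set_sysctl "$f" 1
  done
  # Refuse source-routed packets on every interface.
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    set_sysctl "$f" 0
  done

  printf 'SYN COOKIES Settings\n'
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  # ICMP redirects let an on-link host alter this machine's routing table.
  # The original wrote 1 here, which contradicts the surrounding hardening;
  # 0 is the intended (and standard) value.
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0
  set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1
  set_sysctl /proc/sys/net/ipv4/tcp_syn_retries 3           # default 5
  set_sysctl /proc/sys/net/ipv4/tcp_synack_retries 3        # default 5
  # tcp_tw_recycle was removed in Linux 4.12 (it broke clients behind NAT);
  # set_sysctl skips it on kernels where it is absent.
  set_sysctl /proc/sys/net/ipv4/tcp_tw_recycle 1            # default off
  set_sysctl /proc/sys/net/ipv4/tcp_tw_reuse 1              # default off

  # Connection-tracking table size. Only present once nf_conntrack is
  # loaded (the original had "modprobe ip_tables / ip_conntrack" commented
  # out), otherwise it is skipped with a warning.
  set_sysctl /proc/sys/net/nf_conntrack_max 1048560
}

#######################################
# Set default policies and flush everything previously loaded.
# Policies are set to ACCEPT *before* the flush so a remote operator is not
# locked out while the ruleset is rebuilt. The nat table is not flushed,
# as in the original.
#######################################
reset_tables() {
  ipt -P INPUT ACCEPT
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD DROP
  ipt -F
  ipt -F -t mangle
  ipt -F -t raw
  ipt -X
}

#######################################
# User chain that rate-limits incoming SYNs: under the limit RETURN to the
# caller; above it, log (itself rate-limited so a flood cannot fill the
# disk) and drop.
# The original created this chain but never jumped to it from INPUT, so it
# was dead code; input_sanity_rules() now sends every SYN through it.
#######################################
build_syn_flood_chain() {
  ipt -N syn-flood
  ipt -A syn-flood -m limit --limit 1000/second --limit-burst 1250 -j RETURN
  ipt -A syn-flood -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "SYN flood: "
  ipt -A syn-flood -j DROP
}

#######################################
# Loopback, anti-spoof and malformed-TCP rules on INPUT, then the SYN limiter.
#######################################
input_sanity_rules() {
  ipt -A INPUT -i lo -j ACCEPT
  # Loopback-destined packets arriving on any other interface are spoofed.
  ipt -A INPUT -d 127.0.0.0/8 -j REJECT
  # A NEW connection cannot legitimately begin with SYN+ACK.
  ipt -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
  # NEW connections must begin with a SYN.
  ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  ipt -A INPUT -m state --state INVALID -j DROP
  # NULL (no flags) and all-flags packets.
  ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  # Hand every incoming SYN to the limiter built by build_syn_flood_chain().
  ipt -A INPUT -p tcp --syn -j syn-flood
}

#######################################
# "Port scan protection" via the recent match.
# NOTE(review): these rules are on FORWARD, whose policy is DROP, so they
# only see routed traffic and do nothing for connections to this host. They
# are kept on FORWARD as in the original; moving them to INPUT with a
# 10-hits / 30 s threshold would also throttle ordinary web clients, which
# open several connections at once, so the threshold needs confirming first.
#######################################
port_scan_rules() {
  printf 'Port Scan protection is enabling.......\n'
  ipt -A FORWARD -p tcp -i "$IFACE" -m state --state NEW -m recent --set
  ipt -A FORWARD -p tcp -i "$IFACE" -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
}

#######################################
# mangle/PREROUTING: pass web traffic untouched, drop Windows networking
# ports and a fixed port list, drop impossible TCP flag combinations and one
# blocklisted network. PREROUTING sees routed traffic as well as INPUT.
#######################################
mangle_rules() {
  local proto pair mask comp
  local -r ports=445,1433,1434,2002,4156,1978,27444,10100,1812,10064,389,6346
  # mask / compare pairs that never occur in legitimate TCP.
  local -a bad_flags=(
    'ALL NONE'
    'SYN,FIN SYN,FIN'
    'SYN,RST SYN,RST'
    'ALL SYN,RST,ACK,FIN,URG'
    'FIN,RST FIN,RST'
    'ACK,FIN FIN'
    'ACK,PSH PSH'
    'ACK,URG URG'
  )

  ipt -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j ACCEPT
  ipt -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
  for proto in tcp udp; do
    ipt -t mangle -A PREROUTING -p "$proto" -m "$proto" --dport 135:139 -j DROP
    ipt -t mangle -A PREROUTING -p "$proto" -m "$proto" --dport 445 -j DROP
    ipt -t mangle -A PREROUTING -p "$proto" -m multiport --ports "$ports" -j DROP
  done
  ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
  for pair in "${bad_flags[@]}"; do
    read -r mask comp <<<"$pair"
    ipt -t mangle -A PREROUTING -p tcp --tcp-flags "$mask" "$comp" -j DROP
  done
  ipt -t mangle -A PREROUTING -s 202.96.99.0/24 -j DROP
}

#######################################
# ICMP: rate-limited accept inbound, everything else dropped; outbound open.
#######################################
icmp_rules() {
  printf 'ICMP Protection is Enabling\n'
  ipt -A INPUT -p icmp -m limit --limit 10/s --limit-burst 15 -j ACCEPT
  #ipt -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
  ipt -A INPUT -p icmp -j DROP
  ipt -A OUTPUT -p icmp -j ACCEPT
}

#######################################
# DNS over UDP: rate-limited accept, remainder dropped.
# (The original had a stray "-" line here that bash reported as
# "command not found".)
#######################################
dns_rules() {
  ipt -A INPUT -p udp --dport 53 -m limit --limit 200/second --limit-burst 400 -j ACCEPT
  ipt -A INPUT -p udp --dport 53 -j DROP
}

#######################################
# SSH: allow-listed sources, then brute-force throttling, then open access.
# NOTE(review): the final rule accepts NEW SSH from any source, so the
# allow-list above it only matters if the commented-out DROP is re-enabled.
# As written, SSH is reachable from anywhere, limited to 8 NEW connections
# per source per 60 s on $IFACE.
#######################################
ssh_rules() {
  local src
  local -a allowed=(
    210.4.64.0/24
    210.4.77.0/24
    210.4.66.154/32
    114.31.8.210/32
    119.40.93.10/32
    119.40.80.98/32
    5.189.161.189/32
  )

  # FIX_IP_START_SSHD
  for src in "${allowed[@]}"; do
    ipt -A INPUT -s "$src" -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
  done
  #ipt -A INPUT -s 185.246.241.193/32 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
  #ipt -A INPUT -p tcp -m tcp --dport "$SSH_PORT" -j DROP
  # FIX_IP_END_SSHD

  # Brute-force protection: remember each source's NEW SSH attempts and drop
  # the 8th and later within 60 s.
  ipt -A INPUT -i "$IFACE" -p tcp -m tcp --dport "$SSH_PORT" -m state --state NEW -m recent --set --name ssh --rsource
  ipt -A INPUT -i "$IFACE" -p tcp -m tcp --dport "$SSH_PORT" -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name ssh --rsource -j DROP

  ipt -A INPUT -p tcp -m tcp --dport "$SSH_PORT" --syn -m state --state NEW -j ACCEPT
}

#######################################
# Public web services, and MySQL restricted to local clients.
# (The original also had a NEW-only accept for 443 ahead of the SSH accept;
# it was redundant with the unconditional 443 accept below and is dropped.)
#######################################
service_rules() {
  ipt -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
  ipt -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  # MySQL: local clients only.
  ipt -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 3306 -j ACCEPT
  #ipt -A INPUT -s 182.16.159.130/32 -p tcp -m tcp --dport 3306 -j ACCEPT
  ipt -A INPUT -p tcp -m tcp --dport 3306 -j DROP
}

#######################################
# Drop any NEW tcp/udp connection no rule above accepted.
#######################################
final_drop_rules() {
  ipt -A INPUT -p udp -m state --state NEW -m udp -j DROP
  ipt -A INPUT -p tcp -m state --state NEW -m tcp -j DROP
}

#######################################
# Entry point: preconditions, kernel tuning, then the ruleset in the order
# the original loaded it.
#######################################
main() {
  [[ $EUID -eq 0 ]] || die "must run as root"
  [[ -x "$IPTABLES" ]] || die "iptables not found at $IPTABLES"

  # Removes /root/.dyn* at every run. NOTE(review): what creates these files
  # is not visible here — confirm before relying on or removing this line.
  # The glob is intentionally unquoted.
  /bin/rm -f /root/.dyn*

  tune_kernel
  reset_tables
  build_syn_flood_chain
  input_sanity_rules
  port_scan_rules
  mangle_rules
  icmp_rules
  dns_rules
  ssh_rules
  service_rules
  final_drop_rules
  printf 'Firewall rule is implemented...\n'
}

main "$@"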