iptables_shield
  • cat /usr/local/bin/shield-lockdown.fw
  • # Heres a bash script I made to stop SYN and other attacks on AVLS OXL-OLX server
  • #
  • #!/bin/bash
  • #
  • #PRINT= `ifconfig ens13 | fgrep -i inet | cut -d : -f 2 | cut -d \ -f 1`
  • #echo Primary Interface: $PRINT
  • #
  • #/sbin/modprobe ip_tables
  • #/sbin/modprobe ip_conntrack
  • /bin/rm -f /root/.dyn*
  • echo “Setting kernel tcp parameters to reduct DoS effects”
  • #Reduce DoS'ing ability by reducing timeouts
  • echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout # Default value 60
  • echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time # Default value 7200
  • echo 1 > /proc/sys/net/ipv4/tcp_window_scaling # default is ON
  • echo 0 > /proc/sys/net/ipv4/tcp_sack # Default is ON
  • echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog # Default is 2048
  • # ANTISPOOFING
  • for a in /proc/sys/net/ipv4/conf/*/rp_filter;
  • do
  • echo 1 > $a
  • done
  • ##
  • # NO SOURCE ROUTE
  • for z in /proc/sys/net/ipv4/conf/*/accept_source_route;
  • do
  • echo 0 > $z
  • done
  • echo “SYN COOKIES Settings”
  • #SYN COOKIES
  • echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  • echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  • echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  • echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
  • echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  • echo 3 > /proc/sys/net/ipv4/tcp_syn_retries ###default 5
  • echo 3 > /proc/sys/net/ipv4/tcp_synack_retries ###default 5
  • echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle ### default disable
  • echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse ### default disable
  • # NUMBER OF CONNECTIONS TO TRACK
  • echo “1048560” > /proc/sys/net/nf_conntrack_max
  • # Set default policies
  • #
  • IPTABLES=“/sbin/iptables”
  • #
  • $IPTABLES -P INPUT ACCEPT
  • $IPTABLES -P OUTPUT ACCEPT
  • $IPTABLES -P FORWARD DROP
  • #
  • $IPTABLES -F
  • $IPTABLES -F -t mangle
  • $IPTABLES -F -t raw
  • #
  • $IPTABLES -X
  • #
  • $IPTABLES -N syn-flood
  • #
  • # SYN-FLOOD RULES
  • $IPTABLES -A syn-flood -m limit –limit 1000/second –limit-burst 1250 -j RETURN
  • $IPTABLES -A syn-flood -j LOG –log-prefix “SYN flood: ”
  • $IPTABLES -A syn-flood -j DROP
  • #
  • $IPTABLES -A INPUT -i lo -j ACCEPT
  • $IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
  • $IPTABLES -A INPUT -p tcp –tcp-flags SYN,ACK SYN,ACK -m state –state NEW -j REJECT –reject-with tcp-reset
  • $IPTABLES -A INPUT -p tcp ! –syn -m state –state NEW -j DROP
  • $IPTABLES -A INPUT -m state –state INVALID -j DROP
  • #######################
  • # Drop all Incoming malformed NULL packets:
  • #
  • $IPTABLES -A INPUT -p tcp –tcp-flags ALL NONE -j DROP
  • $IPTABLES -A INPUT -p tcp –tcp-flags ALL ALL -j DROP
  • #
  • echo “Port Scan protection is enabling…….”
  • #
  • # NMAP (Port SCAN Protection)
  • #
  • $IPTABLES -A FORWARD -p tcp -i ens13 -m state –state NEW -m recent –set
  • $IPTABLES -A FORWARD -p tcp -i ens13 -m state –state NEW -m recent –update –seconds 30 –hitcount 10 -j DROP
  • #######################
  • # For mangle
  • $IPTABLES -t mangle -A PREROUTING -p tcp -m tcp –dport 80 -j ACCEPT
  • $IPTABLES -t mangle -A PREROUTING -p tcp -m tcp –dport 443 -j ACCEPT
  • $IPTABLES -t mangle -A PREROUTING -p tcp -m tcp –dport 135:139 -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p udp -m udp –dport 135:139 -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp -m tcp –dport 445 -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p udp -m udp –dport 445 -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp -m multiport –ports 445,1433,1434,2002,4156,1978,27444,10100,1812,10064,389,6346 -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p udp -m multiport –ports 445,1433,1434,2002,4156,1978,27444,10100,1812,10064,389,6346 -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags SYN,ACK SYN,ACK -m state –state NEW -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL NONE -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags FIN,RST FIN,RST -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ACK,FIN FIN -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ACK,PSH PSH -j DROP
  • $IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ACK,URG URG -j DROP
  • $IPTABLES -t mangle -A PREROUTING -s 202.96.99.0/24 -j DROP
  • #############
  • echo “ICMP Protection is Enabling”
  • #
  • # ICMP protection
  • #
  • $IPTABLES -A INPUT -p icmp -m limit –limit 10/s –limit-burst 15 -j ACCEPT
  • #$IPTABLES -A INPUT -p icmp -m limit –limit 1/s –limit-burst 1 -j LOG –log-prefix PING-DROP:
  • $IPTABLES -A INPUT -p icmp -j DROP
  • $IPTABLES -A OUTPUT -p icmp -j ACCEPT
  • #
  • ##
  • # For DNS Flooding..
  • #
  • $IPTABLES -A INPUT -p udp –dport 53 -m limit –limit 200/second –limit-burst 400 -j ACCEPT
  • $IPTABLES -A INPUT -p udp –dport 53 -j DROP
  • ####################
  • ## FIX_IP_START_SSHD
  • $IPTABLES -A INPUT -s 210.4.64.0/24 -p tcp -m tcp –dport 10222 -j ACCEPT
  • $IPTABLES -A INPUT -s 210.4.77.0/24 -p tcp -m tcp –dport 10222 -j ACCEPT
  • $IPTABLES -A INPUT -s 210.4.66.154/32 -p tcp -m tcp –dport 10222 -j ACCEPT
  • $IPTABLES -A INPUT -s 114.31.8.210/32 -p tcp -m tcp –dport 10222 -j ACCEPT
  • $IPTABLES -A INPUT -s 119.40.93.10/32 -p tcp -m tcp –dport 10222 -j ACCEPT
  • $IPTABLES -A INPUT -s 119.40.80.98/32 -p tcp -m tcp –dport 10222 -j ACCEPT
  • $IPTABLES -A INPUT -s 5.189.161.189/32 -p tcp -m tcp –dport 10222 -j ACCEPT
  • #$IPTABLES -A INPUT -s 185.246.241.193/32 -p tcp -m tcp –dport 10222 -j ACCEPT
  • #$IPTABLES -A INPUT -p tcp -m tcp –dport 10222 -j DROP
  • #### FIX_IP_END_SSHD
  • ##
  • # For SSH Connections (Brute protection)
  • #
  • $IPTABLES -A INPUT -i ens13 -p tcp -m tcp –dport 10222 -m state –state NEW -m recent –set –name ssh –rsource
  • $IPTABLES -A INPUT -i ens13 -p tcp -m tcp –dport 10222 -m state –state NEW -m recent –update –seconds 60 –hitcount 8 –rttl –name ssh –rsource -j DROP
  • ######
  • #
  • $IPTABLES -A INPUT -p tcp -m state –state NEW -m tcp –dport 443 -j ACCEPT
  • $IPTABLES -A INPUT -p tcp -m tcp –dport 10222 –syn -m state –state NEW -j ACCEPT
  • #
  • ### PORT Allow and Deny
  • $IPTABLES -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT
  • $IPTABLES -A INPUT -p tcp -m tcp –dport 443 -j ACCEPT
  • ##### End the Default PORT ##############
  • #
  • # For MySql
  • $IPTABLES -A INPUT -s 127.0.0.1 -p tcp -m tcp –dport 3306 -j ACCEPT
  • #$IPTABLES -A INPUT -s 182.16.159.130/32 -p tcp -m tcp –dport 3306 -j ACCEPT
  • $IPTABLES -A INPUT -p tcp -m tcp –dport 3306 -j DROP
  • ##
  • ## DROP Rest of Everything
  • #
  • $IPTABLES -A INPUT -p udp -m state –state NEW -m udp -j DROP
  • $IPTABLES -A INPUT -p tcp -m state –state NEW -m tcp -j DROP
  • #
  • #
  • echo “Firewall rule is implemented…”