iptables_shield
- cat /usr/local/bin/shield-lockdown.fw
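#!/bin/bash
#
# shield-lockdown.fw - host firewall for the AVLS OXL-OLX server.
#
# Tightens kernel TCP/ICMP sysctls against SYN floods and spoofing, then
# installs an iptables ruleset that exposes HTTP/HTTPS to the world, SSH on
# 10222 (brute-force throttled), rate-limited ICMP and UDP DNS, MySQL on
# loopback only, and drops every other new connection. Must run as root.
#
# IPv4 ONLY: ip6tables is never touched. If IPv6 is enabled on this host the
# whole ruleset is bypassed over v6 - disable IPv6 or mirror these rules with
# ip6tables.
#
# Changes from the previous revision of this file:
#  - the shebang was on line 3 and therefore ignored; it is now line 1
#  - net.ipv4.conf.all.accept_redirects was being set to 1 (enabled); it is now 0
#  - tcp_tw_recycle is dropped: removed in Linux 4.12, and on older kernels it
#    breaks clients behind NAT
#  - the syn-flood chain was created but nothing jumped to it; INPUT now uses it
#  - the port-scan "recent" rules were in FORWARD (policy DROP, host does not
#    route) and never matched; they are now in INPUT and only count hits on
#    closed ports, so a browser opening many connections to 80/443 is not flagged
#  - the early mangle ACCEPTs for 80/443 made the bogus-flag drops skip exactly
#    the public ports; they are gone (mangle policy is ACCEPT anyway)
#  - multiport --ports matched source OR destination port; --dports is used
#  - the unthrottled LOG in syn-flood could itself flood syslog; it is limited
#  - ESTABLISHED,RELATED is accepted explicitly so ICMP errors for our own
#    flows (PMTU discovery) are not eaten by the ICMP rate limit
#  - curly quotes / en-dashes from the wiki paste are restored to ASCII
#    (the old IPTABLES="..." with curly quotes could never have run)

set -u

IFACE="ens13"                  # public interface
IPTABLES="/sbin/iptables"
SSH_PORT=10222

# Sources that reach SSH ahead of the brute-force throttle.
SSH_TRUSTED=(
  210.4.64.0/24
  210.4.77.0/24
  210.4.66.154/32
  114.31.8.210/32
  119.40.93.10/32
  119.40.80.98/32
  5.189.161.189/32
)

# Networks dropped outright in mangle/PREROUTING.
BLOCKED_NETS=(
  202.96.99.0/24
)

# Destination ports that must never be reachable (NetBIOS/SMB, MSSQL, LDAP,
# RADIUS, gnutella, ...). multiport allows 15 entries; a range counts as 2.
BLOCKED_PORTS="135:139,445,1433,1434,2002,4156,1978,27444,10100,1812,10064,389,6346"

#######################################
# Write a sysctl through /proc, warning instead of aborting when the running
# kernel does not have the tunable, so one missing file never leaves the host
# without firewall rules.
# Arguments: $1 - path relative to /proc/sys (e.g. net/ipv4/tcp_syncookies)
#            $2 - value to write
#######################################
set_sysctl() {
  local path="/proc/sys/$1" value="$2"
  if [[ -e "$path" ]]; then
    echo "$value" > "$path"
  else
    printf 'warning: %s not present on this kernel, skipped\n' "$path" >&2
  fi
}

# Kept from the original script; its purpose is not recorded anywhere.
# TODO(review): confirm what /root/.dyn* is and whether this is still needed.
/bin/rm -f /root/.dyn*

# conntrack has to be loaded before nf_conntrack_max exists and before the
# first "-m state" rule. Silently fine if the module is built in.
/sbin/modprobe nf_conntrack 2>/dev/null || true

echo "Setting kernel tcp parameters to reduce DoS effects"
# Shorter timeouts so half-dead connections release resources sooner.
set_sysctl net/ipv4/tcp_fin_timeout 30        # default 60
set_sysctl net/ipv4/tcp_keepalive_time 1800   # default 7200
set_sysctl net/ipv4/tcp_window_scaling 1      # default on
# NOTE(review): disabling SACK costs throughput on lossy paths and has no
# current security benefit; kept as the author set it - reconsider.
set_sysctl net/ipv4/tcp_sack 0                # default on
# NOTE(review): this LOWERS the SYN backlog (default 2048), i.e. less capacity
# under a flood; syncookies below are the actual defence - reconsider.
set_sysctl net/ipv4/tcp_max_syn_backlog 1024

# Anti-spoofing: reverse-path filtering on every interface ...
for rp in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$rp"
done
# ... and no source-routed packets.
for sr in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$sr"
done

echo "SYN COOKIES Settings"
set_sysctl net/ipv4/tcp_syncookies 1
set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1       # don't act as a smurf amplifier
set_sysctl net/ipv4/icmp_ignore_bogus_error_responses 1
# ICMP redirects let an on-link attacker rewrite our routing table; the
# previous revision enabled them (1) by mistake.
set_sysctl net/ipv4/conf/all/accept_redirects 0
set_sysctl net/ipv4/conf/all/log_martians 1             # log what rp_filter rejects
set_sysctl net/ipv4/tcp_syn_retries 3                    # default 5
set_sysctl net/ipv4/tcp_synack_retries 3                 # default 5
# tcp_tw_recycle deliberately omitted (see header). tw_reuse is safe.
set_sysctl net/ipv4/tcp_tw_reuse 1
# Number of connections to track.
set_sysctl net/nf_conntrack_max 1048560

# Default policies. INPUT stays ACCEPT as before: the catch-all DROPs at the
# end cover every NEW tcp/udp connection, and since ESTABLISHED,RELATED is now
# accepted explicitly, flipping INPUT to DROP later only requires listing the
# non-tcp/udp protocols this host relies on (if any) first.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Flush. The host is unfiltered between here and the rules below; the nat
# table is intentionally left alone (this script never populates it).
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t raw
$IPTABLES -X

# Global SYN budget ("-m limit" is not per-source): 1000 SYN/s with a burst
# of 1250 pass (RETURN); the excess is logged at most 5 times a minute and
# dropped.
$IPTABLES -N syn-flood
$IPTABLES -A syn-flood -m limit --limit 1000/second --limit-burst 1250 -j RETURN
$IPTABLES -A syn-flood -m limit --limit 5/minute -j LOG --log-prefix "SYN flood: "
$IPTABLES -A syn-flood -j DROP

$IPTABLES -A INPUT -i lo -j ACCEPT
# Loopback addresses arriving on a real interface are spoofed.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
# Replies to traffic this host started, including ICMP errors for its own
# flows, before any rate limit or DROP below can discard them.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# A NEW connection must begin with a bare SYN.
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Malformed NULL / all-flags packets.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Every new TCP connection is metered by the syn-flood chain.
$IPTABLES -A INPUT -p tcp --syn -m state --state NEW -j syn-flood

echo "Port Scan protection is enabling......."
# A source that hit 10 closed TCP ports within 30 s (recorded by the catch-all
# at the end) loses all new TCP access until 30 s after its last attempt.
$IPTABLES -A INPUT -i "$IFACE" -p tcp -m state --state NEW -m recent --name portscan --rsource --update --seconds 30 --hitcount 10 -j DROP

# mangle/PREROUTING: early drops that apply to every port, no exemptions.
for net in "${BLOCKED_NETS[@]}"; do
  $IPTABLES -t mangle -A PREROUTING -s "$net" -j DROP
done
# --dports matches the destination port only. The previous --ports also
# matched the SOURCE port, which would discard inbound packets from a remote
# peer that happens to use one of these as its source port.
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --dports "$BLOCKED_PORTS" -j DROP
$IPTABLES -t mangle -A PREROUTING -p udp -m multiport --dports "$BLOCKED_PORTS" -j DROP
# Bogus flag combinations (NULL, XMAS, SYN/FIN, SYN/RST, FIN-only scans ...).
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP

echo "ICMP Protection is Enabling"
# At most 10 ICMP/s (burst 15) in total; the rest is dropped. Errors for our
# own connections were already accepted as RELATED above.
$IPTABLES -A INPUT -p icmp -m limit --limit 10/s --limit-burst 15 -j ACCEPT
#$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
$IPTABLES -A INPUT -p icmp -j DROP
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

# UDP DNS, rate-limited. Keep only if this host really serves DNS to the
# Internet - an open resolver is a reflection/amplification source. TCP/53 is
# not opened, so truncated-response fallback will fail.
# TODO(review): confirm this host is an authoritative/recursive DNS server.
$IPTABLES -A INPUT -p udp --dport 53 -m limit --limit 200/second --limit-burst 400 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j DROP

## FIX_IP_START_SSHD
# Trusted sources reach SSH before the throttle. NOTE: SSH is still accepted
# from anywhere (throttled) further down, so this list only exempts these
# addresses from the rate limit. Uncomment the DROP to turn it into a real
# allow-list.
for src in "${SSH_TRUSTED[@]}"; do
  $IPTABLES -A INPUT -s "$src" -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
done
#$IPTABLES -A INPUT -s 185.246.241.193/32 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m tcp --dport "$SSH_PORT" -j DROP
#### FIX_IP_END_SSHD

# SSH brute-force throttle: more than 8 new connections from one source
# within 60 s are dropped. --rttl only counts packets whose TTL matches the
# first one seen, so spoofed SYNs cannot easily lock out a third party.
$IPTABLES -A INPUT -i "$IFACE" -p tcp -m tcp --dport "$SSH_PORT" -m state --state NEW -m recent --set --name ssh --rsource
$IPTABLES -A INPUT -i "$IFACE" -p tcp -m tcp --dport "$SSH_PORT" -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name ssh --rsource -j DROP
$IPTABLES -A INPUT -p tcp -m tcp --dport "$SSH_PORT" --syn -m state --state NEW -j ACCEPT

### Public services
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# MySQL: loopback only. Loopback is already accepted wholesale above; the
# 127.0.0.1 rule is kept so the intent is visible in "iptables -L".
$IPTABLES -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 3306 -j ACCEPT
#$IPTABLES -A INPUT -s 182.16.159.130/32 -p tcp -m tcp --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 3306 -j DROP

## Catch-all: any NEW connection that got this far is to a closed port. TCP
## attempts are recorded for the port-scan detector ("--set" always matches)
## and dropped; UDP is just dropped.
$IPTABLES -A INPUT -p tcp -m state --state NEW -m recent --name portscan --rsource --set -j DROP
$IPTABLES -A INPUT -p udp -m state --state NEW -m udp -j DROP

echo "Firewall rule is implemented..."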