anywebs script - anyweb - 2005-07-04
here it is
feel free to copy/play with
lines with a # in front of them are ignored (they are comments). Interesting to note that ssh is listening on port 234 and we are using iptables to limit the number of new connections to that port per minute (a single, global limit, not a per-source one)
cheers
anyweb
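#!/bin/bash
# anyweb's host firewall: default-deny INPUT, a short host whitelist,
# HTTP open to everyone, and SSH (listening on port 234) rate-limited.
# Running the script again re-initialises the rule set from scratch.
#
# NOTE: no 'set -e' on purpose -- a failed iptables call must not abort
# the script half-way through, because INPUT is already set to DROP by
# then and a partial rule set would lock the admin out.

# Enable packet forwarding for vpn work
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush old rules on re-init
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Default policies. FORWARD is closed as well so that uncommenting
# ip_forward above does not silently turn the box into an open router;
# add explicit FORWARD rules for the VPN when that is needed.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Dropped hosts. These must come before the ACCEPT rules below --
# appended after them they would never see the traffic the ACCEPTs
# already let through (HTTP from the blocked host, for instance).
#iptables -A INPUT -s 207.46.98.0/24 -j DROP # Ms search bot
#iptables -A INPUT -s 70.25.150.84 -j DROP # samurai and jo

# Loopback: match on the interface rather than on -s 127.0.0.1, so that
# local clients talking to the host's own public address (that traffic
# also travels over lo) are not dropped by the INPUT policy.
iptables -A INPUT -i lo -j ACCEPT

# Replies to connections this host initiated, and related traffic
# (e.g. ICMP errors for tracked connections, which is what keeps PMTU
# discovery working even though plain ICMP is not accepted below).
# Placed early because it matches the bulk of the traffic.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accepted hosts (all protocols, all ports)
# NOTE(review): 100.0.0.0/8 is not a private range (10.0.0.0/8 is);
# confirm this is the range actually meant before relying on it.
iptables -A INPUT -s 100.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 81.229.167.48 -j ACCEPT
iptables -A INPUT -s 217.209.122.25 -j ACCEPT
#ipv6 tunnel hosts
#iptables -I INPUT -s 213.121.24.85 -j ACCEPT
#iptables -I INPUT -s 62.75.252.206 -j ACCEPT

# Accepted ports
#iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80 -j ACCEPT
#iptables -A INPUT -p tcp -m multiport --dports 8000,9000,9001,9002 -j ACCEPT
#iptables -A INPUT -p udp -m multiport --dports 53 -j ACCEPT

# Deny mysql from communicating outside the firewall.
# This only stops the local MySQL server's replies (source port 3306);
# it does not stop a local process from connecting out to port 3306 on
# some other machine.
iptables -A OUTPUT -p tcp --sport 3306 -j DROP

## SSH (port 234) with rate limit: one new connection attempt straight
## away, then one more every 30 seconds (2/minute, burst 1). Anything
## over the limit gets a TCP reset instead of a silent drop.
## --syn restricts the budget to real connection attempts so stray
## non-SYN packets cannot burn through it.
## CAVEAT: the limit is global, not per source -- one remote host
## hammering port 234 uses up the budget for everyone except the
## whitelisted hosts above, which bypass this rule. A per-source scheme
## needs the 'recent' match instead of 'limit'.
iptables -A INPUT -p tcp --dport 234 --syn -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 234 -j REJECT --reject-with tcp-reset

# Redirect ports over the vpn to my home network
#iptables -t nat -A POSTROUTING -d 192.168.55.0/24 -j SNAT --to-source 10.20.1.1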
####
######### IPV6
####
# NOTE(review): this disabled block sets a default-ACCEPT policy with
# two ACCEPT rules and no DROP at all. If IPv6 is enabled on the host
# (e.g. via the tunnel hosts mentioned above), enabling it as written
# leaves every listening service reachable over IPv6 regardless of the
# IPv4 rules -- mirror the IPv4 side instead (ip6tables -P INPUT DROP
# plus the specific ACCEPTs), otherwise the IPv4 firewall is bypassed.
#ip6tables -F INPUT
#ip6tables -P INPUT ACCEPT
#ip6tables -A INPUT -p tcp --dport 113 -j ACCEPT
#ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
anywebs script - znx - 2005-07-04
quick modification which will allow you to dynamically add good/bad hosts and ports to the lists without reloading the whole rule set
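#!/bin/bash
# znx's variant of the firewall: the rule set is split into three
# user-defined chains so hosts and ports can be added at run time with
# a single iptables command instead of re-running the whole script:
#   GOODHOST -- source addresses accepted for everything
#   SERVPORT -- ports open to the world
#   BADHOST  -- source addresses dropped outright
# Re-running the script rebuilds everything from scratch.

# Flush old rules on re-init. The user chains must be emptied before
# they can be deleted: 'iptables -X' refuses to remove a non-empty
# chain, and -F on the built-in chains does not touch them, so without
# the -F the old rules survive and every re-run appends duplicates.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
for chain in GOODHOST SERVPORT BADHOST; do
  # Both calls fail harmlessly on the very first run, when the chain
  # does not exist yet; that is the only error being silenced here.
  iptables -F "$chain" 2>/dev/null
  iptables -X "$chain" 2>/dev/null
done

# Default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# The user chains have to exist before INPUT can jump to them:
# 'iptables -A INPUT -j GOODHOST' fails with "No chain/target/match by
# that name" while GOODHOST has not been created, and with INPUT set to
# DROP that leaves nothing accepted at all. So: create, fill, then wire.
iptables -N GOODHOST
iptables -N SERVPORT
iptables -N BADHOST

# Accepted hosts (all protocols, all ports)
iptables -A GOODHOST -s 100.0.0.0/8 -j ACCEPT
iptables -A GOODHOST -s 127.0.0.1 -j ACCEPT
iptables -A GOODHOST -s 81.229.167.48 -j ACCEPT
iptables -A GOODHOST -s 217.209.122.25 -j ACCEPT

# Accepted ports. '--dport', multiport's '--dports' and
# '--reject-with tcp-reset' belong to the tcp match/target and are only
# available once the rule itself says '-p tcp'; a rule in a user chain
# does not inherit the protocol of the rule that jumped to it, so
# without '-p tcp' iptables refuses the rule and the port stays closed.
iptables -A SERVPORT -p tcp -m multiport --dports 80 -j ACCEPT
## Accept ssh (port 234) with rate limit: one new connection, then one
## more every 30 seconds; anything over the limit gets a TCP reset.
## --syn restricts the budget to real connection attempts. The limit is
## global, not per source -- one remote host can use up the budget for
## everyone except the GOODHOST entries.
iptables -A SERVPORT -p tcp --dport 234 --syn -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A SERVPORT -p tcp --dport 234 -j REJECT --reject-with tcp-reset

# Dropped hosts
#iptables -A BADHOST -s 207.46.98.0/24 -j DROP # Ms search bot

# Wire the chains into INPUT, in this order: blacklist first, then
# loopback and the whitelist, then replies to our own connections
# (kept in INPUT and not restricted to tcp, so UDP and ICMP replies --
# DNS answers, ICMP errors -- are not dropped by the policy), and
# finally the public ports. GOODHOST is no longer reached via '-p tcp'
# only, so whitelisted hosts are accepted for every protocol, as in
# the original script.
iptables -A INPUT -j BADHOST
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j GOODHOST
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j SERVPORT

# deny mysql from communicating outside the firewall (this blocks the
# local server's replies only; it does not stop outbound connections
# to port 3306 elsewhere)
iptables -A OUTPUT -p tcp --sport 3306 -j DROP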
Accept a new good host:
Code: iptables -A GOODHOST -s IP -j ACCEPT
Deny another bad guy:
Code: iptables -A BADHOST -s IP -j DROP
Accept another port for a new server:
Code: iptables -A SERVPORT -p tcp --dport PORT -j ACCEPT   (the -p tcp is required: --dport is a tcp/udp match option and is refused without it)
This way you don't need to bring your firewall down to actually add/remove people.
anywebs script - Zypher - 2009-07-01
Add this to the rules and you have a decent SSH brute-force blocker. Note that it appends to chains named extern_in and extern_out which it does not create itself: create them and jump to them from INPUT/OUTPUT for the external interface (or append the rules straight to INPUT/OUTPUT), and change port 22 to whatever sshd actually listens on (234 in the scripts above).
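# create properREJECT chain that does different rejects for tcp/udp
iptables -N properREJECT
iptables -A properREJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A properREJECT -j REJECT --reject-with icmp-port-unreachable
#
# blacklistdrop: log the event, record the source address in the
# BLACKLIST 'recent' list, drop the packet. The LOG rule is rate limited
# (numbers are a tunable choice) so an attacker cannot flood syslog by
# triggering it in a loop; the --set/DROP rule is not limited, so the
# blacklisting itself still happens for every hit.
iptables -N blacklistdrop
iptables -A blacklistdrop -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "adding to BLACKLIST: "
iptables -A blacklistdrop -m recent --name BLACKLIST --set -j DROP
#
# NOTE: the rules below append to chains named extern_in and extern_out
# which this snippet does not create. They are meant to be the chains
# INPUT and OUTPUT jump to for the external interface: create them
# ('iptables -N extern_in', 'iptables -N extern_out') and jump to them
# ('iptables -A INPUT -i <ext-if> -j extern_in', likewise for OUTPUT)
# before loading these rules, or append them to INPUT/OUTPUT directly.
# They match ssh on port 22; if sshd listens elsewhere (234 in the
# scripts earlier in this thread) adjust --dport/--sport accordingly.
#
# Trusted addresses should be accepted *before* the blacklist check:
# the blacklist is keyed on the source address of unauthenticated SYN
# packets, so anyone able to spoof a source address can get that
# address blacklisted, and keep it there, by sending five SYNs a minute.
#iptables -A extern_in -s <admin-ip> -j ACCEPT
#
# on external hosts, do rate limiting on incoming ssh packets, and keep a blacklist.
# this rule drops *any* packet if the IP is in the blacklist.
# --update refreshes the entry's timestamp on every hit, so the address
# stays blocked until it has been silent for 120 seconds (not for 120
# seconds from the first hit); use --rcheck here for a fixed-length ban.
# icmp 'destination-unreachable' packets should not update BLACKLIST, because
# they are generated by our own REJECT rule in the extern_out chain
iptables -A extern_in -m recent --name BLACKLIST --update --seconds 120 -j DROP
#
# all *established* ssh connections simply continue
iptables -A extern_in -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# *new* ssh connections are recorded in the 'sshconn' list. --rcheck only
# tests and never adds an entry, so the counting rule runs first: on the
# 5th new connection from one source within 60 seconds (hitcount 5, i.e.
# four attempts already recorded) the packet goes to 'blacklistdrop',
# which puts the IP in the blacklist. (The recent module caps --hitcount
# at its ip_pkt_list_tot parameter; check that if you raise the count.)
iptables -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j blacklistdrop
#
# fewer than 5 in the last 60 seconds: record this attempt and accept
iptables -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --set -j ACCEPT
#
# if the destination address is in the blacklist (--rdest: compare the
# packet's destination, not its source, against the list), REJECT *any*
# outgoing packet for 30 seconds after the address was last seen
iptables -A extern_out -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j properREJECT
#
# outgoing we accept all ssh traffic, with connection tracking
iptables -A extern_out -p tcp --sport 22 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT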
And edit /etc/syslog.conf with the following line to log firewall related stuff to a different file (note that kern.* selects all kernel messages, not only the netfilter LOG lines, so that file will also receive ordinary kernel output):
Code: kern.* /var/log/firewall.log