anywebs script
#1

here it is

feel free to copy/play with it

Lines with a # in front of them are ignored. Interesting to note that SSH is listening on port 234, and we are using iptables to limit the number of connections to that port on a per-minute basis.

cheers

anyweb

Code:
#!/bin/bash
# Enable packet forwarding for VPN work
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush old rules on reinit of rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Set input policy
iptables -P INPUT DROP

# Accepted hosts
iptables -A INPUT -s 100.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 81.229.167.48 -j ACCEPT
iptables -A INPUT -s 217.209.122.25 -j ACCEPT

# IPv6 tunnel hosts
#iptables -I INPUT -s 213.121.24.85 -j ACCEPT
#iptables -I INPUT -s 62.75.252.206 -j ACCEPT

# Accepted ports
#iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80 -j ACCEPT
#iptables -A INPUT -p tcp -m multiport --dports 8000,9000,9001,9002 -j ACCEPT
#iptables -A INPUT -p udp -m multiport --dports 53 -j ACCEPT
# Replies to connections this host opened, plus related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Deny MySQL from communicating outside the firewall
iptables -A OUTPUT -p tcp --sport 3306 -j DROP

## Accept ports with rate limit
# SSH listens on 234. Only packets that were not already accepted as
# ESTABLISHED above reach these rules, i.e. new connections: 2 per minute
# (burst 1) through one limit bucket shared by all sources, the rest get a
# TCP reset.
iptables -A INPUT -p tcp --dport 234 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 234 -j REJECT --reject-with tcp-reset

# Dropped hosts (appended last, so they only catch traffic not accepted above)
#iptables -A INPUT -s 207.46.98.0/24 -j DROP   # MS search bot
#iptables -A INPUT -s 70.25.150.84 -j DROP     # samurai and jo

# Redirect ports over the VPN to my home network
#iptables -t nat -A POSTROUTING -d 192.168.55.0/24 -j SNAT --to-source 10.20.1.1

####
######### IPV6
####
#ip6tables -F INPUT
#ip6tables -P INPUT ACCEPT
#ip6tables -A INPUT -p tcp --dport 113 -j ACCEPT
#ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

Reply
#2

Quick modification which will allow you to dynamically add good/bad hosts and ports to the lists.

Code:
#!/bin/bash
# Flush old rules on reinit of rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# User chains have to be empty before -X can delete them, and they don't
# exist yet on the very first run, so errors here are ignored
for chain in GOODHOST SERVPORT BADHOST; do
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
done

# Create the user chains before anything jumps to them (a jump to a chain
# that does not exist yet is an error)
iptables -N GOODHOST
iptables -N SERVPORT
iptables -N BADHOST

# Set input policy
iptables -P INPUT DROP
# Order matters: bad hosts first, then replies to connections we opened
# (this lives in INPUT rather than in the TCP-only SERVPORT chain, or UDP
# replies such as DNS answers would be dropped), then good hosts for all
# protocols as in the first script, then the public services
iptables -A INPUT -j BADHOST
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j GOODHOST
iptables -A INPUT -p tcp -j SERVPORT

# Accepted hosts
iptables -A GOODHOST -s 100.0.0.0/8 -j ACCEPT
iptables -A GOODHOST -s 127.0.0.1 -j ACCEPT
iptables -A GOODHOST -s 81.229.167.48 -j ACCEPT
iptables -A GOODHOST -s 217.209.122.25 -j ACCEPT

# Accepted ports (--dport and multiport need -p tcp on the rule itself, even
# though SERVPORT is only entered for TCP)
iptables -A SERVPORT -p tcp -m multiport --dports 80 -j ACCEPT

## Accept ports with rate limit: new SSH connections on 234, 2 per minute
## shared across all sources; anything over that gets a TCP reset
iptables -A SERVPORT -p tcp --dport 234 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A SERVPORT -p tcp --dport 234 -j REJECT --reject-with tcp-reset

# Dropped hosts
#iptables -A BADHOST -s 207.46.98.0/24 -j DROP   # MS search bot

iptables -P OUTPUT ACCEPT
# Deny MySQL from communicating outside the firewall
iptables -A OUTPUT -p tcp --sport 3306 -j DROP


Accept a new good host:

Code:
iptables -A GOODHOST -s IP -j ACCEPT

Deny another bad guy:

Code:
iptables -A BADHOST -s IP -j DROP

Accept another port for a new server:

Code:
iptables -A SERVPORT -p tcp --dport PORT -j ACCEPT

This way you don't need to bring your firewall down to actually add/remove people.

Reply
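The script below is an added example and not a script posted in this thread. It takes up two points from the posts above: the per-minute SSH limit, and adding or removing hosts without bringing the firewall down. It keeps the thread's chain names (GOODHOST, BADHOST, SERVPORT), host lists and SSH port 234, but renders the policy in iptables-restore format, so the whole filter table is replaced in one atomic step instead of flushing chains and re-adding rules one command at a time. Two things are assumptions of this example rather than something the thread does: the lists are plain shell variables (on a real host they would be read from files), and the SSH limit uses `-m hashlimit` keyed by source address, because the thread's `-m limit` is a single token bucket shared by every client, so one scanner hammering port 234 uses up the allowance for everyone, the admin included. FORWARD is set to DROP here; the thread leaves it at the default.

```shell
#!/bin/sh
# Added example, not from the thread: render the GOODHOST/BADHOST/SERVPORT
# policy as an iptables-restore ruleset and swap it in atomically.
# Assumptions: lists in shell variables; per-source hashlimit for SSH
# instead of the shared -m limit; FORWARD policy DROP.

GOOD_HOSTS="100.0.0.0/8 127.0.0.1 81.229.167.48 217.209.122.25"
BAD_HOSTS="207.46.98.0/24"      # the bot range commented out in the thread
SERV_PORTS="80"                 # plain TCP services, space separated
SSH_PORT=234
SSH_RATE="2/minute"
SSH_BURST=1

# Print the ruleset. INPUT order: blacklist first (so a newly added bad host
# loses its existing sessions too), then replies to connections we opened
# (-m conntrack --ctstate is the current spelling of -m state --state),
# then trusted hosts for all protocols, then the public TCP services.
render_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GOODHOST - [0:0]
:BADHOST - [0:0]
:SERVPORT - [0:0]
-A INPUT -j BADHOST
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j GOODHOST
-A INPUT -p tcp -j SERVPORT
EOF
    for h in $BAD_HOSTS;  do printf -- '-A BADHOST -s %s -j DROP\n' "$h"; done
    for h in $GOOD_HOSTS; do printf -- '-A GOODHOST -s %s -j ACCEPT\n' "$h"; done
    for p in $SERV_PORTS; do printf -- '-A SERVPORT -p tcp --dport %s -j ACCEPT\n' "$p"; done
    # Limit applies to *new* SSH connections and is tracked per source IP, so
    # one noisy client cannot lock everyone else out. Over the limit: TCP reset.
    cat <<EOF
-A SERVPORT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto $SSH_RATE --hashlimit-burst $SSH_BURST --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
-A SERVPORT -p tcp --dport $SSH_PORT -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp --sport 3306 -j DROP
COMMIT
EOF
}

# Dry run by default; "--load" hands the ruleset to iptables-restore, which
# replaces the filter table in one step, so there is no window in which
# INPUT is DROP with no accept rules behind it.
apply_rules() {
    if [ "${1:-}" = "--load" ]; then
        render_rules | iptables-restore
    else
        render_rules
    fi
}

apply_rules "$@"
```

Run it without arguments to see the generated ruleset, pipe that into `iptables-restore --test` to have it parsed without being committed, and use `--load` to apply it. To add or remove a host, edit the list and re-run: the whole table is regenerated and swapped, so the running firewall is never left half-built the way a flush followed by a sequence of `-A` commands leaves it.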
#3

Add this to the rules and you have a great SSH brute-force blocker.

Code:
# The rules below live in two user chains, extern_in and extern_out; create
# them and hook them into INPUT/OUTPUT first (the snippet assumes they exist)
iptables -N extern_in
iptables -N extern_out
iptables -I INPUT -j extern_in
iptables -I OUTPUT -j extern_out

# create properREJECT chain that does different rejects for tcp/udp
iptables -N properREJECT
iptables -A properREJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A properREJECT -j REJECT --reject-with icmp-port-unreachable
#
iptables -N blacklistdrop
iptables -A blacklistdrop -j LOG --log-prefix "adding to BLACKLIST: "
iptables -A blacklistdrop -m recent --name BLACKLIST --set -j DROP
#
# on external hosts, do rate limiting on incoming ssh packets, and keep a blacklist
# this rule drops *any* packet if the IP is in the blacklist; --update refreshes
# the entry, so a host stays listed until 120 seconds after its last packet
# icmp 'destination-unreachable' packets should not update BLACKLIST, because
# they are generated by our own REJECT rule in the extern_out chain
iptables -A extern_in -m recent --name BLACKLIST --update --seconds 120 -j DROP
#
# all *established* ssh connections simply continue
# (port 22 here; use 234 with the scripts above)
iptables -A extern_in -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# *new* ssh connections are all put into a list 'sshconn'; if the source already
# has 5 entries from the last 60 seconds, the packet goes to chain 'blacklistdrop',
# which puts the IP in the blacklist
iptables -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j blacklistdrop
#
# otherwise we record the attempt in 'sshconn' and accept
iptables -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --set -j ACCEPT
#
# if the destination address is in the blacklist, we REJECT *any* packet
iptables -A extern_out -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j properREJECT
#
# outgoing we accept all ssh traffic, with connection tracking
iptables -A extern_out -p tcp --sport 22 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

And add the following line to /etc/syslog.conf to log firewall-related stuff to a different file:

Code:
kern.* /var/log/firewall.log




Reply
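As an added example (not code from the thread), here is what you can do with the log the post above produces: the `blacklistdrop` chain writes a line prefixed `adding to BLACKLIST: ` for every host it blacklists, and the `kern.*` syslog line routes it to /var/log/firewall.log, but the `-m recent` entry expires after a couple of minutes. The script below reads those lines, counts blacklistings per source address, and emits a permanent `BADHOST` rule (the chain from the second post) for repeat offenders. The sample log is constructed to match the kernel LOG target's syslog format; the threshold of 3 blacklistings and the `BADHOST` chain name are assumptions taken from the earlier posts rather than anything this post specifies. The pattern only matches IPv4 `SRC=` values; ip6tables lines would need a wider one.

```shell
#!/bin/sh
# Added example, not from the thread: turn "adding to BLACKLIST: " LOG lines
# into permanent BADHOST entries for sources blacklisted repeatedly.
# Assumptions: threshold of 3, BADHOST chain from the earlier post, and the
# constructed sample log below (kernel LOG target format as seen via syslog).

SAMPLE_LOG='Jan 10 03:14:07 host kernel: adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:16:20 host kernel: adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1235 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:20:01 host kernel: adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=77 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:21:33 host kernel: adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1236 DF PROTO=TCP SPT=51250 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:22:00 host kernel: eth0: link is up'

# Read log lines on stdin; print "count ip" per blacklisted source, most
# frequent first. Only lines carrying our LOG prefix are counted, so other
# kern.* messages in the same file are ignored.
blacklist_counts() {
    grep 'adding to BLACKLIST: ' \
        | grep -o 'SRC=[0-9.]*' | cut -d= -f2 \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Emit one BADHOST rule per source blacklisted at least $1 times (default 3).
# The -m recent entry is temporary; appending to BADHOST makes the block stick.
repeat_offender_rules() {
    min="${1:-3}"
    blacklist_counts | awk -v min="$min" '$1 >= min { printf "iptables -A BADHOST -s %s -j DROP\n", $2 }'
}

# Stand-alone run over the constructed sample. On a real host:
#   repeat_offender_rules 3 < /var/log/firewall.log
printf '%s\n' "$SAMPLE_LOG" | repeat_offender_rules 3
```

Review the output before applying it: the rules are printed, not executed, so a source that tripped the blacklist once because of a flaky connection does not end up permanently blocked by accident.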

