anywebs script

here it is


feel free to copy/play with


Lines with a # in front of them are ignored. It is interesting to note that SSH is listening on port 234, and we are using iptables to limit the number of connections to that port on a per-minute basis.







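# Enable packet forwarding for vpn work
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush old rules on re-init of the rule set
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Set input policy: anything not accepted below is dropped
iptables -P INPUT DROP

# Loopback has to be accepted explicitly under a DROP policy, otherwise local
# clients talking to 127.0.0.1 (e.g. the web server to mysql over TCP) break
iptables -A INPUT -i lo -j ACCEPT

# Dropped hosts — kept ahead of every ACCEPT (including the ESTABLISHED rule
# and the port 80 rule), so that a blocked host cannot reach the web server
# and loses its existing connections as well.  IP is a placeholder.
#iptables -A INPUT -s IP -j DROP # Ms search bot
#iptables -A INPUT -s IP -j DROP # samurai and jo

# Reply traffic of connections this host initiated or accepted (any protocol)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accepted hosts (TRUSTED_IP_n are placeholders — the addresses were stripped
# from this listing)
iptables -A INPUT -s TRUSTED_IP_1 -j ACCEPT
iptables -A INPUT -s TRUSTED_IP_2 -j ACCEPT
iptables -A INPUT -s TRUSTED_IP_3 -j ACCEPT
iptables -A INPUT -s TRUSTED_IP_4 -j ACCEPT

#ipv6 tunnel hosts (IP is a placeholder)
#iptables -I INPUT -s IP -j ACCEPT
#iptables -I INPUT -s IP -j ACCEPT

# Accepted ports
#iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80 -j ACCEPT
#iptables -A INPUT -p tcp -m multiport --dports 8000,9000,9001,9002 -j ACCEPT
#iptables -A INPUT -p udp -m multiport --dports 53 -j ACCEPT

# deny mysql from communicating outside the firewall
# (! -o lo: OUTPUT also sees loopback traffic, so without it a local TCP client
# of 127.0.0.1:3306 would lose the server's replies)
iptables -A OUTPUT ! -o lo -p tcp --sport 3306 -j DROP

## SSH (port 234): accept connection attempts with a rate limit, reset the rest.
# --syn makes only connection attempts count against the limit; packets of
# established sessions were already accepted above.
# NOTE: -m limit is one global bucket, not a per-source one, so a single
# flooding address also locks out legitimate logins — see the -m recent based
# blocker further down this page for a per-source approach.
iptables -A INPUT -p tcp --syn --dport 234 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 234 -j REJECT --reject-with tcp-reset

# Redirect ports over the vpn to my home network
# (DEST_IP / SRC_IP are placeholders — the addresses were stripped from this listing)
#iptables -t nat -A POSTROUTING -d DEST_IP -j SNAT --to-source SRC_IP

######### IPV6
# NOTE: every ip6tables line below is commented out, so the IPv6 INPUT chain
# stays at its default policy (ACCEPT).  If this host has a global IPv6
# address, the IPv4 rules above give it no protection — either mirror them
# with ip6tables or set 'ip6tables -P INPUT DROP' as well.

#ip6tables -F INPUT

#ip6tables -P INPUT ACCEPT
#ip6tables -A INPUT -p tcp --dport 113 -j ACCEPT
#ip6tables -A INPUT -p ipv6-icmp -j ACCEPT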


A quick modification which allows you to dynamically add good/bad hosts and ports to the lists.




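# Flush old rules on re-init of the rule set.
# The three user chains are created here (the "already exists" error on a
# re-run is expected) and flushed, so that the INPUT jumps below never refer
# to a chain that does not exist yet — with a DROP policy a jump rule that
# fails to load silently locks everything out, port 80 included.
# Flushing also replaces the former -X calls: iptables only deletes an empty
# chain, so on every re-run -X failed, -N failed, and the chains kept
# accumulating duplicate rules.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
for chain in GOODHOST SERVPORT BADHOST; do
  iptables -N "$chain" 2>/dev/null   # error = chain already exists on re-run
  iptables -F "$chain"
done

# Set input policy and the order of evaluation:
#   loopback, blocked hosts, reply traffic, trusted hosts, public ports
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j BADHOST
# Reply traffic is matched in INPUT itself, not inside SERVPORT: the two jumps
# below are TCP-only, so UDP (DNS) and ICMP replies would otherwise be dropped
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j GOODHOST
iptables -A INPUT -p tcp -j SERVPORT

# Accepted hosts (TRUSTED_IP_n are placeholders — the addresses were stripped
# from this listing).  More can be added at run time with
#   iptables -A GOODHOST -s IP -j ACCEPT
iptables -A GOODHOST -s TRUSTED_IP_1 -j ACCEPT
iptables -A GOODHOST -s TRUSTED_IP_2 -j ACCEPT
iptables -A GOODHOST -s TRUSTED_IP_3 -j ACCEPT
iptables -A GOODHOST -s TRUSTED_IP_4 -j ACCEPT

# Accepted ports.  -p tcp is required on every rule even though INPUT only
# jumps here for TCP: --dport and -m multiport are protocol-specific matches
# and iptables refuses a rule that uses them without -p tcp/udp.
iptables -A SERVPORT -p tcp -m multiport --dports 80 -j ACCEPT

## SSH (port 234): accept connection attempts with a rate limit, reset the rest.
# --syn makes only connection attempts count against the limit.
# NOTE: -m limit is one global bucket, not a per-source one, so a single
# flooding address also locks out legitimate logins — see the -m recent based
# blocker further down this page for a per-source approach.
iptables -A SERVPORT -p tcp --syn --dport 234 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A SERVPORT -p tcp --dport 234 -j REJECT --reject-with tcp-reset

# Dropped hosts (IP is a placeholder).  More can be added at run time with
#   iptables -A BADHOST -s IP -j DROP
#iptables -A BADHOST -s IP -j DROP # Ms search bot

# deny mysql from communicating outside the firewall
# (! -o lo: OUTPUT also sees loopback traffic, so without it a local TCP client
# of 127.0.0.1:3306 would lose the server's replies)
iptables -A OUTPUT ! -o lo -p tcp --sport 3306 -j DROP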


Accept a new good host:


# Whitelist one more host at run time without reloading the rule set.
# IP is a placeholder for the address.  INPUT only jumps to GOODHOST for TCP
# (-p tcp -j GOODHOST), so this accepts the host's TCP traffic.
iptables --append GOODHOST --source IP --jump ACCEPT


Deny another bad guy:


# Block one more host at run time.  IP is a placeholder for the address.
# BADHOST is the first chain INPUT jumps to, so the drop is evaluated before
# the whitelist and port rules.
iptables --append BADHOST --source IP --jump DROP


Accept another port for a new server:


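# Open one more TCP port at run time.  PORT is a placeholder for the number.
# -p tcp is mandatory: --dport is a TCP/UDP match and iptables refuses the
# rule without a protocol, even though INPUT only jumps to SERVPORT for TCP.
iptables -A SERVPORT -p tcp --dport PORT -j ACCEPT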



This way you don't need to bring your firewall down to actually add/remove people.


Add this to the rules and you have a great SSH brute-force blocker.


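# Parameters.  The rule sets earlier on this page run SSH on port 234 while
# this snippet was written for port 22 — set ssh_port to whichever applies.
# EXT_IF is a placeholder for the name of the internet-facing interface.
ext_if=EXT_IF
ssh_port=22

# The snippet appends to extern_in / extern_out, which nothing above defines.
# Create (or flush, on a re-run) every chain it uses, then hook the two
# external chains into INPUT / OUTPUT for the external interface — without
# the jump rules none of the rules below is ever evaluated.  Run this after
# the flush in the rule set above so the jumps are not duplicated.
for chain in properREJECT blacklistdrop extern_in extern_out; do
  iptables -N "$chain" 2>/dev/null   # error = chain already exists on re-run
  iptables -F "$chain"
done
# -I (insert at the top) so the blacklist DROP is evaluated before any earlier
# ACCEPT rule in INPUT
iptables -I INPUT -i "$ext_if" -j extern_in
iptables -I OUTPUT -o "$ext_if" -j extern_out

# properREJECT: TCP gets a RST, everything else an ICMP port-unreachable
iptables -A properREJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A properREJECT -j REJECT --reject-with icmp-port-unreachable

# blacklistdrop: log the event (rate-limited, so a flood of offenders cannot
# fill the log file), record the source in the BLACKLIST list, then drop
iptables -A blacklistdrop -m limit --limit 5/minute -j LOG --log-prefix "adding to BLACKLIST: "
iptables -A blacklistdrop -m recent --name BLACKLIST --set -j DROP

# Incoming on the external interface.
# 1. Any packet from a blacklisted source is dropped; --update also refreshes
#    the entry, so a host stays blocked until it has been quiet for 120 s.
iptables -A extern_in -m recent --name BLACKLIST --update --seconds 120 -j DROP
# 2. Packets of established SSH sessions simply continue.
iptables -A extern_in -p tcp --dport "$ssh_port" -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. A new SSH connection from a source that already has 5 hits (--hitcount 5)
#    in 'sshconn' within the last 60 s is sent to blacklistdrop.
iptables -A extern_in -p tcp --dport "$ssh_port" -m state --state NEW -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j blacklistdrop
# 4. Otherwise the attempt is recorded in 'sshconn' (--set) and accepted.
iptables -A extern_in -p tcp --dport "$ssh_port" -m state --state NEW -m recent --name sshconn --set -j ACCEPT

# Outgoing on the external interface.
# Any packet *to* an address (--rdest) blacklisted within the last 30 s is
# rejected instead of sent.  --rcheck rather than --update is used here,
# presumably so that the box's own reject packets do not refresh the
# blacklist entry — confirm this matches the intended timing.
iptables -A extern_out -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j properREJECT
# All SSH traffic leaving the box is accepted, with connection tracking.
iptables -A extern_out -p tcp --sport "$ssh_port" -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT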


And edit /etc/syslog.conf with the following line to log firewall-related stuff to a different file:

kern.*                          /var/log/firewall.log


