anywebs script
#1

here it is

feel free to copy/play with

Lines with a # in front of them are ignored. Interesting to note that ssh is listening on port 234 and we are using iptables to limit the number of connections to that port on a per-minute basis.

cheers

anyweb

Code:
#!/bin/bash

# Enable packet forwarding for vpn work
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush old rules on reinit of rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Set input policy: anything not accepted by a rule below is dropped
iptables -P INPUT DROP

# Accepted hosts (any port, any protocol)
iptables -A INPUT -s 100.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 81.229.167.48 -j ACCEPT
iptables -A INPUT -s 217.209.122.25 -j ACCEPT

#ipv6 tunnel hosts
#iptables -I INPUT -s 213.121.24.85 -j ACCEPT
#iptables -I INPUT -s 62.75.252.206 -j ACCEPT

# Accepted ports
#iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80 -j ACCEPT
#iptables -A INPUT -p tcp -m multiport --dports 8000,9000,9001,9002 -j ACCEPT
#iptables -A INPUT -p udp -m multiport --dports 53 -j ACCEPT
# Packets belonging to already accepted connections; this must come before the
# rate limit below so that only *new* ssh connections are counted against it
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# deny mysql from communicating outside the firewall
iptables -A OUTPUT -p tcp --sport 3306 -j DROP

## Accept ports with rate limit
# ssh listens on 234: at most 2 new connections per minute (burst 1). Note that
# -m limit is one global counter, not per source address; anything above the
# limit is answered with a tcp-reset
iptables -A INPUT -p tcp --dport 234 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 234 -j REJECT --reject-with tcp-reset

# Dropped hosts
#iptables -A INPUT -s 207.46.98.0/24 -j DROP # Ms search bot
#iptables -A INPUT -s 70.25.150.84 -j DROP # samurai and jo

# Redirect ports over the vpn to my home network
#iptables -t nat -A POSTROUTING -d 192.168.55.0/24 -j SNAT --to-source 10.20.1.1

####
######### IPV6
####

#ip6tables -F INPUT

#ip6tables -P INPUT ACCEPT
#ip6tables -A INPUT -p tcp --dport 113 -j ACCEPT
#ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

#2

quick modification which will allow you to dynamically add good/bad hosts and ports to the lists

Code:
#!/bin/bash
# Flush old rules on reinit of rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# A user chain can only be deleted (-X) once it is empty and no longer referenced,
# so flush each one first; the errors on the very first run are harmless
for chain in GOODHOST SERVPORT BADHOST; do
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
done

# Create the user chains before anything jumps to them (a jump to a chain that
# does not exist yet is an error)
iptables -N GOODHOST
iptables -N SERVPORT
iptables -N BADHOST

# Set input policy and dispatch to the user chains
iptables -P INPUT DROP
# Replies to connections we started, for every protocol (kept in INPUT rather
# than in the tcp-only SERVPORT chain so that udp/icmp replies are not dropped)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j BADHOST
iptables -A INPUT -p tcp -j GOODHOST
iptables -A INPUT -p tcp -j SERVPORT

# Accepted hosts (any port)
iptables -A GOODHOST -s 100.0.0.0/8 -j ACCEPT
iptables -A GOODHOST -s 127.0.0.1 -j ACCEPT
iptables -A GOODHOST -s 81.229.167.48 -j ACCEPT
iptables -A GOODHOST -s 217.209.122.25 -j ACCEPT

# Accepted ports (--dport/--dports need -p tcp on the rule itself; the -p tcp
# on the jump into this chain does not carry over)
iptables -A SERVPORT -p tcp -m multiport --dports 80 -j ACCEPT

## Accept ports with rate limit (one global counter, not per source address)
iptables -A SERVPORT -p tcp --dport 234 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A SERVPORT -p tcp --dport 234 -j REJECT --reject-with tcp-reset

# Dropped hosts
#iptables -A BADHOST -s 207.46.98.0/24 -j DROP # Ms search bot

iptables -P OUTPUT ACCEPT
# deny mysql from communicating outside the firewall
iptables -A OUTPUT -p tcp --sport 3306 -j DROP

Accept a new good host:

Code:
iptables -A GOODHOST -s IP -j ACCEPT

Deny another bad guy:

Code:
iptables -A BADHOST -s IP -j DROP

Accept another port for a new server (--dport needs -p tcp on the rule):

Code:
iptables -A SERVPORT -p tcp --dport PORT -j ACCEPT

This way you don't need to bring your firewall down to actually add/remove people.
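As an added example (not part of the post above): a small wrapper around the GOODHOST/BADHOST/SERVPORT chains that validates the address or port before it reaches iptables and uses `iptables -C` so that running the same command twice does not stack duplicate rules. The script name fwctl.sh and the IPTABLES variable are my own choices, not the author's.

```shell
#!/bin/bash
# Wrapper for the GOODHOST / BADHOST / SERVPORT chains above. It validates the
# address or port first and uses "iptables -C" so a rule is appended only once
# (repeating the plain "-A" commands from the post stacks duplicate rules).
set -u
IPTABLES=${IPTABLES:-iptables}   # override with a full path if needed

# Dotted-quad IPv4 address with optional /prefix; every octet must be 0-255.
valid_ipv4() {
  case "$1" in ''|*[!0-9./]*) return 1 ;; esac     # only digits, dots, slash
  local addr="${1%/*}" prefix="${1#*/}" octet
  [ "$prefix" = "$1" ] && prefix=32                 # no "/" given
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  local IFS=.
  set -- $addr
  [ $# -eq 4 ] || return 1
  for octet; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# TCP port number in 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rule specifications (chain plus match/target), shared by -C, -A and -D.
host_rule() { printf '%s -s %s -j %s' "$1" "$2" "$3"; }   # chain addr target
port_rule() { printf 'SERVPORT -p tcp --dport %s -j ACCEPT' "$1"; }

# Append only if the rule is not already present; delete only if it is.
ensure_rule() { "$IPTABLES" -C $1 2>/dev/null || "$IPTABLES" -A $1; }
remove_rule() { "$IPTABLES" -C $1 2>/dev/null && "$IPTABLES" -D $1; }

allow_host()   { valid_ipv4 "$1" && ensure_rule "$(host_rule GOODHOST "$1" ACCEPT)"; }
block_host()   { valid_ipv4 "$1" && ensure_rule "$(host_rule BADHOST "$1" DROP)"; }
unblock_host() { valid_ipv4 "$1" && remove_rule "$(host_rule BADHOST "$1" DROP)"; }
open_port()    { valid_port "$1" && ensure_rule "$(port_rule "$1")"; }

# usage: ./fwctl.sh allow|block|unblock ADDR   or   ./fwctl.sh open PORT
case "${1:-}" in
  allow)   allow_host "$2" ;;
  block)   block_host "$2" ;;
  unblock) unblock_host "$2" ;;
  open)    open_port "$2" ;;
esac
```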

#3

Add this to the rules and you have a great SSH brute-force blocker

Code:
# The extern_in / extern_out chains are used below but never created in the
# original snippet: create them and hook them into INPUT/OUTPUT for the external
# interface, inserted at the top so the blacklist is checked before any accept
# rule (the interface name is an assumption, adjust it to yours)
EXT_IF=eth0
iptables -N extern_in
iptables -N extern_out
iptables -I INPUT -i "$EXT_IF" -j extern_in
iptables -I OUTPUT -o "$EXT_IF" -j extern_out
#
# create properREJECT chain that does different rejects for tcp/udp
iptables -N properREJECT
iptables -A properREJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A properREJECT -j REJECT --reject-with icmp-port-unreachable
#
# blacklistdrop logs the offender (the prefix shows up in the kernel log), records
# its source address in the 'BLACKLIST' recent list and drops the packet
iptables -N blacklistdrop
iptables -A blacklistdrop -j LOG --log-prefix "adding to BLACKLIST: "
iptables -A blacklistdrop -m recent --name BLACKLIST --set -j DROP
#
# on external hosts, do rate limiting on incoming ssh packets, and keep a blacklist
# this rule drops *any* packet if the IP is in the blacklist; --update also refreshes
# the entry, so a host stays blocked until it has been quiet for 120 seconds
# icmp 'destination-unreachable' packets should not update BLACKLIST, because
# they are generated by our own REJECT rule in the extern_out chain
iptables -A extern_in -m recent --name BLACKLIST --update --seconds 120 -j DROP
#
# all *established* ssh connections simply continue
iptables -A extern_in -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# *new* ssh connections are recorded in the list 'sshconn'; --rcheck runs before
# --set, so the 6th new connection from one source within 60 seconds (5 entries
# already in the list) is sent to chain 'blacklistdrop', which blacklists the IP
iptables -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j blacklistdrop
#
# fewer than 5 entries in the last 60 seconds: record this one and accept
iptables -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --set -j ACCEPT
#
# if the destination address is in the blacklist, we REJECT *any* packet
iptables -A extern_out -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j properREJECT
#
# outgoing we accept all ssh traffic, with connection tracking
iptables -A extern_out -p tcp --sport 22 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

And edit /etc/syslog.conf with the following line to log firewall related stuff to a different file:

Code:
kern.*                          /var/log/firewall.log
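An added example, not from the post: a script that summarises the "adding to BLACKLIST: " lines which the blacklistdrop chain above writes (with the syslog line, into /var/log/firewall.log), so you can see which sources keep tripping the limit. The FIREWALL_LOG variable, the sample addresses and the sample log lines are constructed by me for the demo.

```shell
#!/bin/bash
# Summarise the "adding to BLACKLIST: " LOG entries written by the blacklistdrop
# chain. The log lines below are constructed samples in the kernel LOG target's
# format, so the script runs offline; point FIREWALL_LOG at the real file instead.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=41002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: eth0: link is up
Mar  3 10:17:40 gw kernel: adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=777 DF PROTO=TCP SPT=50210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:21:09 gw kernel: adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1301 DF PROTO=TCP SPT=41950 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Log source: the real file if FIREWALL_LOG is set, otherwise the samples above.
log_lines() {
  if [ -n "${FIREWALL_LOG:-}" ]; then cat "$FIREWALL_LOG"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Read log lines on stdin, print "count source" per blacklisted source, most hits first.
blacklist_summary() {
  grep 'adding to BLACKLIST: ' \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# How many times one source address was blacklisted (0 if never).
blacklist_count() {   # source
  log_lines | blacklist_summary \
    | awk -v src="$1" '$2 == src { print $1; found = 1 } END { if (!found) print 0 }'
}

# Sources blacklisted at least N times: candidates for a permanent DROP rule
# instead of the temporary 120-second block the recent list gives them.
repeat_offenders() {   # min_hits
  log_lines | blacklist_summary \
    | awk -v min="$1" '$1 >= min { print $2 }'
}

log_lines | blacklist_summary
```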



