Login

***anyweb*** · (This post was last modified: 2005-07-26, 12:46 PM by anyweb.)

here it is

feel free to copy/play with

lines with a # infront of them are ignored, interesting to note that ssh is listening on port 234 and we are using iptables to limit the amount of connections to that port on a per minute basis

cheers

anyweb

Code:
#!/bin/bash

# Enabled packet forwarding for vpn work

#echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush Old rules on reinit of rules

iptables -F INPUT

iptables -F OUTPUT

iptables -F FORWARD

iptables -t nat -F PREROUTING

iptables -t nat -F POSTROUTING

# Set input policy

iptables -P INPUT DROP

# Accepted Hosts

iptables -A INPUT -s 100.0.0.0/8 -j ACCEPT

iptables -A INPUT -s 127.0.0.1 -j ACCEPT

iptables -A INPUT -s 81.229.167.48 -j ACCEPT

iptables -A INPUT -s 217.209.122.25 -j ACCEPT

#ipv6 tunnel hosts

#iptables -I INPUT -s 213.121.24.85 -j ACCEPT

#iptables -I INPUT -s 62.75.252.206 -j ACCEPT

# Accepted Ports

#iptables -I INPUT -p icmp -j ACCEPT

iptables -A INPUT -p tcp -m multiport --dports 80 -j ACCEPT

#iptables -A INPUT -p tcp -m multiport --dports 8000,9000,9001,9002 -j ACCEPT

#iptables -A INPUT -p udp -m multiport --dports 53 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# deny mysql from communicating outside the firewall

iptables -A OUTPUT -p tcp --sport 3306 -j DROP

## Accept ports with rate limit 

iptables -A INPUT -p tcp --dport 234 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT

iptables -A INPUT -p tcp --dport 234 -j REJECT --reject-with tcp-reset

# Dropped Hosts

#iptables -A INPUT -s 207.46.98.0/24 -j DROP # Ms search bot

#iptables -A INPUT -s 70.25.150.84 -j DROP # samurai and jo

# Redirect ports over the vpn to my home network

#iptables -t nat -A POSTROUTING -d 192.168.55.0/24 -j SNAT --to-source 10.20.1.1

[CODE]

####

######### IPV6

####

#ip6tables -F INPUT

#ip6tables -P INPUT ACCEPT

#ip6tables -A INPUT -p tcp --dport 113 -j ACCEPT

#ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

znx · (This post was last modified: 2009-07-01, 10:01 AM by anyweb.)

quick modification which will allow you to dynamically add good/bad and ports to the lists

Code:
#!/bin/bash

# Flush Old rules on reinit of rules

iptables -F INPUT

iptables -F OUTPUT

iptables -F FORWARD

iptables -t nat -F PREROUTING

iptables -t nat -F POSTROUTING

iptables -X GOODHOST

iptables -X SERVPORT

iptables -X BADHOST

# Set input policy

iptables -P INPUT DROP

iptables -A INPUT -j BADHOST

iptables -A INPUT -p tcp -j GOODHOST

iptables -A INPUT -p tcp -j SERVPORT

# Accepted Hosts

iptables -N GOODHOST

iptables -A GOODHOST -s 100.0.0.0/8 -j ACCEPT

iptables -A GOODHOST -s 127.0.0.1 -j ACCEPT

iptables -A GOODHOST -s 81.229.167.48 -j ACCEPT

iptables -A GOODHOST -s 217.209.122.25 -j ACCEPT

# Accepted Ports

iptables -N SERVPORT

iptables -A SERVPORT -m multiport --dports 80 -j ACCEPT

iptables -A SERVPORT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Accept ports with rate limit 

iptables -A SERVPORT --dport 234 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT

iptables -A SERVPORT --dport 234 -j REJECT --reject-with tcp-reset

# Dropped Hosts

iptables -N BADHOST

#iptables -A BADHOST -s 207.46.98.0/24 -j DROP # Ms search bot

iptables -P OUTPUT ACCEPT

# deny mysql from communicating outside the firewall

iptables -A OUTPUT -p tcp --sport 3306 -j DROP

Accept a new good host:

Code:
iptables -A GOODHOST -s IP -j ACCEPT

Deny another bad guy:

Code:
iptables -A BADHOST -s IP -j DROP

Accept another port for a new server:

Code:
iptables -A SERVPORT --dport PORT -j ACCEPT

This way you don't need to bring your firewall down to actually add/remove people.

Zypher · (This post was last modified: 2009-07-01, 10:13 AM by Zypher.)

Add this to the Rules and you have a great SSH Brute-force blocker

Code:
# create properREJECT chain that does different rejects for tcp/udp

iptables -N properREJECT

iptables -A properREJECT -p tcp -j REJECT --reject-with tcp-reset

iptables -A properREJECT -j REJECT --reject-with icmp-port-unreachable

#

iptables -N blacklistdrop

iptables -A blacklistdrop -j LOG --log-prefix "adding to BLACKLIST: "

iptables -A blacklistdrop -m recent --name BLACKLIST --set -j DROP

#

#

# on external hosts, do rate limiting on incoming ssh packets, and keep a blacklist for 60 seconds

# this rule drops *any* packet if the IP is in the blacklist

# icmp 'destination-unreachable' packets should not update BLACKLIST, because

# they are generated by our own REJECT rule in the extern_out chain

iptables -A extern_in -m recent --name BLACKLIST --update --seconds 120 -j DROP

#

# all *established* ssh connections simply continue

iptables -A extern_in  -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

#

# *new* ssh connections are all put into a list 'sshconn', and if there are 4 such packets in 60 seconds

# we send the package to chain 'blacklistdrop' which puts the IP in the blacklist

iptables -A extern_in  -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j blacklistdrop

#

# if we have seen less then 4 such packets in the last 60 seconds we accept

iptables -A extern_in  -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --set -j ACCEPT

#

# if the destination address is in the blacklist, we REJECT *any* packet

iptables -A extern_out -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j properREJECT

#

# outgoing we accept all ssh traffic, with connection tracking

iptables -A extern_out -p tcp --sport 22 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

And edit /etc/syslog.conf with the following line to log firewall related stuf to a different file

Code:
kern.*                          /var/log/firewall.log

Login
Username/Email:
Password:	Lost Password?
	Remember me