@Atem18

Atem18/iptables.sh

Last active Apr 30, 2019
My own iptables script.
#!/bin/sh
# Stateful iptables firewall for a single-homed host; start() installs the
# rule set, stop() opens everything again.  Must be run as root.
IPT='/sbin/iptables' # Iptable's path (used unquoted as a command prefix)
# Network interfaces :
interface='eth0' # Internet-facing (WAN) interface
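start() {
  # Installs the complete rule set.  Reads the globals IPT and interface;
  # optionally serveur, UPNP_Broadcast and SSDP_port for the UPnP rule.
  # $IPT is deliberately left unquoted (as in the original) so that it may
  # carry extra words; every other expansion is quoted.
  ### DELETE ALL ENTRIES ###
  # Only the filter table is flushed; nat/mangle rules, if any, are untouched.
  $IPT -F
  $IPT -X
  ### BLOCK ALL BY DEFAULT ###
  # Policies go to DROP before any rule is appended, so nothing is accepted
  # while the list below is still being built (fail-closed).
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP
  ### Block needless IP
  ## RIPE Website https://apps.db.ripe.net/search/full-text.html
  # -I inserts at the head of the chain, so these win over every rule
  # appended later, including the ESTABLISHED,RELATED accept.
  $IPT -I INPUT -s 85.116.217.200/29 -j DROP # HADOPI
  $IPT -I INPUT -s 193.107.240.0/22 -j DROP # trident media guard (tmg)
  $IPT -I INPUT -s 195.191.244.0/23 -j DROP # trident media guard (tmg)
  $IPT -I INPUT -s 193.105.197.0/24 -j DROP # trident media guard (tmg)
  $IPT -I OUTPUT -d 85.116.217.200/29 -j DROP # HADOPI
  $IPT -I OUTPUT -d 193.107.240.0/22 -j DROP # trident media guard (tmg)
  $IPT -I OUTPUT -d 195.191.244.0/23 -j DROP # trident media guard (tmg)
  $IPT -I OUTPUT -d 193.105.197.0/24 -j DROP # trident media guard (tmg)
  # Enable free use of loopback interfaces
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  ###############
  ### INPUT ###
  ###############
  # === anti scan ===
  # Invalid TCP flag combinations (XMAS, NULL, SYN+RST, ...) are collected in
  # their own chain and every incoming TCP packet is sent through it.
  $IPT -N SCANS
  $IPT -A SCANS -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
  $IPT -A SCANS -p tcp --tcp-flags ALL ALL -j DROP
  $IPT -A SCANS -p tcp --tcp-flags ALL NONE -j DROP
  $IPT -A SCANS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  # FIX: the chain was created but never referenced, so it had no effect.
  $IPT -A INPUT -p tcp -j SCANS
  ####################
  echo "Anti-scan is ready"
  #No spoofing
  # FIX: the original tested ".../conf/all/ip_filter" (no such sysctl) and
  # ran "echo > 1 $filtre", which wrote the path into a file named "1"
  # instead of enabling reverse-path filtering.
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$filtre"
    done
  fi
  echo "[Anti-spoofing is ready]"
  #No synflood
  if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  fi
  echo "[Anti-synflood is ready]"
  # === limited TCP, UDP, ICMP Flood ! ===
  # FIX: the TCP and UDP limiters used "-m limit ... -j ACCEPT", which
  # accepted every SYN / UDP packet under the rate limit on ANY port, ahead
  # of the port allow-list below.  Packets under the limit now RETURN to
  # INPUT and are judged by the allow-list; packets over the limit are
  # dropped, which is what "limited" was meant to do.
  # NOTE(review): 3/s with the limit module's default burst of 5 is very
  # aggressive for a busy web/mail host; tune --limit / --limit-burst.
  # TCP Syn Flood
  $IPT -N SYN_FLOOD
  $IPT -A SYN_FLOOD -m limit --limit 3/s -j RETURN
  $IPT -A SYN_FLOOD -j DROP
  $IPT -A INPUT -i "$interface" -p tcp --syn -j SYN_FLOOD
  # UDP Syn Flood
  # Only NEW (unsolicited) UDP is rate-limited; replies to our own DNS/NTP
  # queries are ESTABLISHED and must not be throttled.
  $IPT -N UDP_FLOOD
  $IPT -A UDP_FLOOD -m limit --limit 10/s -j RETURN
  $IPT -A UDP_FLOOD -j DROP
  $IPT -A INPUT -i "$interface" -p udp -m state --state NEW -j UDP_FLOOD
  # Ping Flood
  # These match specific ICMP types only, so an ACCEPT here does not bypass
  # the allow-list; echo traffic above 1/s falls through to the ICMP DROP
  # further down.
  $IPT -A INPUT -i "$interface" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  $IPT -A INPUT -i "$interface" -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
  #
  echo "TCP, UDP, ICMP Flood is now limited!"
  ####################
  # === Clean particulars paquets ===
  #Make sure NEW incoming tcp connections are SYN packets
  $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  # Packets with incoming fragments
  $IPT -A INPUT -f -j DROP
  # incoming malformed XMAS packets
  $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  # Incoming malformed NULL packets
  $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  #limit the number of connection
  # A source opening more than 10 NEW SSH connections within 10 s is dropped
  # via the "recent" table BLACKLIST; placed before the port-22 ACCEPT so
  # the DROP is reached.
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name BLACKLIST --set
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
  echo "Cleaned particulars paquets"
  #Drop icmp on WAN from serveur
  # NOTE(review): this drops ALL ICMP on $interface, so the type 8/11
  # ACCEPTs further down only apply to other interfaces, and path-MTU
  # discovery (destination-unreachable/fragmentation-needed) is lost too.
  $IPT -A INPUT -i "$interface" -p icmp -j DROP
  echo "Ping (ICMP) is now blocked on the interface WAN"
  #Drop broadcast
  $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
  # Accept inbound TCP packets
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # "-s 0.0.0.0/0" is the default (any source): every port below is open to
  # the whole Internet.  Narrow -s for FTP, POP3 and Samba unless they are
  # meant to be public.
  $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
  # FIX: this line was truncated to "-j AC$", which iptables rejects, so no
  # NEW SSH connection was ever accepted (lock-out after "start").
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
  $IPT -A INPUT -p tcp --dport 25 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
  $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
  $IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
  # Accept inbound UDP packets
  # NOTE(review): NTP (123), DHCP (67) and DNS (53) are accepted from any
  # source; publicly answering NTP/DNS services can be abused for
  # amplification, so restrict -s if the host is not meant to serve them.
  $IPT -A INPUT -p udp -m udp --dport 123 -s 0.0.0.0/0 -j ACCEPT
  $IPT -A INPUT -p udp -m udp --dport 67 -s 0.0.0.0/0 -j ACCEPT
  $IPT -A INPUT -p udp -m udp --dport 53 -s 0.0.0.0/0 -j ACCEPT
  # Allow inbound access to Samba shares
  $IPT -A INPUT -p udp -m udp --dport 137 -s 0.0.0.0/0 -j ACCEPT
  $IPT -A INPUT -p udp -m udp --dport 138 -s 0.0.0.0/0 -j ACCEPT
  $IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -s 0.0.0.0/0 -j ACCEPT
  $IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -s 0.0.0.0/0 -j ACCEPT
  # Accept inbound ICMP messages
  # Type 8 = echo-request, type 11 = time-exceeded (needed for traceroute).
  $IPT -A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
  $IPT -A INPUT -p ICMP --icmp-type 11 -s 0.0.0.0/0 -j ACCEPT
  ####################
  ### OUTPUT ###
  ####################
  # == We do accept some protocols ==
  $IPT -A OUTPUT -o "$interface" -p UDP --dport 123 -j ACCEPT # Port 123 (Time ntp udp)
  $IPT -A OUTPUT -o "$interface" -p TCP --dport 123 -j ACCEPT # Port 123 (Time ntp tcp)
  $IPT -A OUTPUT -o "$interface" -p UDP --dport domain -j ACCEPT # Port 53 (DNS)
  $IPT -A OUTPUT -o "$interface" -p TCP --dport domain -j ACCEPT # Port 53 (DNS)
  $IPT -A OUTPUT -o "$interface" -p TCP --dport http -j ACCEPT # Port 80 (Http)
  $IPT -A OUTPUT -o "$interface" -p TCP --dport https -j ACCEPT # Port 443 (Https)
  $IPT -A OUTPUT -o "$interface" -p TCP --dport ssh -j ACCEPT # Port 22 (SSH)
  # broadcast UPNP for ushare
  # FIX: serveur, UPNP_Broadcast and SSDP_port are never defined in this
  # script; with them empty the original produced an invalid iptables
  # command ("-s -d ...").  The rule is installed only when all three are
  # set (e.g. exported in the environment) and skipped with a warning
  # otherwise.
  if [ -n "${serveur:-}" ] && [ -n "${UPNP_Broadcast:-}" ] && [ -n "${SSDP_port:-}" ]; then
    $IPT -t filter -A OUTPUT -o "$interface" -m state --state NEW -s "$serveur" -d "$UPNP_Broadcast" -p udp --sport 1024: --dport "$SSDP_port" -j ACCEPT
  else
    echo "UPNP/SSDP output rule skipped: serveur, UPNP_Broadcast and SSDP_port must all be set" >&2
  fi
  # Generic OUTPUT
  $IPT -A OUTPUT -o "$interface" --match state --state ESTABLISHED,RELATED -j ACCEPT
  echo "############ <START> ##############"
  $IPT -L -n # comment to deactivate printing of the current rules
  echo "############ </START> ##############"
}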
stop() {
  ### OPEN ALL !!! ###
  # Flush every rule, delete the user chains and set the three built-in
  # chains to ACCEPT: after this the host is completely unfiltered.
  # Reads the global IPT (kept unquoted as a command prefix).
  $IPT -F
  $IPT -X
  $IPT -P INPUT ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  printf '%s\n' "############ <STOP> ##############"
  $IPT -L -n # comment to deactivate printing of the current rules
  printf '%s\n' "############ </STOP> ##############"
}
# Entry point: the first argument selects the action (init.d convention).
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    # Name the script is expected to have under /etc/init.d, for the usage line.
    N="/etc/init.d/${0##*/}"
    printf '%s\n' "Usage: $N {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0
@0x00dec0de 0x00dec0de commented Jan 28, 2018

I am not sure about the "anti scan" section.
I don't see the "SCANS" chain being used anywhere.

@ikarlashov ikarlashov commented May 28, 2018

Line 98. You made a mistake in the most important string.
