@Cvar1984
Last active August 17, 2023 05:11
Strict iptables (IPv4-only; ip6tables is not configured) VPS firewall configuration for Minecraft and website hosting
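#!/usr/bin/env bash
#
# Strict IPv4 iptables policy for a VPS that hosts a website and a Minecraft
# server. Rebuilds the filter and mangle tables from scratch on every run:
#   - anything not explicitly allowed is logged (rate-limited) and dropped in
#     all three filter chains (INPUT, OUTPUT, FORWARD), and the chain policies
#     are set to DROP so the host fails closed if the terminal rules vanish;
#   - a mangle PREROUTING pre-filter discards INVALID, bogus-flag and spoofed
#     packets before they reach conntrack/filter.
#
# Conntrack states used below (see iptables-extensions(8), "conntrack"):
#   NEW          first packet of a flow, or a flow not yet seen in both directions.
#   ESTABLISHED  the flow has seen packets in both directions.
#   RELATED      a new flow tied to an existing one (e.g. ICMP errors for a TCP
#                connection).
#
# Must run as root (CAP_NET_ADMIN). Environment overrides:
#   SSH_PORT      inbound sshd port            (default 40141)
#   SOCKS_CLIENT  only source allowed to reach the SOCKS proxy (default 96.9.87.183)
#   LOG_LIMIT     cap on "ipt denied" log lines (default 5/min, burst 10)
#   RULES_FILE    if set, the final rule set is written there (e.g.
#                 /etc/iptables/rules.v4 for iptables-persistent) instead of
#                 being printed on stdout. Printing alone does NOT persist the
#                 rules across a reboot.
#
# CAVEATS to confirm before deploying:
#   * IPv4 only. Nothing here touches ip6tables. If the VPS has an IPv6 address
#     every service is reachable over IPv6 regardless of these rules until an
#     equivalent ip6tables policy (with ICMPv6/NDP allowed) exists.
#   * Port 22 is only opened OUTBOUND (to GitHub). Make sure sshd really listens
#     on $SSH_PORT before running this over SSH, or you will be locked out.
#   * Outbound NTP (udp/123) is not allowed; unless the clock comes from the
#     hypervisor, drift will eventually break TLS and Mojang authentication.
#   * The mail block opens seven ports for NEW inbound connections (26 is not a
#     standard port). Remove it if no MTA/IMAP/POP daemon runs here.
#   * The anti-spoofing drops on 10/8, 172.16/12, 192.168/16 and 169.254/16 also
#     cut off a provider's internal network, DHCP server or metadata service if
#     it lives in those ranges (cloud metadata is commonly 169.254.169.254).
#   * Policies are opened during the rebuild so a failure cannot lock you out;
#     the price is a brief fail-open window (and a fail-open host if the script
#     aborts — the ERR trap shouts about it). For an atomic swap, write the
#     rules to a file and load them with iptables-restore instead.

set -Eeu

SSH_PORT="${SSH_PORT:-40141}"
SOCKS_CLIENT="${SOCKS_CLIENT:-96.9.87.183}"
LOG_LIMIT="${LOG_LIMIT:-5/min}"
MAIL_PORTS=25,26,995,993,143,110,465

if [[ "$EUID" -ne 0 ]]; then
  printf 'must run as root\n' >&2
  exit 1
fi
trap 'printf "ERROR: rule build failed at line %s; firewall may be left OPEN, check iptables -S\n" "$LINENO" >&2' ERR

# ---- Reset ------------------------------------------------------------------
# Open the policies first so the flush cannot lock us out over SSH, then empty
# both tables this script manages. (Flushing only the filter table, as before,
# left the mangle PREROUTING rules accumulating on every run.)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X              # drops every now-empty user chain, including LOGGING
iptables -t mangle -F

# ---- Loopback ---------------------------------------------------------------
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ---- Reply traffic ----------------------------------------------------------
# Everything below only has to admit the FIRST packet of a flow; return
# traffic in either direction is accepted here, so per-service "ESTABLISHED"
# rules are unnecessary.
iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ---- Outbound DNS -----------------------------------------------------------
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# ---- Inbound SSH on a non-standard port --------------------------------------
# TODO(review): add -m hashlimit or -m recent here to slow down brute force.
iptables -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

# ---- SOCKS proxy, one trusted client only --------------------------------------
# "socks" is resolved via /etc/services (tcp/1080). The old OUTPUT rule used
# "--dport socks -s $SOCKS_CLIENT", i.e. a locally generated packet with the
# remote host as SOURCE — it could never match; replies are ESTABLISHED anyway.
iptables -A INPUT -p tcp --dport socks -s "$SOCKS_CLIENT" -m conntrack --ctstate NEW -j ACCEPT

# ---- HTTP/HTTPS: serve the website, and let the host fetch over the web --------
iptables -A INPUT  -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT   # outbound only

# ---- Email services (see caveat above) -----------------------------------------
iptables -A INPUT  -p tcp -m multiport --dports "$MAIL_PORTS" -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports "$MAIL_PORTS" -m conntrack --ctstate NEW -j ACCEPT

# ---- ICMP -------------------------------------------------------------------
# Answer pings, rate-limited so an echo flood cannot be turned into CPU/log
# load. The previous "INPUT echo-request --state ESTABLISHED" rule could never
# match (an incoming ping is a NEW flow), so the host silently ignored every
# ping while allowing echo-replies out; this makes that intent real. Drop the
# rule if the host should stay unpingable.
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW \
  -m limit --limit 10/s --limit-burst 20 -j ACCEPT
# Our own outgoing pings; the replies come back as ESTABLISHED.
iptables -A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT

# ---- Outbound git / ssh (GitHub) -------------------------------------------------
# The old INPUT rules on "--dport 9418/22 ESTABLISHED" never matched: return
# packets carry those numbers as SOURCE ports, and are accepted by the
# ESTABLISHED,RELATED rule regardless.
iptables -A OUTPUT -p tcp --dport 9418 -m conntrack --ctstate NEW -j ACCEPT   # git://
iptables -A OUTPUT -p tcp --dport 22   -m conntrack --ctstate NEW -j ACCEPT   # ssh://

# ---- Minecraft server ---------------------------------------------------------
# These are IPv4 rules. 19133 is the port the original author labelled as the
# Bedrock IPv6 port; opening it in iptables only affects IPv4 clients — a real
# IPv6 listener needs the same rule in ip6tables.
iptables -A INPUT -p tcp --dport 25565 -m conntrack --ctstate NEW -j ACCEPT   # Java edition
iptables -A INPUT -p udp --dport 19132 -m conntrack --ctstate NEW -j ACCEPT   # Bedrock
iptables -A INPUT -p udp --dport 19133 -m conntrack --ctstate NEW -j ACCEPT   # Bedrock (see note)
iptables -A INPUT -p udp --dport 24454 -m conntrack --ctstate NEW -j ACCEPT   # Java voice chat

# ---- Mangle PREROUTING: cheap sanity checks before conntrack/filter --------------
# Packets conntrack cannot classify, and "new" TCP flows that do not start with SYN.
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# SYNs advertising an MSS below 536 are a classic flood/evasion marker.
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# Impossible flag combinations (XMAS, NULL and friends): mask then expected bits.
while read -r mask comp; do
  iptables -t mangle -A PREROUTING -p tcp --tcp-flags "$mask" "$comp" -j DROP
done <<'EOF'
FIN,SYN FIN,SYN
SYN,RST SYN,RST
FIN,RST FIN,RST
FIN,ACK FIN
ACK,URG URG
ACK,PSH PSH
ALL NONE
EOF

# ---- Spoofed source addresses -------------------------------------------------
# Sources that must never arrive from the internet (see the caveat about
# provider-internal ranges). 224.0.0.0/3 already spans 224.0.0.0-255.255.255.255,
# so the former separate 240.0.0.0/5 entry was redundant and is folded in.
# The kernel's rp_filter is the more robust control; treat this as an addition.
for net in 224.0.0.0/3 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 \
           192.168.0.0/16 10.0.0.0/8 0.0.0.0/8; do
  iptables -t mangle -A PREROUTING -s "$net" -j DROP
done
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

# ---- Logging and default deny ---------------------------------------------------
# The original created LOGGING but jumped straight to DROP, so nothing was ever
# logged. The LOG target is rate-limited so a flood cannot fill the journal.
iptables -N LOGGING
iptables -A LOGGING -m limit --limit "$LOG_LIMIT" --limit-burst 10 \
  -j LOG --log-prefix "ipt denied: " --log-level 4   # 4 = LOG_WARNING (syslog.h)
iptables -A LOGGING -j DROP
iptables -A INPUT   -j LOGGING
iptables -A OUTPUT  -j LOGGING
iptables -A FORWARD -j LOGGING   # nothing is routed through this host
# Fail closed: even if the terminal rules above are flushed by hand, the
# chain policies still drop.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# ---- Persist / display ---------------------------------------------------------
if [[ -n "${RULES_FILE:-}" ]]; then
  iptables-save > "$RULES_FILE"
else
  iptables-save   # stdout only — this does NOT survive a reboot
fi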