Firewall Cloudflare & SSH
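#!/bin/sh
# Firewall Cloudflare & SSH
#
# Host firewall for an origin server that sits behind Cloudflare:
#   * tcp/443 and tcp/8443 accept only Cloudflare's IPv4 edge ranges
#     (ipset cloudflare-v4); everything else on those ports is dropped
#   * mangle/PREROUTING drops invalid, malformed and fragmented packets and
#     all ICMP
#   * per-source connection cap and a global new-connection rate limit
#     (chain limit-tcp), with a bypass for the cloudflare-v4 and origin sets
#   * SSH brute-force throttling with -m recent
#   * per-source UDP packet rate limit (chain UDPLIMIT)
#
# Must run as root. The script is written to be re-runnable: every custom
# chain is (re)created empty and every rule is appended only when an
# identical rule is not already present (see add_rule), so a second run does
# not duplicate rules or leave the policy half-applied on an error.
#
# Rules exist only in the running kernel; they are lost on reboot unless
# saved (iptables-save / ipset save plus the distribution's persistence
# service). Only IPv4 is handled: the sets are family inet and only iptables
# (not ip6tables) is configured, so IPv6 traffic to the same ports is not
# filtered by this script.

set -eu

# add_rule TABLE CHAIN RULE...
# Appends RULE to CHAIN in TABLE unless an identical rule already exists.
# -C exits non-zero (and prints an error, which is silenced) when the rule is
# absent, so the || branch is the normal path on a first run.
add_rule() {
  _table=$1
  _chain=$2
  shift 2
  iptables -t "$_table" -C "$_chain" "$@" 2>/dev/null \
    || iptables -t "$_table" -A "$_chain" "$@"
}

# ensure_chain TABLE CHAIN
# Creates CHAIN in TABLE, or flushes it when it already exists, so the chain's
# rules are rebuilt from scratch on every run. Flushing keeps any jump to the
# chain that is already installed in a built-in chain.
ensure_chain() {
  iptables -t "$1" -N "$2" 2>/dev/null || iptables -t "$1" -F "$2"
}

# NOTE: this upgrades every package on the host, not only the firewall tools.
dnf update -y
dnf install iptables ipset -y

### Cloudflare IPv4 edge ranges ###
# The set is flushed before being refilled so that ranges removed from this
# list also disappear from the kernel. Cloudflare publishes the authoritative
# list; keep these entries in sync with it, otherwise traffic from a new edge
# range is dropped on 443/8443.
ipset create -exist cloudflare-v4 hash:net family inet
ipset flush cloudflare-v4
for net in \
  173.245.48.0/20 \
  103.21.244.0/22 \
  103.22.200.0/22 \
  103.31.4.0/22 \
  141.101.64.0/18 \
  108.162.192.0/18 \
  190.93.240.0/20 \
  188.114.96.0/20 \
  197.234.240.0/22 \
  198.41.128.0/17 \
  162.158.0.0/15 \
  104.16.0.0/13 \
  104.24.0.0/14 \
  172.64.0.0/13 \
  131.0.72.0/22; do
  ipset add -exist cloudflare-v4 "$net"
done

### Administrative source addresses ###
# Members of this set bypass limit-tcp and UDPLIMIT. It is left empty here;
# while it is empty, "-m set --match-set origin src" matches nothing and
# administrative traffic is rate-limited like any other source.
ipset create -exist origin hash:net family inet
#ipset add -exist origin ADMIN-IP

### Web ports: Cloudflare only ###
ensure_chain filter WEBSITE
add_rule filter WEBSITE -m set --match-set cloudflare-v4 src -j ACCEPT
add_rule filter WEBSITE -j DROP
add_rule filter INPUT -p tcp --dport 443 -j WEBSITE
add_rule filter INPUT -p tcp --dport 8443 -j WEBSITE

### ICMP ###
# Drops every ICMP type, not only echo: the host cannot be pinged, and
# "fragmentation needed" messages are discarded too, which can break path-MTU
# discovery for some peers.
add_rule mangle PREROUTING -p icmp -j DROP

# Earlier revision kept the SSH throttle commented out here; it is installed
# below, ahead of the limit-tcp hook.
#iptables -D INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
#iptables -D INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
#iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
#iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

### 1: Drop invalid packets ###
add_rule mangle PREROUTING -m conntrack --ctstate INVALID -j DROP

### 2: Drop TCP packets that are new and are not SYN ###
add_rule mangle PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

### 3: Drop SYN packets with suspicious MSS value ###
add_rule mangle PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

### 4: Block packets with bogus TCP flags ###
add_rule mangle PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
add_rule mangle PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

### 7: Drop fragments in all chains ###
add_rule mangle PREROUTING -f -j DROP

### 8: Limit connections per source IP ###
# Applies to every source, including Cloudflare edge addresses: the
# cloudflare-v4 bypass exists only inside limit-tcp below. A single edge node
# holding more than 111 connections to this origin is reset here, so review
# this cap if legitimate 443 traffic sees resets.
add_rule filter INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

### 9: Limit RST packets ###
add_rule filter INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
add_rule filter INPUT -p tcp --tcp-flags RST RST -j DROP

### SSH brute-force protection ###
# Installed before the limit-tcp hook on purpose. limit-tcp ends every NEW
# TCP packet with ACCEPT or DROP, and ACCEPT is terminal for INPUT, so these
# two rules would never match a new SSH connection if they came after it (as
# they did in the original ordering). The 10th new connection from one
# source within 60 seconds is dropped.
add_rule filter INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
add_rule filter INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

### 10: Limit new TCP connections per second ###
# Note: -m limit is one global token bucket, not a per-source limit as the
# original heading said; a per-source version would use hashlimit with
# --hashlimit-mode srcip, as UDPLIMIT does. ACCEPT here is terminal for
# INPUT, so any TCP port the host listens on is reachable (within the rate)
# regardless of the INPUT chain policy.
ensure_chain filter limit-tcp
add_rule filter limit-tcp -m set --match-set cloudflare-v4 src -j ACCEPT
add_rule filter limit-tcp -m set --match-set origin src -j ACCEPT
add_rule filter limit-tcp -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
add_rule filter limit-tcp -p tcp -m conntrack --ctstate NEW -j DROP
add_rule filter INPUT -j limit-tcp

### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
#iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
#iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
#iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

### Protection against port scanning ###
# Defined but never referenced from INPUT, exactly as in the original, so it
# is inert. Do not hook it with a bare "-j port-scanning": its final rule
# drops everything that is not a rate-limited RST, which would cut off all
# other traffic.
ensure_chain filter port-scanning
add_rule filter port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
add_rule filter port-scanning -j DROP

### UDP LIMIT ###
ensure_chain filter UDPLIMIT
add_rule filter UDPLIMIT -m set --match-set origin src -j ACCEPT
# Per-source bucket: accept up to 300 packets/second from each source address.
add_rule filter UDPLIMIT --match hashlimit --hashlimit-upto 300/second --hashlimit-mode srcip --hashlimit-name udp_rate_limit -j ACCEPT
# Log at most 5 lines per minute so the log itself cannot be flooded.
add_rule filter UDPLIMIT --match limit --limit 5/min -j LOG --log-prefix "UDP Flood DROP: "
add_rule filter UDPLIMIT -j DROP
# The original deleted this hook from INPUT but never re-added it, leaving
# the chain unused. The chain itself has no protocol match, so the hook is
# restricted to UDP here; an unrestricted "-j UDPLIMIT" would rate-limit
# TCP as well.
add_rule filter INPUT -p udp -j UDPLIMIT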