@NotYusta
Last active April 3, 2024 14:39
Firewall Cloudflare & SSH
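#!/bin/sh
# Firewall Cloudflare & SSH
#
# Host firewall for an origin server that sits behind Cloudflare:
#   * 443/8443 accept only Cloudflare's published IPv4 edge ranges
#   * ICMP, malformed TCP and fragments dropped in mangle/PREROUTING
#   * per-source connection cap, RST and new-connection rate limits
#   * SSH new-connection throttle via the "recent" match
#   * per-source UDP packet-rate limit
#
# Every step is idempotent so the script can be re-run after editing
# without stacking duplicate rules: user chains are created-or-flushed
# and rules in built-in chains are only appended when `iptables -C`
# reports them missing.
#
# Environment:
#   ADMIN_IP  optional address or CIDR added to the "origin" ipset;
#             members bypass the new-connection and UDP rate limits.
#
# NOTE: the Cloudflare ranges below are a snapshot; compare them against
# https://www.cloudflare.com/ips-v4 before relying on them. IPv6
# (ip6tables) is not covered by this script at all.

set -eu

# ensure_rule TABLE CHAIN RULE... : append RULE to CHAIN in TABLE unless an
# identical rule is already present (avoids duplicates on re-run).
ensure_rule() {
  _t=$1
  shift
  iptables -t "$_t" -C "$@" 2>/dev/null || iptables -t "$_t" -A "$@"
}

# ensure_chain TABLE CHAIN : create the user chain if it does not exist,
# then empty it so the rules that follow define its complete contents.
ensure_chain() {
  iptables -t "$1" -N "$2" 2>/dev/null || true
  iptables -t "$1" -F "$2"
}

dnf update -y
dnf install iptables ipset -y

### Cloudflare IPv4 edge ranges ###
# -exist: do not fail when the set / entry is already there.
ipset -exist create cloudflare-v4 hash:net family inet
for net in \
  173.245.48.0/20 \
  103.21.244.0/22 \
  103.22.200.0/22 \
  103.31.4.0/22 \
  141.101.64.0/18 \
  108.162.192.0/18 \
  190.93.240.0/20 \
  188.114.96.0/20 \
  197.234.240.0/22 \
  198.41.128.0/17 \
  162.158.0.0/15 \
  104.16.0.0/13 \
  104.24.0.0/14 \
  172.64.0.0/13 \
  131.0.72.0/22; do
  ipset -exist add cloudflare-v4 "$net"
done

### Trusted origins (admin / monitoring) that bypass the rate limits ###
ipset -exist create origin hash:net family inet
if [ -n "${ADMIN_IP:-}" ]; then
  ipset -exist add origin "$ADMIN_IP"
fi

### HTTPS: only Cloudflare may reach 443/8443 directly ###
ensure_chain filter WEBSITE
iptables -A WEBSITE -m set --match-set cloudflare-v4 src -j ACCEPT
iptables -A WEBSITE -j DROP
ensure_rule filter INPUT -p tcp --dport 443 -j WEBSITE
ensure_rule filter INPUT -p tcp --dport 8443 -j WEBSITE

### ICMP ###
# Drops all ICMP, including "fragmentation needed"; some clients may hit
# Path-MTU black holes unless MSS is clamped elsewhere.
ensure_rule mangle PREROUTING -p icmp -j DROP

### 1: Drop invalid packets ###
ensure_rule mangle PREROUTING -m conntrack --ctstate INVALID -j DROP
### 2: Drop TCP packets that are new and are not SYN ###
ensure_rule mangle PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
### 3: Drop SYN packets with suspicious MSS value ###
ensure_rule mangle PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
### 4: Block packets with bogus TCP flags ###
ensure_rule mangle PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
ensure_rule mangle PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
### 7: Drop fragments in all chains ###
ensure_rule mangle PREROUTING -f -j DROP

### 8: Limit connections per source IP ###
# Applies to Cloudflare edge addresses too; a busy edge node multiplexes
# many visitors behind one IP, so watch for resets if this cap is reached.
ensure_rule filter INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

### 9: Limit RST packets ###
ensure_rule filter INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
ensure_rule filter INPUT -p tcp --tcp-flags RST RST -j DROP

### 10: Limit new TCP connections per second ###
# `-m limit` is a single global bucket, not per source IP; a per-source
# limit would need `-m hashlimit --hashlimit-mode srcip` as in UDPLIMIT.
ensure_chain filter limit-tcp
iptables -A limit-tcp -m set --match-set cloudflare-v4 src -j ACCEPT
iptables -A limit-tcp -m set --match-set origin src -j ACCEPT
iptables -A limit-tcp -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
iptables -A limit-tcp -p tcp -m conntrack --ctstate NEW -j DROP
ensure_rule filter INPUT -j limit-tcp

### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
#iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
#iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
#iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

### SSH brute-force protection ###
# More than 10 new connections from one source within 60 s are dropped.
ensure_rule filter INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
ensure_rule filter INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

### Protection against port scanning ###
# NOTE: nothing jumps to this chain, so it is inert until a rule in INPUT
# references it; kept as in the original so it can be wired up deliberately.
ensure_chain filter port-scanning
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP

### UDP LIMIT ###
ensure_chain filter UDPLIMIT
iptables -A UDPLIMIT -m set --match-set origin src -j ACCEPT
iptables -A UDPLIMIT --match hashlimit --hashlimit-upto 300/second --hashlimit-mode srcip --hashlimit-name udp_rate_limit -j ACCEPT # Only accept 300/second, ignore the rest
iptables -A UDPLIMIT --match limit --limit 5/min -j LOG --log-prefix "UDP Flood DROP: " # Log the attacker (optional)
iptables -A UDPLIMIT -j DROP # Drop anything over 300 pps
# The original script only ever deleted this jump, leaving the chain
# unreferenced; it is restricted to UDP so the packet-rate cap cannot
# affect TCP traffic.
ensure_rule filter INPUT -p udp -j UDPLIMIT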