Last active
October 22, 2023 11:53
-
-
Save bruvv/4b1283fa7902447b3d2ae69481ea8ffa to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X) | |
iptables -F | |
iptables -X | |
iptables -t mangle -F | |
ip6tables -X | |
ip6tables -t mangle -F | |
ip6tables -F | |
# accept all | |
iptables -P INPUT ACCEPT | |
iptables -P FORWARD ACCEPT | |
iptables -P OUTPUT ACCEPT | |
#ip6tables -P INPUT ACCEPT | |
#ip6tables -P FORWARD ACCEPT | |
#ip6tables -P OUTPUT ACCEPT | |
#iptables -P INPUT DROP | |
#iptables -P FORWARD DROP | |
#iptables -P OUTPUT ACCEPT | |
#iptables -A INPUT -j REJECT | |
#ip6tables -P INPUT DROP | |
#ip6tables -P FORWARD DROP | |
#ip6tables -P OUTPUT ACCEPT | |
#ip6tables -A INPUT -j REJECT | |
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT | |
iptables -A INPUT -p tcp --dport 443 -j ACCEPT | |
iptables -A INPUT -p tcp --dport 22 -j ACCEPT | |
iptables -A INPUT -p tcp --dport 80 -j ACCEPT | |
iptables -A INPUT -p tcp --dport 853 -j ACCEPT | |
iptables -A INPUT -p tcp --dport 53 -j ACCEPT | |
iptables -A INPUT -p udp --dport 53 -j ACCEPT | |
iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery | |
iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP | |
iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery | |
iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP | |
iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE | |
iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset | |
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable | |
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable | |
ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset | |
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable | |
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable | |
#testing this still using it for DOT | |
iptables -t mangle -A OUTPUT -p tcp --sport 53 -j MARK --set-xmark 7 | |
ip rule add fwmark 7 lookup 99 | |
ip route add local 0.0.0.0/0 dev lo table 99 | |
iptables-save > /etc/iptables/rules.v4 | |
ip6tables-save > /etc/iptables/rules.v6 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment