Last active
May 4, 2022 23:32
-
-
Save dabumana/26b7caf09375a01fb38cc11bea1f6872 to your computer and use it in GitHub Desktop.
A ready to use firewall configuration IPTABLES (FRAGMENTPACKAGE, XMAX, LAND, SMURF PORTKNOCKING).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Flash the current table | |
| iptables -P INPUT ACCEPT | |
| iptables -P FORWARD ACCEPT | |
| iptables -P OUTPUT ACCEPT | |
| iptables -F | |
| # Log current scan | |
| iptables -A INPUT -j LOG | |
| iptables -A FORWARD -j LOG | |
| iptables -A OUTPUT -j LOG | |
| # Tunneling | |
| iptables -N TUNNEL | |
| iptables -N LAYER1 | |
| iptables -N LAYER2 | |
| iptables -N LAYER3 | |
| iptables -N HOSTER | |
| # Prepare the input | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| # Default filter | |
| iptables -A INPUT -p tcp --dport 80 -j ACCEPT | |
| iptables -A INPUT -p tcp --dport 443 -j ACCEPT | |
| iptables -A INPUT -p tcp --dport 8000 -j ACCEPT | |
| # Layer streaming | |
| iptables -A INPUT -j TUNNEL | |
| # Layer requirement A | |
| iptables -A LAYER1 -p tcp --dport 1338 -m recent --name REQ1 --set -j DROP | |
| iptables -A LAYER1 -j DROP | |
| # Layer requirement B | |
| iptables -A LAYER2 -m recent --name REQ1 --remove | |
| iptables -A LAYER2 -p tcp --dport 1339 -m recent --name REQ2 --set -j DROP | |
| iptables -A LAYER2 -j LAYER1 | |
| # Layer requirement C | |
| iptables -A LAYER3 -m recent --name REQ2 --remove | |
| iptables -A LAYER3 -p tcp --dport 1340 -m recent --name REQ3 --set -j DROP | |
| iptables -A LAYER3 -j LAYER1 | |
| # Layer hoster | |
| iptables -A HOSTER -m recent --name REQ3 --remove | |
| iptables -A HOSTER -p tcp --dport 22 -j ACCEPT | |
| iptables -A HOSTER -j LAYER1 | |
| # Tunneling callback | |
| iptables -A TUNNEL -m recent --rcheck --seconds 30 --name REQ3 -j HOSTER | |
| iptables -A TUNNEL -m recent --rcheck --seconds 10 --name REQ2 -j LAYER3 | |
| iptables -A TUNNEL -m recent --rcheck --seconds 10 --name REQ2 -j LAYER2 | |
| iptables -A TUNNEL -j LAYER1 | |
| # Block invalid packets | |
| iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP | |
| # Block new packets that are not SYN | |
| iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP | |
| # Block uncommon MSS values | |
| iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP | |
| # Block packets with Bogus TCP flags | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP | |
| # Block ping of death | |
| iptables -A INPUT -p tcp -m connlimit --connlimit-above 66 -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT | |
| iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP | |
| iptables -t mangle -A PREROUTING -f -j DROP | |
| iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT | |
| iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP | |
| # Set IP rules | |
| iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags ALL FIN -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags ALL RST -j REJECT --reject-with tcp-reset | |
| # SYN | |
| iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP | |
| iptables -A INPUT -p tcp --tcp-flags SYN RST,ACK -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags SYN,ACK RST,ACK -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with tcp-reset | |
| # SYN Flood mitigation | |
| iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack | |
| iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 | |
| iptables -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| # RST | |
| iptables -A INPUT -p tcp --tcp-flags RST,ACK SYN -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags RST,FIN RST,FIN -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags RST,SYN RST,SYN -j REJECT --reject-with tcp-reset | |
| # FIN | |
| iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags FIN FIN,ACK -j REJECT --reject-with tcp-reset | |
| # ACK | |
| iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j REJECT --reject-with tcp-reset | |
| iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j REJECT --reject-with tcp-reset | |
| # URG | |
| iptables -A INPUT -p tcp --tcp-flags URG ACK,URG -j REJECT --reject-with tcp-reset | |
| # ICMP | |
| iptables -A INPUT -p icmp -j REJECT | |
| # Fragment package | |
| iptables -A INPUT --fragment -j REJECT | |
| # Zero length requests | |
| iptables -A INPUT -p tcp -m length --length 0 -j REJECT --reject-with tcp-reset | |
| # Block from subnet | |
| iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP | |
| iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP | |
| iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP | |
| iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP | |
| iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP | |
| iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP | |
| iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP | |
| iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP | |
| iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP | |
| iptables -A INPUT -s 127.0.0.0/32 -j DROP | |
| # SSH brute force protection | |
| iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set | |
| iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP | |
| # Block port scanning | |
| iptables -N port-scanning | |
| iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN | |
| iptables -A port-scanning -j DROP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment