Last active
August 3, 2020 13:29
-
-
Save igorhrq/048b4891b03b650b8a898f8973de8db3 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # iptables meridiuns revision 1.0 12/07 | |
| # Updated 25/07 - adjusted some ports | |
| # Usage: sh fw.sh start/stop | |
| # Author: Igor A. | |
| # look vars below into 'CHANGE IF NECESSARY' | |
| arg=$1 | |
| if [[ $arg == 'start' ]] ; then | |
| # CHANGE IF NECESSARY | |
| interface="ens3" | |
| sshport="1157" | |
| otsrvlist1="147.135.0.224,147.135.33.66" | |
| # limpando chains | |
| iptables -F | |
| iptables -X | |
| iptables -t nat -F | |
| iptables -t nat -X | |
| iptables -t mangle -F | |
| iptables -t mangle -X | |
| iptables -t raw -F | |
| iptables -t raw -X | |
| # definindo politica padrao | |
| iptables -P INPUT DROP | |
| iptables -P FORWARD DROP | |
| iptables -P OUTPUT ACCEPT | |
| # liberando loopback | |
| iptables -A INPUT -i lo -j ACCEPT | |
| # Reject ICMP Geral | |
| iptables -A INPUT -p icmp -j DROP | |
| iptables -A INPUT -p udp -j ACCEPT | |
| #ICMP RELEASE | |
| ### START ICMP RELEASE | |
| #OUTGOING | |
| iptables -A OUTPUT -p icmp --icmp-type 8 -s ${otsrvlist1} -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
| iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d ${otsrvlist1} -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| #INCOMING | |
| iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d ${otsrvlist1} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
| iptables -A OUTPUT -p icmp --icmp-type 0 -s ${otsrvlist1} -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| ### END ICMP RELEASE | |
| # mantendo conexao ja estabelecida | |
| #iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # release ports make sure change your interface name | |
| iptables -A INPUT -i $interface -p tcp -m multiport --dport 20,21,43,53,80,443,$sshport,3306,6081,6082,7171:7175,7788:7799,8088 -j ACCEPT | |
| #proteção porta 21 FTP | |
| iptables -A INPUT -i $interface -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP | |
| iptables -A INPUT -i $interface -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name FTP -j DROP | |
| #iptables -A INPUT -i ens3 -p tcp -m multiport --dport 20,21,22,25,26,43,53,80,82,110,143,443,465,587,993,995,3306,7171:7175,7788:7799 -j ACCEPT | |
| # bloquear pacotes invalidos: | |
| iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP | |
| #dropa pacotes vazios e fragmentados (contra nmap scans): | |
| iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP | |
| iptables -A INPUT -f -j DROP | |
| # dropa pacotes quebrados XMAS (geralmente usado pelo nmap) | |
| iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP | |
| # regras que bloqueiam pacotes que tão usando flags incorretas/falhas no protocolo TCP. | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP | |
| iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP | |
| # Dropa pacotes que tentam pingar pro teu host, e pra fazer footprint usando esse protocolo e também ataques (ping of death, icmp flood e icmp fragmentation flood) | |
| iptables -t mangle -A PREROUTING -p icmp -j DROP | |
| # rejeita conexões com mais de 50 conexões no servidor: | |
| iptables -A INPUT -p tcp -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset | |
| # limita novas conexões para cada 60 segundos que um cliente pode fazer, evitando varios ataques | |
| iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT | |
| iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP | |
| #Syn-flood attack para todas as portas usando SYNPROXY | |
| iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack | |
| iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 | |
| iptables -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| ### brute-force no ssh | |
| iptables -A INPUT -p tcp --dport $sshport -m conntrack --ctstate NEW -m recent --set | |
| iptables -A INPUT -p tcp --dport $sshport -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP | |
| ### port-scanning drop | |
| iptables -N port-scanning | |
| iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN | |
| iptables -A port-scanning -j DROP | |
| fi | |
| if [[ $arg == 'stop' ]] ; then | |
| iptables -F | |
| iptables -X | |
| iptables -t nat -F | |
| iptables -t nat -X | |
| iptables -t mangle -F | |
| iptables -t mangle -X | |
| iptables -t raw -F | |
| iptables -t raw -X | |
| iptables -P INPUT ACCEPT | |
| iptables -P FORWARD ACCEPT | |
| iptables -P OUTPUT ACCEPT | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment