cPanel IPTABLES https://enlook.wordpress.com/2012/11/21/script-to-reset-default-iptable-rules-on-cpanel-server/
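#!/bin/sh
#
# Reset the iptables ruleset of a cPanel/WHM host to a default-deny policy
# on INPUT and OUTPUT (FORWARD is accepted) and re-add the service rules.
#
# Inputs:
#   /etc/ip.allow  - optional; addresses/CIDRs accepted on INPUT unconditionally
#   /etc/ip.deny   - optional; addresses/CIDRs logged and dropped on INPUT
#   $trustnet, $admin02, $admin03
#                  - optional environment variables naming trusted OUTPUT
#                    destinations (see the "trust" section)
#
# The policies are set to DROP *before* the rules are rebuilt, so every
# existing connection is cut for the duration of the script and a failure
# part-way through leaves the host mostly closed. Run it from a console or
# under a watchdog that restores access if the script does not complete.

# The FTP conntrack helper lets passive/active FTP data connections match
# RELATED. The original had the redirections reversed (`2>&1 >/dev/null`),
# which sent modprobe's errors to stdout instead of discarding both streams.
/sbin/modprobe nf_conntrack_ftp >/dev/null 2>&1

IPTABLES='/sbin/iptables'
readonly IPTABLES

#######################################
# Append one INPUT rule per address listed in a file.
# Blank lines and lines starting with '#' are skipped. Several
# whitespace-separated addresses per line are accepted (as the original
# `for ip in \`cat file\`` allowed); each one is passed to iptables as-is.
# Arguments: $1 - list file, $2 - target chain (ACCEPT, IPDENY, ...)
# Returns:   0; does nothing when the file is missing or empty
#######################################
add_from_list() {
  list=$1
  target=$2
  [ -s "$list" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
    esac
    # Intentional word-splitting: the file may hold more than one address per line.
    for ip in $line; do
      $IPTABLES -A INPUT -s "$ip" -j "$target"
    done
  done < "$list"
}

# policy: default-deny in and out, then flush all rules, user chains and counters
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

#
# INPUT Policy
#
# default
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow list is evaluated before the deny list, so an address present in
# both files is accepted.
add_from_list /etc/ip.allow ACCEPT

# ident: reject quickly so mail servers do not wait for a timeout
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# IPDENY: log (with TCP/IP options) and drop
$IPTABLES -N IPDENY
$IPTABLES -A IPDENY -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES IPDENY]: '
$IPTABLES -A IPDENY -j DROP
add_from_list /etc/ip.deny IPDENY

# syn-flood
# NOTE: CHK-SYNFLOOD is built here but no INPUT rule ever jumps to it, so the
# rate limit below has no effect. To enable it, add
#   $IPTABLES -A INPUT -p tcp --syn -j CHK-SYNFLOOD
# ahead of the service rules. TODO: confirm whether the limiter is wanted
# before wiring it in (10/s burst 10 applies to all new TCP connections).
$IPTABLES -N CHK-SYNFLOOD
$IPTABLES -N LOG-SYNFLOOD
$IPTABLES -A CHK-SYNFLOOD -p tcp --syn -m limit --limit 10/s --limit-burst 10 -j ACCEPT
$IPTABLES -A CHK-SYNFLOOD -p tcp --syn -j LOG-SYNFLOOD
$IPTABLES -A CHK-SYNFLOOD -p tcp ! --syn -j ACCEPT
$IPTABLES -A LOG-SYNFLOOD -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix "iptables SYNFLOOD DROP "
$IPTABLES -A LOG-SYNFLOOD -j DROP

# drop new connection except syn
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# related
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# whm/cpanel (2082/2086/2095 are the plaintext variants of 2083/2087/2096;
# restrict with -s where the admin networks are known)
$IPTABLES -A INPUT -p tcp --dport 2086 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2087 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2082 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2083 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2095 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2096 -j ACCEPT

# ssh: brute-force throttle via the "recent" match.
# More than 5 new connections from one source within 60 s moves the source
# to SSHBlackList; a blacklisted source is dropped for 600 s, and --update
# restarts that timer on every further attempt.
$IPTABLES -N SSH_OnBruteForceAttacked
$IPTABLES -A SSH_OnBruteForceAttacked -m recent --name SSHSyn --remove
$IPTABLES -A SSH_OnBruteForceAttacked -m recent --name SSHBlackList --set -j LOG --log-level warning --log-prefix "SSH BruteForceAttack: "
$IPTABLES -A SSH_OnBruteForceAttacked -j DROP
$IPTABLES -N SSH
$IPTABLES -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A SSH -p tcp --syn -m state --state NEW -m recent --name SSHBlackList --update --seconds 600 --rttl -j DROP
$IPTABLES -A SSH -p tcp --syn -m state --state NEW -m recent --name SSHSyn --update --seconds 60 --hitcount 5 --rttl -j SSH_OnBruteForceAttacked
$IPTABLES -A SSH -p tcp --syn -m state --state NEW -m recent --name SSHSyn --set
$IPTABLES -A SSH -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j SSH

# ftp: same idea, 10 new connections within 20 s blocks the source for 600 s
$IPTABLES -N FTP_OnBruteForceAttacked
$IPTABLES -A FTP_OnBruteForceAttacked -m recent --name ftp_block --set -j LOG --log-level warning --log-prefix "FTP BruteForceAttack: "
$IPTABLES -A FTP_OnBruteForceAttacked -j DROP
$IPTABLES -N FTP
$IPTABLES -A FTP -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FTP -p tcp --syn -m recent --name ftp_block --update --seconds 600 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FTP -p tcp --syn -m recent --name ftp_conn --rcheck --seconds 20 --hitcount 10 -j FTP_OnBruteForceAttacked
$IPTABLES -A FTP -p tcp --syn -m recent --name ftp_conn --set
$IPTABLES -A FTP -p tcp --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 21 -j FTP
# Passive FTP data range, opened to every source. With nf_conntrack_ftp
# loaded, data connections already match RELATED above, so this range can
# normally be narrowed to the FTP server's configured passive ports.
$IPTABLES -A INPUT -p tcp --dport 1200:5000 -m state --state NEW -j ACCEPT

# tftp
$IPTABLES -A INPUT -p udp --dport 69 -j ACCEPT
# dhcp
$IPTABLES -A INPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 4077 -j ACCEPT

# dns
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
# NOTE: this accepts any UDP packet whose *source* port is 53, regardless
# of state. Replies to our own queries are already covered by the
# ESTABLISHED,RELATED rule, so this rule only widens exposure; consider removing it.
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT

# smtp
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 587 -j ACCEPT
# pop/imap
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT
# munin
$IPTABLES -A INPUT -p tcp --dport 4949 -j ACCEPT
# http/https
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
# mysql: open to every source; add -s <client network> if remote clients are known
$IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT
# GRE
$IPTABLES -A INPUT -p 47 -j ACCEPT

# all: log whatever falls through; the chain policy (DROP) discards it
$IPTABLES -A INPUT -j LOG --log-prefix "[INPUT Block] : "

#
# Output Policy
#
# default
$IPTABLES -A OUTPUT -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# trust
# $trustnet, $admin02 and $admin03 are not defined in this script. The
# original expanded them unset, producing `-d -j ACCEPT`, which iptables
# rejects, so none of these rules were ever installed. Export them as
# addresses/CIDRs before running; an empty value now skips the rule.
for dst in "${trustnet:-}" "${admin02:-}" "${admin03:-}"; do
  if [ -n "$dst" ]; then
    $IPTABLES -A OUTPUT -d "$dst" -j ACCEPT
  fi
done

# related
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ident
$IPTABLES -A OUTPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# whm/cpanel
$IPTABLES -A OUTPUT -p tcp --dport 2086 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2087 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2082 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2083 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2095 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2096 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2089 -j ACCEPT

# http/https (the --sport rules are redundant with ESTABLISHED,RELATED above
# and let any local process send from ports 80/443 in a NEW state)
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 443 -j ACCEPT

# ssh
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT

# ftp: control out, active-mode data from port 20, passive data range
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m state --state NEW --sport 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 1200:5000 -j ACCEPT

# dns
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 53 -j ACCEPT

# smtp
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 465 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 587 -j ACCEPT
# pop/imap
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 995 -j ACCEPT
# ntp
$IPTABLES -A OUTPUT -p tcp --dport 123 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
# mysql
$IPTABLES -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# svn/git
$IPTABLES -A OUTPUT -p tcp --dport 3690 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT
# whois
$IPTABLES -A OUTPUT -p tcp --dport 43 -j ACCEPT
# backup/rsync
$IPTABLES -A OUTPUT -p tcp --dport 5801 -j ACCEPT
# traceroute
$IPTABLES -A OUTPUT -p udp --dport 33434:33523 -m state --state NEW -j ACCEPT
# GRE
$IPTABLES -A OUTPUT -p 47 -j ACCEPT

# logging, then an explicit DROP (the chain policy is already DROP, so the
# final rule only makes the intent visible in `iptables -L`)
$IPTABLES -A OUTPUT -j LOG --log-prefix "[OUTPUT Block] : "
$IPTABLES -A OUTPUT -j DROP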