Last active
March 23, 2018 05:20
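#!/bin/bash
# Firewall rules and service start-up for this host (IPv4 only). Must run as
# root; normally executed once at boot.
#
# NOTE(review): only iptables (IPv4) is programmed here; ip6tables is never
# touched, so any listener that also binds IPv6 is unfiltered on that
# family. Mirror these rules with ip6tables or disable IPv6 on the host.
#
# "set -e" is not used: one rejected rule would abort the script and leave
# INPUT at policy DROP with no allow rules (locking the host out). The
# trade-off is that a rejected rule silently leaves its port unprotected,
# so check this script's stderr for iptables errors after it runs.

# DEFAULT
# Policies first, then flush the chains this script owns, then re-add rules.
# Re-running used to append a second copy of every rule (nothing was ever
# flushed). Setting DROP before flushing means the short window between
# flush and re-add fails closed, not open. Rules that other tools placed in
# these built-in chains are flushed as well and must be re-applied after.
iptables -P INPUT DROP
# FIX: was ACCEPT. With ip_forward on, that let the host forward any traffic
# not sourced from the VPN subnet, unfiltered. The only forwarding this
# script sets up is for 192.168.251.0/24, and those rules are explicit
# ACCEPTs, so DROP is the correct default; add rules for anything else the
# host is meant to route.
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Companion of the FORWARD DROP policy: replies of forwarded connections pass.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): 30001 is not documented anywhere in this script; presumably
# the SSH/admin port -- confirm, and consider restricting it by source address.
iptables -A INPUT -p tcp --dport 30001 -j ACCEPT
# HTTP server
iptables -A INPUT -p tcp --dport 80 -j ACCEPT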
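# Public SS-Server shared to friends on 2302
# Cap concurrent TCP connections per client address (/32) before admitting.
iptables -A INPUT -p tcp --syn --dport 2302 -m connlimit --connlimit-above 32 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 2302 -j ACCEPT
# UDP relay, rate-limited; packets over the limit fall through to policy DROP.
iptables -A INPUT -p udp --dport 2302 -m limit --limit 16/s --limit-burst 32 -j ACCEPT
# Replies from the service port. OUTPUT policy is ACCEPT, so these only matter
# because of the tcp-reset catch-all for this user at the end of the section.
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --sport 2302 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p udp --sport 2302 -j ACCEPT
# COWARD server on 8808
# FIX: --connlimit-mask was 64, which iptables rejects for IPv4 (valid range
# 0-32); the rule never loaded and 8808 had no connection cap at all.
# /32 = one counter per client IP.
iptables -A INPUT -p tcp --syn --dport 8808 -m connlimit --connlimit-above 64 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 8808 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --sport 8808 -j ACCEPT
# Egress allow-list for the shadowsocks user (what the relays may connect to).
# Plain HTTP is diverted to the local proxy on 9128 in the nat table, which
# runs before the filter OUTPUT chain, so the "--dport 80" accept below only
# applies if that redirect is absent.
iptables -t nat -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 9128
# 995 POP3S, 465 SMTPS, 119 NNTP, 443 HTTPS; 2302/30001/9128 are this host's
# own ports. 221 and 9999 are not documented anywhere in this script -- confirm.
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 119 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 2302 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 9999 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p udp --dport 2302 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 30001 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 221 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 9128 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 443 -j ACCEPT
# DNS: UDP rate-limited (excess falls through to the OUTPUT ACCEPT policy,
# so this caps nothing by itself), TCP fallback unlimited.
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p udp --dport 53 -m limit --limit 6/s --limit-burst 12 -j ACCEPT
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Any other TCP from this user is reset.
# NOTE(review): only TCP is fenced in. UDP from this user falls through to the
# OUTPUT ACCEPT policy, so the ss-server UDP relay (-u) may reach any host and
# port. Add "-p udp -j DROP" after the UDP allows above if that is not intended.
iptables -t filter -m owner --uid-owner shadowsocks -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset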
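# ss-server options used below:
#   -s <server_host> host name or ip address of your remote server
#   -p <server_port> port number of your remote server
#   -l <local_port>  port number of your local server
#   -k <password>    password of your remote server
#
# NOTE(review): the password ("public") and cipher are passed on the command
# line, so every local user can read them from `ps`; ss-server can take them
# from a config file (-c) instead. aes-128-cfb is an unauthenticated stream
# cipher; the shadowsocks project recommends AEAD ciphers (e.g.
# chacha20-ietf-poly1305). Changing it means updating every client, so it is
# left as is here.
# NOTE(review): the crash logs are fixed names in /tmp that another local
# user can pre-create (or symlink) unless fs.protected_symlinks is enabled;
# a directory owned by the shadowsocks user would be safer.
# FIX: redirection written as ">file 2>&1" rather than "&>file". The command
# runs under the shadowsocks user's login shell via su, and "&>" is a bash
# extension that a POSIX /bin/sh parses as "&" followed by ">" -- the command
# would be backgrounded with its output still on the terminal. Identical
# behaviour under bash.
su - shadowsocks -c "ss-server -s 0.0.0.0 -p 2302 -l 1080 -k public -m aes-128-cfb -u >/tmp/ss-crash.log 2>&1 &"
su - shadowsocks -c "/opt/coward/coward -p /opt/coward/proxy.conf -d -log /tmp/coward.log -s proxy >/tmp/coward-crash.log 2>&1 &"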
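# OCserv
# Cap concurrent TLS connections per client address (/32), then admit TCP.
# DTLS over UDP is rate-limited; excess falls through to the INPUT DROP policy.
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 32 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -m limit --limit 16/s --limit-burst 32 -j ACCEPT
# VPN client subnet 192.168.251.0/24. No client-to-client traffic.
iptables -t filter -A FORWARD -s 192.168.251.0/24 -d 192.168.251.0/24 -j DROP
# FIX: replaces the former "-d 192.168.251.0/24 -j ACCEPT". A stateful match
# admits replies towards the clients exactly as before, and additionally
# admits the clients' own continuation packets. Previously the 465 rule
# matched SYNs only, so a client's handshake ACK (and every later segment)
# fell through to the tcp-reset REJECT at the end of this section and SMTPS
# never got past the handshake. The old rule also admitted unsolicited
# packets towards client addresses (still passed by policy while FORWARD is
# ACCEPT, blocked once it is DROP).
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# FIX: the per-source connection cap now precedes the port allow-list. It used
# to sit after the ACCEPTs, where the only SYNs reaching it were ones the
# following REJECT refused anyway, so it limited nothing. SYNs are ctstate
# NEW, so the rule above does not bypass it.
iptables -t filter -A FORWARD -s 192.168.251.0/24 -p tcp --syn -m connlimit --connlimit-above 32 --connlimit-mask 32 -j DROP
# Transparent HTTP proxy: client port-80 traffic is redirected to local 9128
# (PREROUTING runs before FORWARD, so it never reaches the allow-list below).
iptables -t nat -A PREROUTING -s 192.168.251.0/24 -p tcp --dport 80 -j REDIRECT --to-port 9128
iptables -t filter -A INPUT -s 192.168.251.0/24 -p tcp --dport 9128 -j ACCEPT
# Outbound allow-list for VPN clients: DNS, FTP control (data connections
# only work if the FTP conntrack helper is loaded, as RELATED), HTTPS, IMAPS,
# POP3S, and rate-limited SMTPS (new connections only: 1/s, burst 2; SYNs
# over the limit are reset by the catch-all below).
iptables -t filter -A FORWARD -s 192.168.251.0/24 -p udp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.251.0/24 -p tcp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.251.0/24 -p tcp --dport 21 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.251.0/24 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.251.0/24 -p tcp --dport 993 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.251.0/24 -p tcp --dport 995 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.251.0/24 -p tcp --syn -m limit --limit 1/s --limit-burst 2 --dport 465 -j ACCEPT
# Anything else from the clients: TCP gets a reset, the rest is dropped.
iptables -t filter -A FORWARD -s 192.168.251.0/24 -p tcp -j REJECT --reject-with tcp-reset
iptables -t filter -A FORWARD -s 192.168.251.0/24 -j DROP
# Source-NAT client traffic to this host's egress address.
iptables -t nat -A POSTROUTING -s 192.168.251.0/24 -j MASQUERADE
/opt/ocserv/sbin/ocserv -c /opt/ocserv/etc/config
# NOTE(review): trap runs as root and writes its log, pprof output and crash
# log to fixed names in /tmp, which any local user can pre-create (symlink
# attack unless fs.protected_symlinks is enabled); point these at a
# root-owned directory. "su - root" only differs from running the command
# directly by giving it a login environment.
su - root -c "/opt/trap/trap -config /opt/trap/trap-config.json -log /tmp/trap.log -profiling-cpu /tmp/trap-cpu.pprof -profiling-mem /tmp/trap-mem.pprof 2>/tmp/trap-crash.log &"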