Debian network optimization scripts. (Development)
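#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-consul-agent.sh.dev
# License: MIT
#
# Installs a Consul agent and points it at one server through retry_join.
# Input: CONSUL_SERVER_IP (optional) - address of the Consul server to join.
set -e
# Everything below goes through sudo, so bootstrap it when it is missing.
sudo -V > /dev/null || apt -y install sudo
sudo apt -y install consul
sudo systemctl enable consul
CONSUL_SERVER_IP=${CONSUL_SERVER_IP:-2606:2800:220:1:248:1893:25c8:1946}
# The address is interpolated into a JSON string below; refuse values that
# would break out of it (a quote or a backslash) instead of writing a file
# consul cannot parse.
case ${CONSUL_SERVER_IP} in
  *\"*|*\\*)
    echo "CONSUL_SERVER_IP contains characters that are not valid inside a JSON string" >&2
    exit 1
    ;;
esac
# Unquoted heredoc on purpose: ${CONSUL_SERVER_IP} is expanded into the file.
cat <<END | sudo tee /etc/consul.d/consul-client.json
{
"retry_join": ["${CONSUL_SERVER_IP}"]
}
END
# "user:group" is the portable chown spelling; "user.group" is a deprecated GNU form.
sudo chown -R consul:consul /var/lib/consul /etc/consul.d
sudo systemctl start consul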
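#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-dhcp-server.sh.dev
# License: MIT
#
# Turns the instance into the DHCP server and IPv4 router of the private
# network on its second interface. The subnet is derived from the instance's
# own private address and assumes a /24: the last octet becomes .0 for the
# network, .100-.200 for the pool, and the instance itself is the router.
# Input: DHCP_INTERFACE (optional, default ens7) - interface dhcpd serves on.
set -e
sudo -V > /dev/null || apt -y install sudo
DHCP_INTERFACE=${DHCP_INTERFACE:-ens7}
# Instance metadata service. With set -e a failed curl aborts the script; the
# explicit check also catches an empty (but successful) answer, which would
# otherwise end up as a broken subnet declaration in dhcpd.conf.
PRIVATE_INSTANCE_IPV4_ADDRESS=$(curl -fsSL http://169.254.169.254/v1/interfaces/1/ipv4/address)
PRIVATE_INSTANCE_IPV4_NETMASK=$(curl -fsSL http://169.254.169.254/v1/interfaces/1/ipv4/netmask)
if [[ -z ${PRIVATE_INSTANCE_IPV4_ADDRESS} || -z ${PRIVATE_INSTANCE_IPV4_NETMASK} ]]; then
  echo "could not read the private IPv4 address/netmask from the metadata service" >&2
  exit 1
fi
# Enable IP forwarding. The heredoc is unquoted on purpose: the backticks run
# sysctl while the file is written, so each comment line records the value
# that was in effect before the change.
cat <<END | sudo tee /etc/sysctl.d/66-enable-ip-forward.conf
# `/sbin/sysctl net.ipv4.ip_forward`
net.ipv4.ip_forward = 1
# `/sbin/sysctl net.ipv6.conf.all.forwarding`
net.ipv6.conf.all.forwarding = 1
END
# sysctl -p, sed -i and cp below touch root-owned files; the original ran
# them without sudo, which fails under set -e for an unprivileged caller.
sudo /sbin/sysctl -p /etc/sysctl.d/66-enable-ip-forward.conf
sudo apt -y install isc-dhcp-server
sudo sed -i "s/INTERFACESv4=\"\"/INTERFACESv4=\"${DHCP_INTERFACE}\"/" /etc/default/isc-dhcp-server
# The .bak copy doubles as the "already configured" marker, so a re-run does
# not append a second subnet declaration.
if [[ ! -e /etc/dhcp/dhcpd.conf.bak ]]; then
  sudo /bin/cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
  # Rewrite the last octet of the instance address (/24 assumption, see above).
  NETWORK_ADDRESS=$(echo "${PRIVATE_INSTANCE_IPV4_ADDRESS}" | sed -r 's/[0-9]+$/0/')
  RANGE_START=$(echo "${PRIVATE_INSTANCE_IPV4_ADDRESS}" | sed -r 's/[0-9]+$/100/')
  RANGE_END=$(echo "${PRIVATE_INSTANCE_IPV4_ADDRESS}" | sed -r 's/[0-9]+$/200/')
  # Option 121 (classless static route): prefix length 0 = default route, then
  # the router address as comma-separated octets, which is what the
  # ${VAR//./,} substitution produces.
cat <<END | sudo tee -a /etc/dhcp/dhcpd.conf
option classless-static-route code 121 = array of integer 8;
subnet ${NETWORK_ADDRESS} netmask ${PRIVATE_INSTANCE_IPV4_NETMASK} {
range ${RANGE_START} ${RANGE_END};
option routers ${PRIVATE_INSTANCE_IPV4_ADDRESS};
option classless-static-route 0, ${PRIVATE_INSTANCE_IPV4_ADDRESS//./,};
option domain-name-servers 8.8.8.8, 1.1.1.1;
}
END
fi
sudo systemctl enable isc-dhcp-server
sudo systemctl start isc-dhcp-server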
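#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-haproxy.sh.dev
# License: MIT
#
# Prepares a HAProxy real server behind a BGP/IPVS virtual IP prefix: the
# prefix is bound as a local route on a dummy interface, ARP for it is
# silenced (several hosts share it), and the uplink MTU is lowered.
# Inputs: BGP_IPV4 (optional) - the served prefix in CIDR notation.
#         WAN_INTERFACE (optional, default ens3) - uplink whose MTU is lowered.
BGP_IPV4=${BGP_IPV4:-192.0.2.0/24}
WAN_INTERFACE=${WAN_INTERFACE:-ens3}
set -e
sudo -V > /dev/null || apt -y install sudo
# Disable VIP ARP announces. The heredoc is unquoted on purpose: the backticks
# run sysctl while the file is written, so each comment line records the
# value that was in effect before the change.
cat <<END | sudo tee /etc/sysctl.d/55-disable-vip-arp.conf
# `/sbin/sysctl net.ipv4.conf.all.arp_announce`
net.ipv4.conf.all.arp_announce = 2
# `/sbin/sysctl net.ipv4.conf.all.arp_ignore`
net.ipv4.conf.all.arp_ignore = 1
END
sudo sysctl -p /etc/sysctl.d/55-disable-vip-arp.conf
# Improve packets tolerance from PPPoE client. The dhclient setting is only
# appended when absent so re-running the script does not grow the file.
DHCLIENT_MTU='default interface-mtu 1280;'
grep -qxF "${DHCLIENT_MTU}" /etc/dhcp/dhclient.conf 2> /dev/null || echo "${DHCLIENT_MTU}" | sudo tee -a /etc/dhcp/dhclient.conf
sudo ip link set "${WAN_INTERFACE}" mtu 1280
# Uncomment the "source" line so /etc/network/interfaces.d/ is read.
sudo sed -i 's/#source/source/' /etc/network/interfaces
# Setup BGP VIP. \$IFACE is escaped so ifupdown, not this script, expands it;
# ${BGP_IPV4} is expanded now.
cat <<END | sudo tee /etc/network/interfaces.d/dummy1
auto dummy1
iface dummy1 inet manual
pre-up ip link add \$IFACE type dummy
post-up ip route add local ${BGP_IPV4} dev lo
post-down ip route del local ${BGP_IPV4} dev lo
post-down ip link del \$IFACE
END
# ifup exits non-zero for an interface that is already configured; skip it
# then so the script stays re-runnable under set -e.
sudo ifquery --state dummy1 > /dev/null 2>&1 || sudo ifup dummy1
sudo apt -y install haproxy
sudo systemctl enable haproxy
sudo systemctl restart haproxy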
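#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-iptables.sh.dev
# License: MIT
#
# Installs the hardening sysctls, the ipset-backed block/allow lists and the
# persistent iptables rule sets. The IPv4 rule set is downloaded; the IPv6 one
# is derived from it by text substitution (see the sed calls below), so any
# change to the v4 file layout has to be checked against those patterns.
# Inputs: BGP_IPV4 / BGP_IPV6 (optional) - the served prefixes, substituted for
#         the 192.0.2.0/24 and fc00::/7 placeholders in the rule files.
BGP_IPV4=${BGP_IPV4:-192.0.2.0/24}
BGP_IPV6=${BGP_IPV6:-fc00::/7}
set -e
# Without pipefail a failing producer in a "... | sudo tee" pipeline is
# invisible to set -e; the downloads below are done through fetch_to for the
# same reason (a failed download must not leave an empty rules file behind).
set -o pipefail
sudo -V > /dev/null || apt -y install sudo
# The net.netfilter.* sysctls below only exist once the module is loaded.
sudo modprobe nf_conntrack
# Apply network security kernel parameters. Unquoted heredoc on purpose: the
# backticks run sysctl while the file is written, so each comment line records
# the value that was in effect before the change. Note that kernel.panic = 10
# makes the host reboot ten seconds after a kernel panic.
if [[ ! -e /etc/sysctl.d/22-standalone-network-security.conf ]]; then
cat <<END | sudo tee /etc/sysctl.d/22-standalone-network-security.conf
# `/sbin/sysctl net.ipv4.tcp_synack_retries`
net.ipv4.tcp_synack_retries = 0
# `/sbin/sysctl net.ipv4.tcp_syncookies`
net.ipv4.tcp_syncookies = 1
# `/sbin/sysctl net.ipv4.tcp_rfc1337`
net.ipv4.tcp_rfc1337 = 1
# `/sbin/sysctl net.netfilter.nf_conntrack_tcp_loose`
net.netfilter.nf_conntrack_tcp_loose = 0
# `/sbin/sysctl net.netfilter.nf_conntrack_tcp_timeout_established`
net.netfilter.nf_conntrack_tcp_timeout_established = 300
# `/sbin/sysctl kernel.panic`
kernel.panic = 10
END
fi
sudo sysctl -p /etc/sysctl.d/22-standalone-network-security.conf
# Pre-answer the debconf questions so the install is non-interactive.
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
sudo apt -y install iptables-persistent ipset
# The rule files reference these sets; -exist makes re-runs a no-op.
sudo ipset -exist create blacklist hash:net family inet timeout 0 comment
sudo ipset -exist create blacklist6 hash:net family inet6 timeout 0 comment
sudo ipset -exist create whitelist hash:net family inet timeout 0 comment
sudo ipset -exist create whitelist6 hash:net family inet6 timeout 0 comment
sudo ipset -exist save -f /etc/iptables/rules.ipset
# fetch_to URL DEST MODE: download URL and install it as DEST with MODE.
# The explicit https:// scheme plus --proto/--proto-redir keep curl from ever
# touching plain HTTP on the way (a bare "git.io/..." defaults to http://),
# which matters because these files are executed or loaded by root. The temp
# file keeps a failed or empty download from clobbering the existing file.
fetch_to() {
  local url=$1 dest=$2 mode=$3 tmp
  tmp=$(mktemp)
  if ! curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL "${url}" -o "${tmp}" || [[ ! -s ${tmp} ]]; then
    rm -f "${tmp}"
    echo "download of ${url} failed; ${dest} left untouched" >&2
    return 1
  fi
  sudo install -m "${mode}" "${tmp}" "${dest}"
  rm -f "${tmp}"
}
fetch_to https://git.io/10-ipset /usr/share/netfilter-persistent/plugins.d/10-ipset 0755
fetch_to https://git.io/iptables.dev /etc/iptables/rules.v4 0644
# Derive the IPv6 rule set from the still-unsubstituted IPv4 file, then put
# the real prefix into each. The last substitution turns the first "443" on
# every line into 9100 (node exporter); it relies on the rule file mentioning
# 443 only in the whitelisted --dports list.
sudo /bin/cp /etc/iptables/rules.v4 /etc/iptables/rules.v6
sudo sed -i "s|192.0.2.0/24|${BGP_IPV4}|" /etc/iptables/rules.v4
sudo sed -i 's/icmp/icmpv6/g' /etc/iptables/rules.v6
sudo sed -i 's/blacklist/blacklist6/g' /etc/iptables/rules.v6
sudo sed -i 's/whitelist/whitelist6/g' /etc/iptables/rules.v6
sudo sed -i "s|192.0.2.0/24|${BGP_IPV6}|g" /etc/iptables/rules.v6
sudo sed -i 's/443/9100/' /etc/iptables/rules.v6
sudo systemctl enable netfilter-persistent
sudo systemctl restart netfilter-persistent
# Leave a re-run helper behind. The heredoc is unquoted, so the prefix values
# in effect now are baked into it.
if [[ ! -e ${HOME}/update-iptables.sh ]]; then
cat <<END | tee "${HOME}/update-iptables.sh"
#!/bin/bash
export BGP_IPV4=${BGP_IPV4:-192.0.2.0/24}
export BGP_IPV6=${BGP_IPV6:-fc00::/7}
curl --proto '=https' --proto-redir '=https' -fsSL https://git.io/deploy-iptables.sh.dev | bash
END
  chmod +x "${HOME}/update-iptables.sh"
fi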
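#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-ipvsadm.sh.dev
# License: MIT
#
# Prepares an IPVS director: VIP ARP is silenced, forwarding is enabled,
# reverse-path filtering is relaxed so locally sourced VIP traffic is
# accepted, and IPVS is told to schedule mid-stream (non-SYN) packets.
# Input: WAN_INTERFACE (optional, default ens3) - uplink whose MTU is lowered.
WAN_INTERFACE=${WAN_INTERFACE:-ens3}
set -e
sudo -V > /dev/null || apt -y install sudo
# All sysctl heredocs are unquoted on purpose: the backticks run sysctl while
# the file is written, so each comment line records the value that was in
# effect before the change.
# Disable VIP ARP announces
cat <<END | sudo tee /etc/sysctl.d/55-disable-vip-arp.conf
# `/sbin/sysctl net.ipv4.conf.all.arp_announce`
net.ipv4.conf.all.arp_announce = 2
# `/sbin/sysctl net.ipv4.conf.all.arp_ignore`
net.ipv4.conf.all.arp_ignore = 1
END
sudo sysctl -p /etc/sysctl.d/55-disable-vip-arp.conf
# Enable IP forwarding
cat <<END | sudo tee /etc/sysctl.d/66-enable-ip-forward.conf
# `/sbin/sysctl net.ipv4.ip_forward`
net.ipv4.ip_forward = 1
# `/sbin/sysctl net.ipv6.conf.all.forwarding`
net.ipv6.conf.all.forwarding = 1
END
sudo sysctl -p /etc/sysctl.d/66-enable-ip-forward.conf
# Accept local sources. rp_filter=0 switches off the kernel's source-address
# validation on every interface; it is what lets VIP packets with a local
# source through, but it also removes an anti-spoofing check, so the firewall
# rules are the only source filtering left on this host.
cat <<END | sudo tee /etc/sysctl.d/77-accept-local.conf
# `/sbin/sysctl net.ipv4.conf.default.accept_local`
net.ipv4.conf.default.accept_local = 1
# `/sbin/sysctl net.ipv4.conf.all.accept_local`
net.ipv4.conf.all.accept_local = 1
# `/sbin/sysctl net.ipv4.conf.default.rp_filter`
net.ipv4.conf.default.rp_filter=0
# `/sbin/sysctl net.ipv4.conf.all.rp_filter`
net.ipv4.conf.all.rp_filter=0
END
sudo sysctl -p /etc/sysctl.d/77-accept-local.conf
# Improve packets tolerance from PPPoE client. The dhclient setting is only
# appended when absent so re-running the script does not grow the file.
DHCLIENT_MTU='default interface-mtu 1280;'
grep -qxF "${DHCLIENT_MTU}" /etc/dhcp/dhclient.conf 2> /dev/null || echo "${DHCLIENT_MTU}" | sudo tee -a /etc/dhcp/dhclient.conf
sudo ip link set "${WAN_INTERFACE}" mtu 1280
sudo apt -y install ipvsadm
# The net.ipv4.vs.* sysctls only exist once ip_vs is loaded.
sudo modprobe ip_vs
# Schedule non-SYN packets
cat <<END | sudo tee /etc/sysctl.d/88-accept-ipvs-packets.conf
# `/sbin/sysctl net.ipv4.vs.sloppy_tcp`
net.ipv4.vs.sloppy_tcp = 1
# `/sbin/sysctl net.ipv4.vs.conn_reuse_mode`
net.ipv4.vs.conn_reuse_mode = 2
END
sudo sysctl -p /etc/sysctl.d/88-accept-ipvs-packets.conf
# AUTO="true" lets the ipvsadm service load the saved rule table at boot.
sudo sed -i 's/AUTO="false"/AUTO="true"/' /etc/default/ipvsadm
sudo systemctl enable ipvsadm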
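#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-nginx-edge.sh.dev
# License: MIT
#
# Installs nginx on an edge node that serves one static notice page and a
# robots.txt that keeps crawlers away. Runs as root (no sudo in this script).
set -e
set -o pipefail
apt -y install nginx
sed -i 's/index.nginx-debian.html/index.nginx-edge.txt/' /etc/nginx/sites-available/default
# Move the stock Debian page aside. With an empty directory the unexpanded
# "*" would make mv fail under set -e, so expand the glob first.
shopt -s nullglob
STOCK_FILES=(/var/www/html/*)
if (( ${#STOCK_FILES[@]} )); then
  mv "${STOCK_FILES[@]}" /tmp/
fi
shopt -u nullglob
echo -e "User-agent: *\nDisallow: /" > /var/www/html/robots.txt
# Download into a temp file first: with "curl > file" a failed download would
# leave an empty index behind. The explicit https:// scheme plus
# --proto/--proto-redir keep the whole redirect chain off plain HTTP (a bare
# "git.io/..." defaults to http://).
INDEX_TMP=$(mktemp)
curl --proto '=https' --proto-redir '=https' -fsSL https://git.io/index.nginx-edge.txt.dev -o "${INDEX_TMP}"
install -m 0644 "${INDEX_TMP}" /var/www/html/index.nginx-edge.txt
rm -f "${INDEX_TMP}"
systemctl enable nginx
systemctl reload nginx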
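#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-prometheus-node-exporter.sh.dev
# License: MIT
#
# Installs node_exporter and, when the IPv6 rule set written by
# deploy-iptables.sh is present, swaps the public port 80 in its --dports
# allow-list for the exporter's 9100 and reloads the firewall.
set -e
sudo -V > /dev/null || apt -y install sudo
sudo apt -y install prometheus-node-exporter
sudo systemctl enable prometheus-node-exporter
if [[ -f /etc/iptables/rules.v6 ]]; then
  # Anchor the substitution on the --dports list. The original 's/80/9100/'
  # rewrote the first "80" on every line, which also matches inside unrelated
  # numbers (table sizes, timeouts, other ports) should the file change.
  sudo sed -i 's/\(--dports \)80\([,[:space:]]\)/\19100\2/' /etc/iptables/rules.v6
  sudo systemctl restart netfilter-persistent
fi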
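#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-vultr-bird-bgp.sh.dev
# License: MIT
#
# Configures BIRD (1.x layout: bird + bird6) to announce BGP_IPV4 / BGP_IPV6
# to the Vultr route servers. ASN and instance addresses come from the
# metadata service; only the IPv4 session gets the "optimize" filter.
# Inputs: BGP_IPV4, BGP_IPV6 (prefixes), BGP_PASSWORD (session password),
#         GATEWAY_IPV4 / GATEWAY_IPV6 (next hop, default: the instance itself).
BGP_ASN=$(curl -fsSL http://169.254.169.254/v1/bgp/ipv4/my-asn)
BGP_IPV4=${BGP_IPV4:-192.0.2.0/24}
BGP_IPV6=${BGP_IPV6:-fc00::/7}
# The built-in default is a placeholder published with this gist; a session
# keyed with it is trivially guessable, so say so loudly when it is used.
if [[ -z ${BGP_PASSWORD} ]]; then
  echo "WARNING: BGP_PASSWORD is not set; falling back to the placeholder default from the script" >&2
fi
BGP_PASSWORD=${BGP_PASSWORD:-vuL7rb6Pp455w0RD}
INSTANCE_IPV4=$(curl -fsSL http://169.254.169.254/v1/bgp/ipv4/my-address)
INSTANCE_IPV6=$(curl -fsSL http://169.254.169.254/v1/bgp/ipv6/my-address)
GATEWAY_IPV4=${GATEWAY_IPV4:-${INSTANCE_IPV4}}
GATEWAY_IPV6=${GATEWAY_IPV6:-${INSTANCE_IPV6}}
# Without these two values the configuration below is syntactically broken
# ("local as ;"); stop instead of writing it. The IPv6 address is left
# optional because bird6 is disabled at the end anyway.
if [[ -z ${BGP_ASN} || -z ${INSTANCE_IPV4} ]]; then
  echo "could not read the ASN / IPv4 address from the metadata service" >&2
  exit 1
fi
apt -y install bird
sed -i "s/198.51.100.1/${INSTANCE_IPV4}/" /etc/bird/bird.conf
# Append the session definitions only once; "tee -a" on every run would
# duplicate the protocol blocks. The heredocs are unquoted so the variables
# are expanded now. Note the password ends up in clear text in bird.conf.
if ! grep -q 'protocol bgp vultr' /etc/bird/bird.conf; then
cat <<END | tee -a /etc/bird/bird.conf
filter optimize {
# bgp_community.add((64600, XXXX)); # Do not announce to specific AS
# bgp_community.add((20473, 6000)); # Do not export out of AS20473
# bgp_community.add((20473, 64609)); # Set Metric to 0 to all AS's
# bgp_community.add((20473, 666)); # Export blackhole to all AS's
# bgp_path.prepend(20473);
accept;
}
protocol bgp vultr {
local as ${BGP_ASN};
source address ${INSTANCE_IPV4};
import none;
export all;
export filter optimize;
graceful restart on;
multihop 2;
neighbor 169.254.169.254 as 64515;
password "${BGP_PASSWORD}";
hold time 240;
keepalive time 15;
}
protocol static {
route ${BGP_IPV4} via ${GATEWAY_IPV4};
}
END
fi
if ! grep -q 'protocol bgp vultr' /etc/bird/bird6.conf 2> /dev/null; then
cat <<END | tee -a /etc/bird/bird6.conf
protocol bgp vultr {
local as ${BGP_ASN};
source address ${INSTANCE_IPV6};
import none;
export all;
graceful restart on;
multihop 2;
neighbor 2001:19f0:ffff::1 as 64515;
password "${BGP_PASSWORD}";
hold time 240;
keepalive time 15;
}
protocol static {
route ${BGP_IPV6} via ${GATEWAY_IPV6};
}
END
fi
systemctl enable bird
systemctl disable bird6
systemctl restart bird
systemctl stop bird6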
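#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-vultr-dhcp-private-network.sh.dev
# License: MIT
#
# Brings up the Vultr private-network interface (ens7) via DHCP while pinning
# the address the metadata service reports, and installs a watchdog script
# that bounces the interface whenever its default gateway stops answering ARP.
set -e
sudo -V > /dev/null || apt -y install sudo
# Uncomment the "source" line so /etc/network/interfaces.d/ is read.
sudo sed -i 's/#source/source/' /etc/network/interfaces
# sudo ifdown ens3
# sudo ifup ens3
PRIVATE_INSTANCE_IPV4_ADDRESS=$(curl -fsSL http://169.254.169.254/v1/interfaces/1/ipv4/address)
PRIVATE_INSTANCE_IPV4_NETMASK=$(curl -fsSL http://169.254.169.254/v1/interfaces/1/ipv4/netmask)
# An empty (but successful) answer would write a stanza without an address.
if [[ -z ${PRIVATE_INSTANCE_IPV4_ADDRESS} || -z ${PRIVATE_INSTANCE_IPV4_NETMASK} ]]; then
  echo "could not read the private IPv4 address/netmask from the metadata service" >&2
  exit 1
fi
# Setup Vultr Private Network. \$IFACE is escaped so ifupdown expands it; the
# address and netmask are expanded now, at write time.
cat <<END | sudo tee /etc/network/interfaces.d/ens7
auto ens7
iface ens7 inet dhcp
address ${PRIVATE_INSTANCE_IPV4_ADDRESS}
netmask ${PRIVATE_INSTANCE_IPV4_NETMASK}
mtu 1280
post-up ip addr replace ${PRIVATE_INSTANCE_IPV4_ADDRESS} dev \$IFACE
END
# ifup exits non-zero for an interface that is already configured; skip it
# then so a re-run survives set -e.
sudo ifquery --state ens7 > /dev/null 2>&1 || sudo ifup ens7
sudo apt -y install arping
# Gateway watchdog. Quoted heredoc: nothing is expanded, the script is written
# verbatim. Written through sudo like every other root-owned path in this
# script (the original redirected straight into /root); tee's echo is
# silenced to keep the original's quiet behaviour.
cat <<'END' | sudo tee /root/check-gateway.sh > /dev/null
#!/bin/bash
# Every second: ARP-ping the ens7 default gateway; bounce the interface when it
# does not answer. An empty GATEWAY (no default route yet) makes arping fail
# too, so the interface is bounced in that case as well.
while true; do
GATEWAY=$(ip route show default dev ens7 | cut -d' ' -f3)
if arping -q -c 1 -w 1 "${GATEWAY}"; then
sleep 1
continue
fi
/sbin/ifdown ens7
sleep 1
/sbin/ifup ens7
done
END
sudo chmod +x /root/check-gateway.sh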
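#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-vultr-private-network.sh.dev
# License: MIT
#
# Configures the Vultr private-network interface (ens7) statically with the
# address and netmask the metadata service reports for interface 1.
set -e
sudo -V > /dev/null || apt -y install sudo
# Uncomment the "source" line so /etc/network/interfaces.d/ is read.
sudo sed -i 's/#source/source/' /etc/network/interfaces
PRIVATE_INSTANCE_IPV4_ADDRESS=$(curl -fsSL http://169.254.169.254/v1/interfaces/1/ipv4/address)
PRIVATE_INSTANCE_IPV4_NETMASK=$(curl -fsSL http://169.254.169.254/v1/interfaces/1/ipv4/netmask)
# An empty (but successful) answer would write a stanza without an address.
if [[ -z ${PRIVATE_INSTANCE_IPV4_ADDRESS} || -z ${PRIVATE_INSTANCE_IPV4_NETMASK} ]]; then
  echo "could not read the private IPv4 address/netmask from the metadata service" >&2
  exit 1
fi
# Setup Vultr Private Network (unquoted heredoc: the values are expanded now).
cat <<END | sudo tee /etc/network/interfaces.d/ens7
auto ens7
iface ens7 inet static
address ${PRIVATE_INSTANCE_IPV4_ADDRESS}
netmask ${PRIVATE_INSTANCE_IPV4_NETMASK}
mtu 1280
END
# ifup exits non-zero for an interface that is already configured; skip it
# then so a re-run survives set -e.
sudo ifquery --state ens7 > /dev/null 2>&1 || sudo ifup ens7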
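#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/deploy-xdp.sh.dev
# License: MIT
#
# Installs the toolchain for the xdp-drop-ebpf.c filter, drops three helper
# scripts into /root (rebuild the object, re-attach it, sample floods with
# tcpdump) and hooks attach/detach into ifupdown. Runs as root.
set -e
apt -y install clang libc6-dev-i386
# Build helper. It works in /root explicitly: the original wrote the .c/.o
# relative to whatever directory it was launched from, while the ifupdown
# hooks below load /root/xdp-drop-ebpf.o. The source that ends up running in
# the kernel is fetched over https only (a bare "git.io/..." defaults to
# http://) and into a temp file, so a failed download keeps the previous copy.
cat <<'END' > /root/update-xdp.sh
#!/bin/bash
set -e
cd /root
export CPATH=/usr/include/x86_64-linux-gnu
TMP=$(mktemp)
curl --proto '=https' --proto-redir '=https' -fsSL https://git.io/xdp-drop-ebpf.c.dev -o "${TMP}"
mv "${TMP}" xdp-drop-ebpf.c
clang -Wall -Wextra -O2 -target bpf -c xdp-drop-ebpf.c -o xdp-drop-ebpf.o
END
chmod +x /root/update-xdp.sh
# Re-attach helper: detach whatever is loaded, then attach the new object.
# "xdp" lets the kernel choose native or generic mode; the "xdpgeneric" retry
# is the author's fallback for when that fails. Absolute object path so the
# script does not depend on the caller's working directory.
cat <<'END' > /root/reload-xdp.sh
#!/bin/bash
ip link set dev ens3 xdp off || ip link set dev ens3 xdpgeneric off
ip link set dev ens3 xdp obj /root/xdp-drop-ebpf.o || ip link set dev ens3 xdpgeneric obj /root/xdp-drop-ebpf.o
END
chmod +x /root/reload-xdp.sh
/root/update-xdp.sh
# Attach on ifup / detach on ifdown. Appended once only; the original added a
# second pair of hooks on every run.
if ! grep -q 'xdp-drop-ebpf.o' /etc/network/interfaces; then
cat <<'END' >> /etc/network/interfaces
post-up ip link set dev $IFACE xdp obj /root/xdp-drop-ebpf.o || ip link set dev $IFACE xdpgeneric obj /root/xdp-drop-ebpf.o
post-down ip link set dev $IFACE xdp off || ip link set dev $IFACE xdpgeneric off
END
fi
# Flood sampler: try to capture 20000 inbound packets within one second. Under
# normal load timeout(1) kills tcpdump first (non-zero exit) and the partial
# file is discarded after 10 s; only captures taken during a flood survive,
# followed by a minute's pause.
cat <<'END' > /root/start-tcpdump.sh
#!/bin/bash
mkdir -p ${HOME}/captures
while true; do
FILENAME=${HOME}/captures/$(date +%Y%m%d%H%M%S).pcap
timeout 1s tcpdump -i ens3 inbound -c 20000 -w "${FILENAME}"
if [ $? -ne 0 ]; then
rm -f "${FILENAME}"
sleep 10
else
sleep 60
fi
done
END
chmod +x /root/start-tcpdump.sh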
#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/enable-rc-local.sh.dev
# License: MIT
#
# Creates /etc/rc.local when it is missing - a stub that reloads the
# sysctl.d settings at the end of boot - and makes sure it is executable.
set -e
sudo -V > /dev/null || apt -y install sudo
RC_LOCAL=/etc/rc.local
# Only create the file when absent so an existing, customised rc.local is
# kept. The heredoc is quoted: nothing in it needs expansion.
if ! [ -e "${RC_LOCAL}" ]; then
  sudo tee "${RC_LOCAL}" <<'END'
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# Load kernel variables from /etc/sysctl.d
/etc/init.d/procps restart
exit 0
END
fi
# rc-local.service only runs the file when its executable bit is set.
sudo chmod +x "${RC_LOCAL}"
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PORT_SCAN - [0:0]
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/haproxy-iptables.dev
# License: MIT
#
# iptables-restore rule set for the HAProxy edge. The raw table runs before
# connection tracking, so floods dropped there never create conntrack
# entries; the mangle table below runs after it and can use connection
# state. ens3 is the uplink, 192.0.2.0/24 stands for the served VIP prefix
# (the deploy scripts substitute the real one) and whitelist/blacklist are the
# ipsets created by deploy-iptables.sh. Which script installs this particular
# file is not shown in the gist.
# Drop non-listening ports packets: SYNs to 22/443 only from whitelisted
# sources, SYNs to the service ports only towards the VIP prefix, every other
# SYN is dropped before the stack sees it.
-A PREROUTING -i ens3 -p tcp --syn -j PORT_SCAN
-A PORT_SCAN -p tcp -m multiport --dports 22,443 -m set --match-set whitelist src -j RETURN
-A PORT_SCAN -d 192.0.2.0/24 -p tcp -m multiport --dports 80,5222,25565,25577,30000 -j RETURN
-A PORT_SCAN -j DROP
# Drop too fast SYN packets: above 1/sec (burst 1) per source /24 and
# destination port, then per source /16, then per destination port for all
# sources together. Far stricter than the 100/sec the generic iptables.dev
# rule set uses; a legitimate client retrying within the same second is
# dropped as well.
-A PREROUTING -i ens3 -p tcp --syn -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name syn24 --hashlimit-htable-size 2097152 --hashlimit-srcmask 24 -j DROP
-A PREROUTING -i ens3 -p tcp --syn -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name syn16 --hashlimit-htable-size 8192 --hashlimit-srcmask 16 -j DROP
-A PREROUTING -i ens3 -p tcp --syn -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 1 --hashlimit-mode dstport --hashlimit-name syn00 --hashlimit-htable-size 65536 -j DROP
# Drop too fast ACK packets: PSH,ACK towards the VIP prefix on ports outside
# the ephemeral range, above 100/s per source/destination address+port tuple.
-A PREROUTING -i ens3 -d 192.0.2.0/24 -p tcp -m multiport ! --dports 32768:60999 --tcp-flags PSH,ACK PSH,ACK -m hashlimit --hashlimit-above 100/s --hashlimit-burst 100 --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-name ack -j DROP
# Drop too fast ICMP packets: above 100/sec per source/destination pair.
-A PREROUTING -i ens3 -p icmp -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstip --hashlimit-name icmp -j DROP
# Drop too fast UDP packets: above 100/sec per source address and destination port.
-A PREROUTING -i ens3 -p udp -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstport --hashlimit-name udp -j DROP
# Drop too many connections packets (rule left disabled by the author)
# -A PREROUTING -i ens3 -p tcp --syn -m connlimit --connlimit-above 60 --connlimit-mask 16 -j DROP
# Drop malicious packets: a TCP MSS of 500 or less is unusual for real clients
# and forces the server into many tiny segments.
-A PREROUTING -i ens3 -p tcp -m tcpmss --mss 1:500 -j DROP
# Drop blacklisted source packets (ipset "blacklist"; nothing in this file adds to it)
-A PREROUTING -i ens3 -m set --match-set blacklist src -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Drop invalid packets (conntrack has classified the packet by now)
-A PREROUTING -i ens3 -m conntrack --ctstate INVALID -j DROP
# Drop UDP packets that are new: only replies to this host's own UDP traffic get through
-A PREROUTING -i ens3 -p udp -m conntrack --ctstate NEW -j DROP
# Drop TCP packets that are new and are not SYN (a connection has to start with its handshake here)
-A PREROUTING -i ens3 -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Accept established packets
-A PREROUTING -i ens3 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept ICMP packets
-A PREROUTING -i ens3 -p icmp -j ACCEPT
# Accept UDP packets
-A PREROUTING -i ens3 -p udp -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# No filter rules: all policing is done in the raw and mangle tables above.
COMMIT
This is a private edge server of an Anti-DDoS-as-a-Service. If you see a packet flood that appears to come from our IPs, it is not really sent by us. Please refer to `IP spoofing` and `Reflection attack`.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PORT_SCAN - [0:0]
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/iptables.dev
# License: MIT
#
# Generic iptables-restore rule set installed as /etc/iptables/rules.v4 by
# deploy-iptables.sh, which also derives rules.v6 from it with sed (icmp ->
# icmpv6, set names -> *6, the prefix, and 443 -> 9100), so keep that in mind
# when editing. The raw table runs before connection tracking, so floods
# dropped there never create conntrack entries; mangle and filter run after
# it. ens3 is the uplink, 192.0.2.0/24 stands for the served prefix, and
# whitelist/blacklist are the ipsets created by deploy-iptables.sh.
# Drop non-listening ports packets: SYNs to 22/443 only from whitelisted
# sources, SYNs to the service ports only towards the served prefix, every
# other SYN is dropped before the stack sees it.
-A PREROUTING -i ens3 -p tcp --syn -j PORT_SCAN
-A PORT_SCAN -p tcp -m multiport --dports 22,443 -m set --match-set whitelist src -j RETURN
-A PORT_SCAN -d 192.0.2.0/24 -p tcp -m multiport --dports 80,5222,25565,25577,30000 -j RETURN
-A PORT_SCAN -j DROP
# Drop too fast SYN packets: above 100/sec (burst 100) per source /24 and
# destination port, then per source /16.
-A PREROUTING -i ens3 -p tcp --syn -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstport --hashlimit-name syn24 --hashlimit-htable-size 2097152 --hashlimit-srcmask 24 -j DROP
-A PREROUTING -i ens3 -p tcp --syn -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstport --hashlimit-name syn16 --hashlimit-htable-size 8192 --hashlimit-srcmask 16 -j DROP
# Drop too fast ACK packets towards the served prefix on ports outside the
# ephemeral range: PSH,ACK above 100/s per address+port 4-tuple, bare ACK
# above 1000/sec per source /16 and destination port.
-A PREROUTING -i ens3 -d 192.0.2.0/24 -p tcp ! --dport 32768:60999 --tcp-flags PSH,ACK PSH,ACK -m hashlimit --hashlimit-above 100/s --hashlimit-burst 100 --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-name ack32 -j DROP
-A PREROUTING -i ens3 -d 192.0.2.0/24 -p tcp ! --dport 32768:60999 --tcp-flags ALL ACK -m hashlimit --hashlimit-above 1000/sec --hashlimit-burst 1000 --hashlimit-mode srcip,dstport --hashlimit-name ack16 --hashlimit-htable-size 8192 --hashlimit-srcmask 16 -j DROP
# Drop too fast ICMP packets: above 100/sec per source/destination pair.
-A PREROUTING -i ens3 -p icmp -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstip --hashlimit-name icmp -j DROP
# Drop too fast UDP packets: above 100/sec per source address and destination port.
-A PREROUTING -i ens3 -p udp -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstport --hashlimit-name udp -j DROP
# Drop too many connections packets (rule left disabled by the author)
# -A PREROUTING -i ens3 -p tcp --syn -m connlimit --connlimit-above 60 --connlimit-mask 16 -j DROP
# Drop malicious packets: a TCP MSS of 500 or less is unusual for real clients
# and forces the server into many tiny segments.
-A PREROUTING -i ens3 -p tcp -m tcpmss --mss 1:500 -j DROP
# Drop blacklisted source packets. The first rule refreshes the 60 s blacklist
# entry of a source that is already listed (--exist) for as long as SYNs to
# that port run above 1/sec (burst 100), so offenders stay blocked while the
# flood lasts; the second rule drops them.
-A PREROUTING -i ens3 -p tcp --syn -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 100 --hashlimit-mode dstport --hashlimit-name syn00 --hashlimit-htable-size 65536 -m set --match-set blacklist src -j SET --add-set blacklist src --timeout 60 --exist
-A PREROUTING -i ens3 -m set --match-set blacklist src -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Drop invalid packets (conntrack has classified the packet by now)
-A PREROUTING -i ens3 -m conntrack --ctstate INVALID -j DROP
# Drop UDP new packets: only replies to this host's own UDP traffic get through
-A PREROUTING -i ens3 -m conntrack --ctstate NEW -p udp -j DROP
# Drop non-SYN new packets (a connection has to start with its handshake here)
-A PREROUTING -i ens3 -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:3WHS_ACK - [0:0]
:LOG_DROP - [0:0]
# Track 3WHS ACK packets: a SYN records its source in the "recent" list; the
# first bare ACK from a listed source (the one completing the handshake)
# removes the entry and is sent through 3WHS_ACK. The unnamed list is the
# xt_recent default (presumably capped at 100 addresses unless ip_list_tot is
# raised, so under a large SYN flood older sources fall out before their ACK
# arrives - confirm).
-A INPUT -i ens3 -p tcp --syn -m recent --set
-A INPUT -i ens3 -p tcp --tcp-flags ALL ACK -m recent --remove -j 3WHS_ACK
# Drop too fast 3WHS ACK packets: more than 1 completed handshake per second
# (burst 10) per source /24 and port, or burst 100 per port from all sources
# together, goes to LOG_DROP.
-A 3WHS_ACK -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 10 --hashlimit-mode srcip,dstport --hashlimit-name ack24 --hashlimit-htable-size 2097152 --hashlimit-srcmask 24 -j LOG_DROP
-A 3WHS_ACK -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 100 --hashlimit-mode dstport --hashlimit-name ack00 --hashlimit-htable-size 65536 -j LOG_DROP
# LOG_DROP: log at most once a minute per source, put the source into the
# blacklist ipset for 60 s (refreshing an existing entry), then reset the
# connection. Only TCP reaches this chain, so the REJECT covers everything.
-A LOG_DROP -m hashlimit --hashlimit-upto 1/min --hashlimit-name log32 --hashlimit-mode srcip -j LOG --log-prefix "DROP: "
-A LOG_DROP -j SET --add-set blacklist src --timeout 60 --exist
-A LOG_DROP -p tcp -j REJECT --reject-with tcp-reset
# Accept loopback interface packets
-A INPUT -i lo -j ACCEPT
# Accept established packets
-A INPUT -i ens3 -m conntrack --ctstate ESTABLISHED,RELATED -p tcp -j ACCEPT
# Accept SYN new packets
-A INPUT -i ens3 -m conntrack --ctstate NEW -p tcp --syn -j ACCEPT
# Accept ICMP packets
-A INPUT -i ens3 -p icmp -j ACCEPT
# Accept UDP packets
-A INPUT -i ens3 -p udp -j ACCEPT
# Log undefined packets: the chain policy is ACCEPT, so this only records what
# none of the rules above matched.
-A INPUT -j LOG --log-prefix "ACCEPT: "
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PORT_SCAN - [0:0]
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/router-iptables.dev
# License: MIT
#
# iptables-restore rule set for the IPVS director ("router"). Same shape as
# iptables.dev, but traffic to the served prefix (192.0.2.0/24 placeholder) is
# kept out of connection tracking and fwmarked for IPVS instead of being
# tracked and accepted locally. ens3 is the uplink; whitelist/blacklist are
# the ipsets created by deploy-iptables.sh.
# Exempt traffic to the served prefix from connection tracking (-j NOTRACK):
# those flows are presumably load-balanced by IPVS rather than terminated
# here, and conntrack would otherwise hold state for every forwarded
# connection. (The original comment said "Mark"; the mark itself is set in the
# mangle table below.)
-A PREROUTING -i ens3 -d 192.0.2.0/24 -j NOTRACK
# Drop non-listening ports packets: SYNs to 22/443 only from whitelisted
# sources, SYNs to the service ports only towards the served prefix, every
# other SYN is dropped before the stack sees it.
-A PREROUTING -i ens3 -p tcp --syn -j PORT_SCAN
-A PORT_SCAN -p tcp -m multiport --dports 22,443 -m set --match-set whitelist src -j RETURN
-A PORT_SCAN -d 192.0.2.0/24 -p tcp -m multiport --dports 80,5222,25565,25577,30000 -j RETURN
-A PORT_SCAN -j DROP
# Drop too fast SYN packets: above 100/sec (burst 100) per source /24 and
# destination port, then per source /16.
-A PREROUTING -i ens3 -p tcp --syn -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstport --hashlimit-name syn24 --hashlimit-htable-size 2097152 --hashlimit-srcmask 24 -j DROP
-A PREROUTING -i ens3 -p tcp --syn -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstport --hashlimit-name syn16 --hashlimit-htable-size 8192 --hashlimit-srcmask 16 -j DROP
# Drop too fast ACK packets towards the served prefix on ports outside the
# ephemeral range: PSH,ACK above 100/s per address+port 4-tuple, bare ACK
# above 1000/sec per source /16 and destination port.
-A PREROUTING -i ens3 -d 192.0.2.0/24 -p tcp ! --dport 32768:60999 --tcp-flags PSH,ACK PSH,ACK -m hashlimit --hashlimit-above 100/s --hashlimit-burst 100 --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-name ack32 -j DROP
-A PREROUTING -i ens3 -d 192.0.2.0/24 -p tcp ! --dport 32768:60999 --tcp-flags ALL ACK -m hashlimit --hashlimit-above 1000/sec --hashlimit-burst 1000 --hashlimit-mode srcip,dstport --hashlimit-name ack16 --hashlimit-htable-size 8192 --hashlimit-srcmask 16 -j DROP
# Drop too fast ICMP packets: above 100/sec per source/destination pair.
-A PREROUTING -i ens3 -p icmp -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstip --hashlimit-name icmp -j DROP
# Drop too fast UDP packets: above 100/sec per source address and destination port.
-A PREROUTING -i ens3 -p udp -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,dstport --hashlimit-name udp -j DROP
# Drop malicious packets: a TCP MSS of 500 or less is unusual for real clients
# and forces the server into many tiny segments.
-A PREROUTING -i ens3 -p tcp -m tcpmss --mss 1:500 -j DROP
# Drop blacklisted source packets (ipset "blacklist"; nothing in this file adds to it)
-A PREROUTING -i ens3 -m set --match-set blacklist src -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Drop UDP packets that are new. Traffic to the served prefix is UNTRACKED
# (NOTRACK above) and therefore never matches NEW here.
-A PREROUTING -i ens3 -p udp -m conntrack --ctstate NEW -j DROP
# Drop ipvs untracked packets: handshake SYNs towards the served prefix are
# dropped at the director. NOTE(review): with sloppy_tcp=1 (deploy-ipvsadm.sh)
# IPVS can pick a connection up from a non-SYN packet, which seems to be what
# this relies on; confirm handshakes are answered elsewhere before reusing.
-A PREROUTING -i ens3 -d 192.0.2.0/24 -p tcp --syn -j DROP
# Mark ipvs packets with fwmark 1 (presumably the IPVS virtual service is
# defined on this mark, ipvsadm -A -f 1, rather than on the address).
-A PREROUTING -i ens3 -d 192.0.2.0/24 -j MARK --set-mark 1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# No filter rules: all policing is done in the raw and mangle tables above.
COMMIT
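#!/bin/bash
# Author: Shi-Ken Don <shiken.don@gmail.com>
# Source: https://git.io/upgrade-kernel.sh.dev
# License: MIT
#
# Makes Debian unstable available as an additional package source, e.g. to
# pull a newer kernel with "apt -t unstable install <package>".
set -e
sudo -V > /dev/null || apt -y install sudo
cat <<'END' | sudo tee /etc/apt/sources.list.d/unstable.list
deb http://deb.debian.org/debian unstable main
deb-src http://deb.debian.org/debian unstable main
END
# Without a pin, every later "apt upgrade" would move the whole system to
# unstable. Priority 100 (the value Debian uses for backports) keeps it
# opt-in: packages come from unstable only when asked for with -t unstable
# or an explicit version, while already-installed ones still get updates.
cat <<'END' | sudo tee /etc/apt/preferences.d/unstable
Package: *
Pin: release a=unstable
Pin-Priority: 100
END
sudo apt -y update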
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/udp.h>
#include <stdint.h>
/* IP flags. Bits of iphdr.frag_off; the field is big-endian on the wire, so
 * xdp_drop compares it through htons() below. */
#define IP_CE 0x8000 /* Flag: "Congestion" */
#define IP_DF 0x4000 /* Flag: "Don't Fragment" */
#define IP_MF 0x2000 /* Flag: "More Fragments" */
#define IP_OFFSET 0x1FFF /* "Fragment Offset" part */
/* Place a symbol in the named ELF section and keep it even if unreferenced;
 * the loader behind "ip link set ... xdp obj" presumably looks the program
 * and the license up by section name ("prog", "license"). */
#define SEC(NAME) __attribute__((section(NAME), used))
/* Unconditional byte swaps with no endianness check: only correct when the
 * object is built for a little-endian host (which "clang -target bpf"
 * presumably follows). Because a swap is its own inverse, xdp_drop also uses
 * htons() where ntohs() would be expected. */
#define htons(x) ((__be16)___constant_swab16((x)))
#define htonl(x) ((__be32)___constant_swab32((x)))
/* 802.1Q / 802.1ad tag that may follow the Ethernet header; xdp_drop peels up
 * to two of them. */
struct vlan_hdr {
__be16 h_vlan_TCI;
__be16 h_vlan_encapsulated_proto;
};
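/*
 * udp_flow_allowed: the UDP policy shared by the IPv4 and IPv6 paths of
 * xdp_drop.
 *
 * A UDP packet is let through only towards the DHCP client port the caller
 * names (68 for IPv4, 546 for IPv6), port 8301 (presumably Consul's serf
 * port - deploy-consul-agent.sh installs the agent) or the Linux default
 * ephemeral range 32768-60999, i.e. replies to this host's own queries.
 * Anything sourced from port 123 (NTP) or 389 (LDAP/CLDAP) is refused
 * regardless of destination: both are classic amplification sources.
 *
 * @param dport            destination port, host byte order
 * @param sport            source port, host byte order
 * @param dhcp_client_port DHCP/DHCPv6 client port for the address family
 * @return non-zero when the packet may pass, 0 when it must be dropped
 */
static inline __attribute__((always_inline))
int udp_flow_allowed(uint16_t dport, uint16_t sport, uint16_t dhcp_client_port) {
    if (sport == 123 || sport == 389) {
        return 0;
    }
    if (dport == dhcp_client_port || dport == 8301) {
        return 1;
    }
    return dport >= 32768 && dport <= 60999;
}

/*
 * xdp_drop: ingress filter attached with "ip link set ... xdp obj".
 *
 * Drops obviously unwanted traffic before the kernel stack sees it and
 * passes everything else:
 *  - IPv4 whose last address octet is 0 or 255 (assumes a /24);
 *  - IPv4 fragments (MF set or a non-zero offset);
 *  - UDP that udp_flow_allowed() refuses, for both address families.
 * Frames the parser cannot see completely (truncated headers) are passed so
 * the kernel stack makes the final decision. Only the first UDP header
 * directly after the IP header is inspected; IPv6 extension headers are not
 * walked.
 *
 * @param ctx XDP metadata; ctx->data..ctx->data_end bounds the frame.
 * @return XDP_DROP or XDP_PASS.
 */
SEC("prog")
int xdp_drop(struct xdp_md *ctx) {
    void *data_end = (void *)(long)ctx->data_end;
    void *data = (void *)(long)ctx->data;
    struct ethhdr *eth = data;
    uint64_t nh_off = sizeof(*eth);

    /* Every dereference into the frame is preceded by a compare against
     * data_end; the BPF verifier rejects the program otherwise. */
    if (data + nh_off > data_end) {
        return XDP_PASS;
    }
    uint16_t h_proto = eth->h_proto;

    /* Peel up to two VLAN tags (802.1ad "QinQ", see
     * https://en.wikipedia.org/wiki/IEEE_802.1ad). */
    for (int i = 0; i < 2; i++) {
        if (h_proto != htons(ETH_P_8021Q) && h_proto != htons(ETH_P_8021AD)) {
            break;
        }
        struct vlan_hdr *vhdr = data + nh_off;
        nh_off += sizeof(*vhdr);
        if (data + nh_off > data_end) {
            return XDP_PASS;
        }
        h_proto = vhdr->h_vlan_encapsulated_proto;
    }

    if (h_proto == htons(ETH_P_IP)) {
        struct iphdr *iph = data + nh_off;
        /* Bounds-check the fixed IP header before reading any field of it
         * (daddr must not be read ahead of this check). */
        if ((void *)(iph + 1) > data_end) {
            return XDP_PASS;
        }
        /* IHL counts 32-bit words; honouring it places the UDP header
         * correctly when IP options are present instead of assuming the
         * minimal 20-byte header. A value below 5 is malformed and the
         * kernel's own IP input discards it, so just pass it on. */
        uint32_t iphdr_len = iph->ihl * 4;
        if (iphdr_len < sizeof(*iph)) {
            return XDP_PASS;
        }
        /* daddr is in network byte order, so on a little-endian host the top
         * byte is the last octet - the host part of a /24, where .0 and .255
         * are never unicast hosts. */
        uint32_t hostid = iph->daddr >> 24;
        if (hostid == 0 || hostid == 255) {
            return XDP_DROP;
        }
        /* Fragments carry no usable port information; drop them outright. */
        if (iph->frag_off & htons(IP_MF | IP_OFFSET)) {
            return XDP_DROP;
        }
        if (iph->protocol == IPPROTO_UDP) {
            struct udphdr *udph = data + nh_off + iphdr_len;
            if ((void *)(udph + 1) > data_end) {
                return XDP_PASS;
            }
            /* htons() is a plain byte swap here, so it doubles as ntohs(). */
            if (!udp_flow_allowed(htons(udph->dest), htons(udph->source), 68)) {
                return XDP_DROP;
            }
        }
    } else if (h_proto == htons(ETH_P_IPV6)) {
        struct ipv6hdr *ip6h = data + nh_off;
        if ((void *)(ip6h + 1) > data_end) {
            return XDP_PASS;
        }
        /* Only UDP directly after the fixed header is inspected; packets with
         * extension headers are passed untouched. */
        if (ip6h->nexthdr == IPPROTO_UDP) {
            struct udphdr *udph = (void *)(ip6h + 1);
            if ((void *)(udph + 1) > data_end) {
                return XDP_PASS;
            }
            if (!udp_flow_allowed(htons(udph->dest), htons(udph->source), 546)) {
                return XDP_DROP;
            }
        }
    }
    return XDP_PASS;
}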
/* License string the kernel reads at load time; some BPF helpers are only
 * available to GPL-compatible programs. */
char _license[] SEC("license") = "GPL";