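#!/usr/bin/env bash
#
# Idempotent host-firewall bootstrap for a mix node.
#
# What it does, in order:
#   1. creates the IPv4/IPv6 ipset blocklists (blacklist-mixnode / blacklist6-mixnode)
#      if they are missing;
#   2. inserts a DROP rule at the head of INPUT for any source in those sets;
#   3. appends a per-source cap on simultaneous TCP connections (connlimit);
#   4. appends a rate limit on NEW TCP connections followed by a catch-all DROP
#      for NEW TCP traffic that exceeds it.
#
# Every rule is probed with -C before it is added, so re-running the script
# never duplicates rules. Rules are not persisted; see the SAVE note in main().
# Requires the ipset, iptables and ip6tables binaries and the privilege to
# modify netfilter state (root or CAP_NET_ADMIN).
set -eu

# Maximum simultaneous TCP connections allowed from one source address.
readonly CONN_LIMIT=150
# Token bucket for NEW TCP connections. NOTE: "-m limit" is ONE global bucket
# for the rule, not a per-source limit. When it is exhausted the following
# DROP rule discards *every* new TCP connection, including administrative
# ones (e.g. SSH), until the bucket refills. Use "-m hashlimit" if a
# per-source limit is what is wanted.
readonly NEW_TCP_RATE='100/s'
readonly NEW_TCP_BURST=20

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Create an ipset of type hash:ip if it does not exist yet.
# Arguments:
#   $1   set name
#   $@   extra arguments for "ipset create" (e.g. "family inet6")
# Outputs: "<name> created" on stdout when the set is created
# Returns: 0, or exits via die() if creation fails
#######################################
ensure_set() {
  local name=$1
  shift
  # "ipset -L" fails when the set is absent; that is the "create it" signal.
  if ! ipset -L "$name" >/dev/null 2>&1; then
    printf '%s created\n' "$name"
    ipset create "$name" hash:ip "$@" || die "failed to create ipset ${name}"
  fi
}

#######################################
# Add a rule to the INPUT chain unless an identical one already exists.
# Arguments:
#   $1   tool: iptables or ip6tables
#   $2   description printed when the rule is added
#   $3   mode: "insert" (position 1, i.e. before everything else) or "append"
#   $@   the rule match/target arguments, exactly as given to -C/-I/-A
# Outputs: the description on stdout when the rule is added
# Returns: 0, or exits via die() on an unknown mode or a failed add
#######################################
ensure_rule() {
  local tool=$1 description=$2 mode=$3
  shift 3
  # -C exits non-zero when the rule is absent (its "Bad rule" chatter is
  # suppressed); a genuine error will surface again on the add below.
  if ! "$tool" -C INPUT "$@" >/dev/null 2>&1; then
    printf '%s\n' "$description"
    case "$mode" in
      insert) "$tool" -I INPUT 1 "$@" ;;
      append) "$tool" -A INPUT "$@" ;;
      *) die "ensure_rule: unknown mode '${mode}'" ;;
    esac || die "${tool}: failed to add rule: $*"
  fi
}

#######################################
# Entry point: check prerequisites, then apply every rule idempotently.
# Globals: CONN_LIMIT, NEW_TCP_RATE, NEW_TCP_BURST (read)
#######################################
main() {
  local tool
  # A missing prerequisite is an error: exit non-zero so callers notice.
  command -v ipset >/dev/null 2>&1 || die $'ipset could not be found\nInstall it'
  for tool in iptables ip6tables; do
    command -v "$tool" >/dev/null 2>&1 || die "${tool} could not be found"
  done

  ensure_set blacklist-mixnode
  ensure_set blacklist6-mixnode family inet6

  # Blocklist drops go first in INPUT so nothing below can accept a listed source.
  ensure_rule iptables 'Rule IP blocklist added' insert \
    -m set --match-set blacklist-mixnode src -j DROP
  ensure_rule ip6tables 'Rule IPv6 blocklist added' insert \
    -m set --match-set blacklist6-mixnode src -j DROP

  # SAVE IPTABLES (manual, as before):
  #   iptables-save > /etc/iptables/rules.v4 && ip6tables-save > /etc/iptables/rules.v6

  # Limit simultaneous connections per source IP.
  for tool in iptables ip6tables; do
    ensure_rule "$tool" \
      "Rule Limit connections to ${CONN_LIMIT} per source IP added" append \
      -p tcp -m connlimit --connlimit-above "$CONN_LIMIT" -j REJECT --reject-with tcp-reset
  done

  # Global rate limit on NEW TCP connections; the ACCEPT must precede the DROP,
  # and both are appended so they stay behind the blocklist rules above.
  for tool in iptables ip6tables; do
    ensure_rule "$tool" \
      "Rule Limit new TCP connections to ${NEW_TCP_RATE} (burst ${NEW_TCP_BURST}) added" append \
      -p tcp -m conntrack --ctstate NEW -m limit --limit "$NEW_TCP_RATE" \
      --limit-burst "$NEW_TCP_BURST" -j ACCEPT
    ensure_rule "$tool" \
      'Rule Drop new TCP connections above the limit added' append \
      -p tcp -m conntrack --ctstate NEW -j DROP
  done
}

main "$@"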