Created
December 17, 2016 21:36
-
-
Save titovanton/049051ce7a4665134d6d7a682a367947 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| IPT='/sbin/iptables' | |
| IPSET='/sbin/ipset' | |
| IP=$(ifconfig eth0 | grep "inet addr" | cut -d ':' -f 2 | cut -d ' ' -f 1) | |
| ipset_trust=$(cat /root/ipset_trust.txt) | |
| ipset_blacklist=$(cat /root/ipset_blacklist.txt) | |
| $IPT -F | |
| $IPT -t raw -F | |
| $IPSET -X | |
| # ipset init | |
| $IPSET -N trust iphash | |
| $IPSET -N blacklist iphash | |
| $IPSET -N autoban iphash timeout 172800 | |
| # trusted | |
| for ip in $ipset_trust; do | |
| $IPSET -A trust $ip | |
| done | |
| # default blacklist | |
| for ip in $ipset_blacklist; do | |
| $IPSET -A blacklist $ip | |
| done | |
| # ipset to iptables | |
| $IPT -v -A PREROUTING -t raw -d $IP -m set --match-set trust src -j ACCEPT | |
| $IPT -v -A PREROUTING -t raw -d $IP -m set --match-set blacklist src -j DROP | |
| $IPT -v -A PREROUTING -t raw -d $IP -m set --match-set autoban src -j DROP | |
| # Разрешаем связанные и установленые соединения | |
| $IPT -A INPUT -d $IP -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| # Разрешаем служебный icmp-трафик | |
| $IPT -A INPUT -d $IP -p icmp -j ACCEPT | |
| # Разрешаем доверенный трафик на интерфейс loopback | |
| $IPT -A INPUT -d $IP -i lo -j ACCEPT | |
| # ssh, smtp, smtps, http, https, runserver | |
| $IPT -A INPUT -d $IP -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,25,465,80,443,8000 -j ACCEPT | |
| # Запрещаем всё остальное для INPUT | |
| $IPT -A INPUT -d $IP -j REJECT --reject-with icmp-host-prohibited | |
| # drop all forwarding | |
| $IPT -A FORWARD -j DROP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment