  1. Atem18 revised this gist Feb 9, 2013. 1 changed file with 1 addition and 1 deletion.
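--- a/iptables.sh
+++ b/iptables.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-IPT="/sbin/$IPT" #Iptable's path
+IPT="/sbin/iptables" #Iptable's path
 
 #Network interfaces :
 interface=eth0 # Internet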
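Review bot: The corrected assignment `IPT="/sbin/iptables"` is still never checked, so if the binary is absent or lives elsewhere every `$IPT` call later in the file fails with "not found" and, because the script runs under `#!/bin/sh` without `set -e`, it still ends with `exit 0` while the policies it was meant to install are not in place. A one-line guard directly after the assignment makes that failure loud: `[ -x "$IPT" ] || { echo "iptables not found at $IPT" >&2; exit 1; }`. The rest of the script, including `start` and `stop`, is outside this hunk.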
  2. Atem18 created this gist Feb 2, 2013.
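--- a/iptables.sh
+++ b/iptables.sh
@@ -0,0 +1,168 @@
+#!/bin/sh
+
+IPT="/sbin/$IPT" #Iptable's path
+
+#Network interfaces :
+interface=eth0 # Internet
+
+start() {
+### DELETE ALL ENTRIES ###
+$IPT -F
+$IPT -X
+### BLOCK ALL BY DEFAULT ###
+$IPT -P INPUT DROP
+$IPT -P OUTPUT DROP
+$IPT -P FORWARD DROP
+### Block needless IP
+## RIPE Website https://apps.db.ripe.net/search/full-text.html
+$IPT -I INPUT -s 85.116.217.200/29 -j DROP # HADOPI
+$IPT -I INPUT -s 193.107.240.0/22 -j DROP # trident media guard (tmg)
+$IPT -I INPUT -s 195.191.244.0/23 -j DROP # trident media guard (tmg)
+$IPT -I INPUT -s 193.105.197.0/24 -j DROP # trident media guard (tmg)
+
+$IPT -I OUTPUT -d 85.116.217.200/29 -j DROP # HADOPI
+$IPT -I OUTPUT -d 193.107.240.0/22 -j DROP # trident media guard (tmg)
+$IPT -I OUTPUT -d 195.191.244.0/23 -j DROP # trident media guard (tmg)
+$IPT -I OUTPUT -d 193.105.197.0/24 -j DROP # trident media guard (tmg)
+
+# Enable free use of loopback interfaces
+$IPT -A INPUT -i lo -j ACCEPT
+$IPT -A OUTPUT -o lo -j ACCEPT
+
+###############
+### INPUT ###
+###############
+
+# === anti scan ===
+$IPT -N SCANS
+$IPT -A SCANS -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
+$IPT -A SCANS -p tcp --tcp-flags ALL ALL -j DROP
+$IPT -A SCANS -p tcp --tcp-flags ALL NONE -j DROP
+$IPT -A SCANS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+####################
+echo "Anti-scan is ready"
+
+#No spoofing
+if [ -e /proc/sys/net/ipv4/conf/all/ip_filter ] ;
+then
+for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
+do
+echo > 1 $filtre
+done
+fi
+echo "[Anti-spoofing is ready]"
+
+#No synflood
+if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ;
+then
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+fi
+echo "[Anti-synflood is ready]"
+
+# === limited TCP, UDP, ICMP Flood ! ===
+
+# TCP Syn Flood
+$IPT -A INPUT -i $interface -p tcp --syn -m limit --limit 3/s -j ACCEPT
+# UDP Syn Flood
+$IPT -A INPUT -i $interface -p udp -m limit --limit 10/s -j ACCEPT
+# Ping Flood
+$IPT -A INPUT -i $interface -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
+$IPT -A INPUT -i $interface -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
+#
+echo "TCP, UDP, ICMP Flood is now limited!"
+
+####################
+# === Clean particulars paquets ===
+#Make sure NEW incoming tcp connections are SYN packets
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+# Packets with incoming fragments
+$IPT -A INPUT -f -j DROP
+# incoming malformed XMAS packets
+$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+# Incoming malformed NULL packets
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+#limit the number of connection
+$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name BLACKLIST --set
+$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name BLACKLIST --update --seconds 10 --hitcount 10 --rttl -j DROP
+echo "Cleaned particulars paquets"
+
+#Drop icmp on WAN from serveur
+$IPT -A INPUT -i $interface -p icmp -j DROP
+echo "Ping (ICMP) is now blocked on the interface WAN"
+#Drop broadcast
+$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
+
+# Accept inbound TCP packets
+$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPT -A INPUT -p tcp --dport 21 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
+$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j AC$
+$IPT -A INPUT -p tcp --dport 25 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
+$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
+$IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
+
+# Accept inbound UDP packets
+$IPT -A INPUT -p udp -m udp --dport 123 -s 0.0.0.0/0 -j ACCEPT
+$IPT -A INPUT -p udp -m udp --dport 67 -s 0.0.0.0/0 -j ACCEPT
+$IPT -A INPUT -p udp -m udp --dport 53 -s 0.0.0.0/0 -j ACCEPT
+
+# Allow inbound access to Samba shares
+$IPT -A INPUT -p udp -m udp --dport 137 -s 0.0.0.0/0 -j ACCEPT
+$IPT -A INPUT -p udp -m udp --dport 138 -s 0.0.0.0/0 -j ACCEPT
+$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -s 0.0.0.0/0 -j ACCEPT
+$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -s 0.0.0.0/0 -j ACCEPT
+
+# Accept inbound ICMP messages
+$IPT -A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
+$IPT -A INPUT -p ICMP --icmp-type 11 -s 0.0.0.0/0 -j ACCEPT
+
+####################
+### OUTPUT ###
+####################
+
+# == We do accept some protocols ==
+$IPT -A OUTPUT -o $interface -p UDP --dport 123 -j ACCEPT # Port 123 (Time ntp udp)
+$IPT -A OUTPUT -o $interface -p TCP --dport 123 -j ACCEPT # Port 123 (Time ntp tcp)
+$IPT -A OUTPUT -o $interface -p UDP --dport domain -j ACCEPT # Port 53 (DNS)
+$IPT -A OUTPUT -o $interface -p TCP --dport domain -j ACCEPT # Port 53 (DNS)
+$IPT -A OUTPUT -o $interface -p TCP --dport http -j ACCEPT # Port 80 (Http)
+$IPT -A OUTPUT -o $interface -p TCP --dport https -j ACCEPT # Port 443 (Https)
+$IPT -A OUTPUT -o $interface -p TCP --dport ssh -j ACCEPT # Port 22 (SSH)
+$IPT -t filter -A OUTPUT -o $interface -m state --state NEW -s $serveur -d $UPNP_Broadcast -p udp --sport 1024: --dport $SSDP_port -j ACCEPT # broadcast UPNP for ushare
+# Generic OUTPUT
+$IPT -A OUTPUT -o $interface --match state --state ESTABLISHED,RELATED -j ACCEPT
+
+echo "############ <START> ##############"
+$IPT -L -n # comment to deactivate printing of the current rules
+echo "############ </START> ##############"
+}
+stop() {
+### OPEN ALL !!! ###
+$IPT -F
+$IPT -X
+$IPT -P INPUT ACCEPT
+$IPT -P OUTPUT ACCEPT
+$IPT -P FORWARD ACCEPT
+echo "############ <STOP> ##############"
+$IPT -L -n # comment to deactivate printing of the current rules
+echo "############ </STOP> ##############"
+}
+
+case "$1" in
+start)
+start
+;;
+stop)
+stop
+;;
+restart)
+stop
+start
+;;
+*)
+N=/etc/init.d/${0##*/}
+echo "Usage: $N {start|stop|restart}" >&2
+exit 1
+;;
+esac
+
+exit 0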
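Review bot: The flood-limit rules `$IPT -A INPUT -i $interface -p tcp --syn -m limit --limit 3/s -j ACCEPT` and the UDP rule just below it ACCEPT every inbound SYN and every UDP datagram on the interface while the rate is under the limit, regardless of destination port, so the per-port allow list further down (21/22/25/80/110, 53/67/123, Samba) and the INPUT DROP default policy are effectively bypassed for ordinary-rate traffic; the limit match should only gate what falls through to the later rules, with the excess dropped, which takes a small user chain as sketched below. Two further lines do not do what their comments say: `echo > 1 $filtre` writes the path into a file named `1` instead of enabling rp_filter (it should be `echo 1 > "$filtre"`, and the surrounding guard tests `ip_filter`, a sysctl name that does not match the `rp_filter` files the loop walks), and the port-22 accept rule ends in `-j AC$`, which iptables rejects, so under `#!/bin/sh` without `set -e` the error is printed and skipped. The ushare OUTPUT rule also expands `$serveur`, `$UPNP_Broadcast` and `$SSDP_port`, none of which is assigned anywhere in this file, so that rule fails as well.
```shell
# TCP Syn Flood: rate-limit SYNs, drop the excess, let the rest reach the port rules
$IPT -N SYN_FLOOD
$IPT -A INPUT -i $interface -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 3/s -j RETURN
$IPT -A SYN_FLOOD -j DROP
# UDP Flood: same shape, same effect
$IPT -N UDP_FLOOD
$IPT -A INPUT -i $interface -p udp -j UDP_FLOOD
$IPT -A UDP_FLOOD -m limit --limit 10/s -j RETURN
$IPT -A UDP_FLOOD -j DROP
# … unchanged: ping limits, clean-up rules, per-port accepts …
```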