@hroland
Forked from samuraee/iptable-block-torrent
Last active December 26, 2023 10:59
#!/bin/sh
# block torrent traffic by iptable/firewall for VPN/Proxy server
# [email protected]
# NOTE: every ACCEPT rule below is bound to interface eth0, while the DROP
# policies in step 2 apply to every interface. On a host whose uplink has a
# different name (ens3, enp0s3, ...) nothing is accepted and the host is cut
# off, SSH included. Adjust the interface name before running this.
# 1. Delete all existing rules (filter and nat tables) and user-defined chains,
#    so the script can be re-run without stacking duplicate MASQUERADE rules
#    or failing at "iptables -N LOGGING" because the chain already exists
iptables -F
iptables -X
iptables -t nat -F
# 2. Set default chain policies: anything not explicitly accepted below is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Block a specific ip-address
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
# 4. Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 5. Allow incoming SSH only from a specific network
#iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 6. Allow incoming HTTP
#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming HTTPS
#iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS, plus the 800-820 range)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 800:820 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 800:820 -m state --state ESTABLISHED -j ACCEPT
# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 9. Allow outgoing SSH only to a specific network
#iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 10. Allow outgoing HTTPS and HTTP
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# 11. Load balance incoming HTTPS traffic (needs the nat table and the nth match extension)
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# 15. Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
# NOTE: while this stays commented out the FORWARD policy (DROP) applies and
# nothing from VPN/proxy clients is forwarded at all, torrent or otherwise
#iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# 16. Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# 23. Prevent DoS attack
# NOTE: as ordered here this rule is never reached: rule 7 already accepts NEW
# connections to port 80. It only rate-limits if it is placed before rule 7
# and no other rule accepts port 80.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Masquerade forwarded traffic only for SSH, HTTP, HTTPS (tcp and udp) and DNS;
# any other destination port a client tries to reach gets no NAT and so cannot
# get replies. Each -I puts its rule at position 1, so the last line ends up first.
iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 22 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 80 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 443 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 -o eth0 -p udp --dport 443 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 -o eth0 -p udp --dport 53 -j MASQUERADE
# 25. Log dropped packets (INPUT only; rate-limited to 2 log lines per minute)
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
@hroland

hroland commented Mar 8, 2022

bash <(curl -sL https://gist.github.com/hroland/3bc3a01c1ad3e9cc1a0f43eae1caa285/raw/35c7813af06878b0551ca94fd50c81c646fe1553/torrentban.sh)

@Alsid66

Alsid66 commented May 22, 2023

Hi
I used your code.
The server does not come up. SERVER DOWN
What is wrong???

@fakeesp

fakeesp commented Nov 7, 2023

Hi I used your code. The server does not come up. SERVER DOWN What is wrong???

me too lol

@hroland

hroland commented Nov 8, 2023

@Alsid66 @fakeesp what do u mean? the script is intended to block torrents on the firewall

@fakeesp

fakeesp commented Nov 9, 2023

@Alsid66 @fakeesp what do u mean? the script is intended to block torrents on the firewall

but the script banned all ports on my server ahah

@hroland

hroland commented Nov 10, 2023

@Alsid66 @fakeesp what do u mean? the script is intended to block torrents on the firewall

but the script banned all ports on my server ahah

well, that's kinda the point torrents-wise lol. I'm not sure how other ports got banned too :/
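
The thread ends with hosts unreachable after running the gist; the script itself makes one cause likely, since every ACCEPT rule is bound to eth0 while the DROP policies apply to every interface, so a host whose uplink is named ens3 or enp0s3 keeps nothing. Below is an added example, not part of the gist or its author's code, that checks the interface names in the script against the real uplink and applies the rules with an automatic revert; it assumes the gist is saved as ./torrentban.sh, and the function names are mine.

```sh
#!/bin/sh
# Anti-lockout helpers for applying torrentban.sh (added example; assumes the
# gist is saved as ./torrentban.sh and that it hard-codes eth0).

# Print the interface carrying the default route. Takes an optional route line
# (as printed by `ip -o route show default`) so it can be exercised offline.
uplink_iface() {
    route_line="${1:-$(ip -o route show default 2>/dev/null)}"
    printf '%s\n' "$route_line" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Return 1 if the ruleset binds -i/-o to any interface other than the real
# uplink or lo. That mismatch leaves only the DROP policies in force.
check_iface_mismatch() {
    script="$1"; actual="$2"
    unknown=$(grep -oE -e '-[io] [A-Za-z0-9_.:-]+' "$script" |
        awk '{ print $2 }' | sort -u | grep -vx -e "$actual" -e lo || true)
    if [ -n "$unknown" ]; then
        printf 'uplink is %s but ruleset binds to: %s\n' "$actual" \
            "$(printf '%s\n' "$unknown" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Apply the ruleset with a dead man's switch: the previous ruleset is restored
# automatically after $2 seconds unless the watchdog is killed from a session
# that is still alive. Must run as root.
apply_with_revert() {
    script="$1"; seconds="${2:-90}"
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$seconds"; iptables-restore < "$backup"; rm -f "$backup" ) &
    watchdog=$!
    sh "$script"
    printf 'Rules applied. Still connected? Within %ss run:  kill %s; rm -f %s\n' \
        "$seconds" "$watchdog" "$backup"
}

# Usage (as root):
#   check_iface_mismatch ./torrentban.sh "$(uplink_iface)" && apply_with_revert ./torrentban.sh 90
```

If the check fails, edit the interface name in torrentban.sh (or substitute it with sed) before applying; the watchdog window only helps if you keep the existing SSH session open to kill it.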
