hroland · December 26, 2023 10:59 · Mar 8, 2022 · Mar 8, 2022 · Mar 8, 2022 · Mar 8, 2022
diff --git a/torrentban.sh b/torrentban.sh
@@ -105,4 +105,11 @@ iptables -A FORWARD -d 100.1.0.0/16 -j ACCEPT
 
 iptables -A FORWARD -s 10.99.0.0/16 -d 10.99.0.0/16 -j REJECT --reject-with icmp-port-unreachable
 iptables -A FORWARD -s 10.99.0.0/16 -j ACCEPT
-iptables -A FORWARD -d 10.99.0.0/16 -j ACCEPT
+iptables -A FORWARD -d 10.99.0.0/16 -j ACCEPT
+
+# wireguard ports?
+iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 51214 -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 51294 -j ACCEPT
+iptables -A FORWARD -i wg0 -j ACCEPT
+iptables -A FORWARD -o wg0 -j ACCEPT
diff --git a/torrentban.sh b/torrentban.sh
@@ -98,18 +98,11 @@ iptables -I FORWARD -p udp -m ipp2p --bit -j REJECT --reject-with icmp-port-unre
 iptables -P INPUT ACCEPT
 iptables -P FORWARD ACCEPT
 iptables -P OUTPUT ACCEPT
-iptables -N ts-forward
-iptables -N ts-input
-iptables -A INPUT -j ts-input
-iptables -A FORWARD -j ts-forward
+iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -s 100.1.0.0/16 -d 100.1.0.0/16 -j REJECT --reject-with icmp-port-unreachable
 iptables -A FORWARD -s 100.1.0.0/16 -j ACCEPT
 iptables -A FORWARD -d 100.1.0.0/16 -j ACCEPT
-iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xffffffff
-iptables -A ts-forward -m mark --mark 0x40000 -j ACCEPT
-iptables -A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
-iptables -A ts-forward -o tailscale0 -j ACCEPT
-iptables -A ts-input -s 100.85.163.74/32 -i lo -j ACCEPT
-iptables -A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
-iptables -A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
+
+iptables -A FORWARD -s 10.99.0.0/16 -d 10.99.0.0/16 -j REJECT --reject-with icmp-port-unreachable
+iptables -A FORWARD -s 10.99.0.0/16 -j ACCEPT
+iptables -A FORWARD -d 10.99.0.0/16 -j ACCEPT
diff --git a/torrentban.sh b/torrentban.sh
@@ -5,6 +5,7 @@
 
 # Delete all existing rules
 iptables -F
+iptables -X
 
 # Set default chain policies
 iptables -P INPUT DROP

diff --git a/torrentban.sh b/torrentban.sh
@@ -55,8 +55,9 @@ iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100
 # Log dropped packets
 iptables -N LOGGING
 iptables -A INPUT -j LOGGING
-iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
+iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "[torrentban] IPTables Packet Dropped: " --log-level 7
 iptables -A LOGGING -j DROP
+iptables -A LOGGING -j REJECT
 
 # Block torrent - https://gist.github.com/iamtartan/872a0db39fa017dceee0?permalink_comment_id=3122192#gistcomment-3122192
 iptables -I OUTPUT -t filter -p tcp -m string --string "BitTorrent" --algo bm -j REJECT --reject-with tcp-reset

diff --git a/torrentban.sh b/torrentban.sh
@@ -90,4 +90,24 @@ iptables -A INPUT -m string --string "find_node" --algo bm -j DROP
 apt-get update
 apt-get install xtables-addons-common
 iptables -I FORWARD -p tcp -m ipp2p --bit -j REJECT --reject-with tcp-reset
-iptables -I FORWARD -p udp -m ipp2p --bit -j REJECT --reject-with icmp-port-unreachable
+iptables -I FORWARD -p udp -m ipp2p --bit -j REJECT --reject-with icmp-port-unreachable
+
+# from eng vpn test
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -N ts-forward
+iptables -N ts-input
+iptables -A INPUT -j ts-input
+iptables -A FORWARD -j ts-forward
+iptables -A FORWARD -s 100.1.0.0/16 -d 100.1.0.0/16 -j REJECT --reject-with icmp-port-unreachable
+iptables -A FORWARD -s 100.1.0.0/16 -j ACCEPT
+iptables -A FORWARD -d 100.1.0.0/16 -j ACCEPT
+iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xffffffff
+iptables -A ts-forward -m mark --mark 0x40000 -j ACCEPT
+iptables -A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
+iptables -A ts-forward -o tailscale0 -j ACCEPT
+iptables -A ts-input -s 100.85.163.74/32 -i lo -j ACCEPT
+iptables -A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
+iptables -A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
diff --git a/torrentban.sh b/torrentban.sh
@@ -90,4 +90,4 @@ iptables -A INPUT -m string --string "find_node" --algo bm -j DROP
 apt-get update
 apt-get install xtables-addons-common
 iptables -I FORWARD -p tcp -m ipp2p --bit -j REJECT --reject-with tcp-reset
-iptables -I FORWARD -p udp -m ipp2p --bit -j --reject-with icmp-port-unreachable
+iptables -I FORWARD -p udp -m ipp2p --bit -j REJECT --reject-with icmp-port-unreachable
diff --git a/torrentban.sh b/torrentban.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 # block torrent traffic by iptable/firewall for VPN/Proxy server
 # [email protected]
+# forked by roland
 
 # Delete all existing rules
 iptables -F

diff --git a/iptable-block-torrent → torrentban.sh b/iptable-block-torrent → torrentban.sh
@@ -57,4 +57,36 @@ iptables -A INPUT -j LOGGING
 iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
 iptables -A LOGGING -j DROP
 
+# Block torrent - https://gist.github.com/iamtartan/872a0db39fa017dceee0?permalink_comment_id=3122192#gistcomment-3122192
 iptables -I OUTPUT -t filter -p tcp -m string --string "BitTorrent" --algo bm -j REJECT --reject-with tcp-reset
+iptables -I OUTPUT -t filter -p udp -m string --string "BitTorrent" --algo bm -j REJECT --reject-with icmp-port-unreachable
+
+# Block torrent - https://www.unixmen.com/how-to-block-bittorrent-traffic-on-your-linux-firewall/
+iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
+iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
+iptables -A FORWARD -m string --algo bm --string "peer_id=" -j DROP
+iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
+iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
+iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP
+iptables -A FORWARD -m string --algo bm --string "announce" -j DROP
+iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP
+
+# Block torrent - https://www.digitalocean.com/community/questions/updating-iptables-to-block-torrent-traffic
+iptables -A INPUT -m string --string "BitTorrent" --algo bm -j DROP
+iptables -A INPUT -m string --string "BitTorrent protocol" --algo bm -j DROP
+iptables -A INPUT -m string --string "peer_id=" --algo bm -j DROP
+iptables -A INPUT -m string --string ".torrent" --algo bm -j DROP
+iptables -A INPUT -m string --string "announce.php?passkey=" --algo bm -j DROP
+iptables -A INPUT -m string --string "torrent" --algo bm -j DROP
+iptables -A INPUT -m string --string "announce" --algo bm -j DROP
+iptables -A INPUT -m string --string "info_hash" --algo bm -j DROP
+iptables -A INPUT -m string --string "tracker" --algo bm -j DROP
+iptables -A INPUT -m string --string "get_peers" --algo bm -j DROP
+iptables -A INPUT -m string --string "announce_peer" --algo bm -j DROP
+iptables -A INPUT -m string --string "find_node" --algo bm -j DROP
+
+# Block Torrent - https://techexpert.tips/ubuntu/block-bittorrent-linux/
+apt-get update
+apt-get install xtables-addons-common
+iptables -I FORWARD -p tcp -m ipp2p --bit -j REJECT --reject-with tcp-reset
+iptables -I FORWARD -p udp -m ipp2p --bit -j --reject-with icmp-port-unreachable
diff --git a/iptable-block-torrent b/iptable-block-torrent
@@ -56,3 +56,5 @@ iptables -N LOGGING
 iptables -A INPUT -j LOGGING
 iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
 iptables -A LOGGING -j DROP
+
+iptables -I OUTPUT -t filter -p tcp -m string --string "BitTorrent" --algo bm -j REJECT --reject-with tcp-reset
diff --git a/iptable-block-torrent b/iptable-block-torrent
@@ -51,13 +51,6 @@ iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
 # Prevent DoS attack
 iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
 
-# Allow NAT only for HTTP/HTTPS/SSH
-iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 22 -j MASQUERADE
-iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 80 -j MASQUERADE
-iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 443 -j MASQUERADE
-iptables -t nat -I POSTROUTING 1 -o eth0 -p udp --dport 443 -j MASQUERADE
-iptables -t nat -I POSTROUTING 1 -o eth0 -p udp --dport 53 -j MASQUERADE
-
 # Log dropped packets
 iptables -N LOGGING
 iptables -A INPUT -j LOGGING

diff --git a/iptable-block-torrent b/iptable-block-torrent
@@ -2,92 +2,63 @@
 # block torrent traffic by iptable/firewall for VPN/Proxy server
 # [email protected]
 
-# 1. Delete all existing rules
+# Delete all existing rules
 iptables -F
 
-# 2. Set default chain policies
+# Set default chain policies
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
 
-# 3. Block a specific ip-address
-#BLOCK_THIS_IP="x.x.x.x"
-#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
-
-# 4. Allow ALL incoming SSH
+# Allow ALL incoming SSH
 iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 
-# 5. Allow incoming SSH only from a sepcific network
-#iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-
-# 6. Allow incoming HTTP
-#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-#iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-
-# Allow incoming HTTPS
-#iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-#iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-
-# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
+# MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
 iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
 
+# Allow All custom proxy ports
 iptables -A INPUT -i eth0 -p tcp -m multiport --dports 800:820 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 800:820 -m state --state ESTABLISHED -j ACCEPT
 
-
-# 8. Allow outgoing SSH
+# Allow outgoing SSH
 iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 
-# 9. Allow outgoing SSH only to a specific network
-#iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-
-# 10. Allow outgoing HTTPS
+# Allow outgoing HTTPS
 iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
 
-
-# 11. Load balance incoming HTTPS traffic
-#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
-#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
-#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
-
-# 12. Ping from inside to outside
+# Ping from inside to outside
 iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
 
-# 13. Ping from outside to inside
+# Ping from outside to inside
 iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
 
-# 14. Allow loopback access
+# Allow loopback access
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 
-# 15. Allow packets from internal network to reach external network.
-# if eth1 is connected to external network (internet)
-# if eth0 is connected to internal network (192.168.1.x)
-#iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
-
-# 16. Allow outbound DNS
+# Allow outbound DNS
 iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
 iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
 
-# 23. Prevent DoS attack
+# Prevent DoS attack
 iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
 
+# Allow NAT only for HTTP/HTTPS/SSH
 iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 22 -j MASQUERADE
 iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 80 -j MASQUERADE
 iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 443 -j MASQUERADE
 iptables -t nat -I POSTROUTING 1 -o eth0 -p udp --dport 443 -j MASQUERADE
 iptables -t nat -I POSTROUTING 1 -o eth0 -p udp --dport 53 -j MASQUERADE
-# 25. Log dropped packets
+
+# Log dropped packets
 iptables -N LOGGING
 iptables -A INPUT -j LOGGING
 iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7

diff --git a/iptable-block-torrent b/iptable-block-torrent
@@ -0,0 +1,94 @@
+#!/bin/sh
+# block torrent traffic by iptable/firewall for VPN/Proxy server
+# [email protected]
+
+# 1. Delete all existing rules
+iptables -F
+
+# 2. Set default chain policies
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# 3. Block a specific ip-address
+#BLOCK_THIS_IP="x.x.x.x"
+#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
+
+# 4. Allow ALL incoming SSH
+iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+
+# 5. Allow incoming SSH only from a sepcific network
+#iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+
+# 6. Allow incoming HTTP
+#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+#iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+
+# Allow incoming HTTPS
+#iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+#iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+
+# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
+iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
+
+iptables -A INPUT -i eth0 -p tcp -m multiport --dports 800:820 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 800:820 -m state --state ESTABLISHED -j ACCEPT
+
+
+# 8. Allow outgoing SSH
+iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+
+# 9. Allow outgoing SSH only to a specific network
+#iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+
+# 10. Allow outgoing HTTPS
+iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+
+
+# 11. Load balance incoming HTTPS traffic
+#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
+#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
+#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
+
+# 12. Ping from inside to outside
+iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# 13. Ping from outside to inside
+iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# 14. Allow loopback access
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# 15. Allow packets from internal network to reach external network.
+# if eth1 is connected to external network (internet)
+# if eth0 is connected to internal network (192.168.1.x)
+#iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
+
+# 16. Allow outbound DNS
+iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
+iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
+
+# 23. Prevent DoS attack
+iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
+
+iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 22 -j MASQUERADE
+iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 80 -j MASQUERADE
+iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 443 -j MASQUERADE
+iptables -t nat -I POSTROUTING 1 -o eth0 -p udp --dport 443 -j MASQUERADE
+iptables -t nat -I POSTROUTING 1 -o eth0 -p udp --dport 53 -j MASQUERADE
+# 25. Log dropped packets
+iptables -N LOGGING
+iptables -A INPUT -j LOGGING
+iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
+iptables -A LOGGING -j DROP
No results found