#!/bin/bash # Stateful Firewall Using IPtables by CCNA HUB - Imad Daou # For more information: https://www.ccnahub.com/linux-courses/ # The following IPtables Firewall Rules recommended for Single Web Hosting VPS. # ********************Please read all notes carefully before Applying************************* # # This Script Built ONLY for single Host Firewall, it was not meant to service as gateway Firewall or Multi-home Firewall. # # Things to keep in mind before running the the script at your VPS: # 1. If you are using OpenVZ VPS, most probably you need to comment the "modprobe" rules below using hash sign. # 2. The default interface across Public VPS is "eth0". However, OpenVZ might need "venet0" interface instead. # 3. Besides, If you are testing from Class C Private Network, please comment the Spoofing Class A,B, or C rules # using hash sign, otherwise, your ssh session will be blocked. echo echo -e "\x1B[01;93m#### ####\x1B[0m" echo -e "\x1B[01;92m# Preparing IPtables v4 and v6 Script for Single VPS... #\x1B[0m" echo -e "\x1B[01;93m#### ####\x1B[0m" echo sleep 2 IPT="/sbin/iptables" IP6="/sbin/ip6tables" MODPROBE="/sbin/modprobe" ## ## Remove all IPtables Chains ## $IPT -F $IPT -X $IPT -t nat -F $IPT -t nat -X $IPT -t mangle -F $IPT -t mangle -X $IPT -P INPUT ACCEPT $IPT -P FORWARD ACCEPT $IPT -P OUTPUT ACCEPT $IP6 -F $IP6 -X $IP6 -t mangle -F $IP6 -t mangle -X $IP6 -P INPUT ACCEPT $IP6 -P FORWARD ACCEPT $IP6 -P OUTPUT ACCEPT ## ## Load IPTables Modules ## echo echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mEnabling IPTables v4 and v6 Firewall Modules...\x1B[0m" echo # Note: If you are applying this IPtables Firewall Script on OpenVZ container, then you probably # need to comment the following lines IPtables and Netfilter Modules using the hash sign. $MODPROBE ip_tables $MODPROBE ip_conntrack $MODPROBE ip_conntrack_ftp $MODPROBE ip_conntrack_irc $MODPROBE nf_conntrack_irc $MODPROBE nf_conntrack_ftp $MODPROBE nf_conntrack_ipv4 $MODPROBE nf_defrag_ipv4 $MODPROBE nf_conntrack_ipv4 $MODPROBE nf_conntrack # Is it Linux OpenVZ or Linux VM? # The following would be most probably the main and the only one Interface which connects the VPS to the world. # Some OpenVZ VPS such OVH Classic might use venet0 instead of eth0, default is eth0. # Most KVM VPS uses eth0 as internet interface - If that's the case, then you good to go. Use ifconfig command to verify. PUB_IF="eth0" # Public Ethernet Card that is connected to the Internet # Most OpenVZ VPS uses venet0 as internet interface - If that's the case, then you need to comment upper rule and uncomment the following rule. #PUB_IF="venet0" # Public Ethernet Card that is connected to the Internet # LAN Interface LAN_IF="eth1" # LAN Ethernet Card that is connected to private network # Setting TCP and UDP Flood Prevention policy. # Assume you set 20 as the limit connections. Once a client opens 21 connections, # then iptables rules set below counts all connections as part of # the same source IP and blocks any exceeded connections over 20 in let's say per every 6 seconds. # Max sessions Per IP Address. (All NAT devices will be considered as one IP) BLOCKCOUNT=255 # Linux Default IP Packet List is 20, however, it can be changed to 255 after optimizing IPtables Modules. # Max IP sessions per seconds SECONDS=20 # The IPtables Firewall will try to throttle the connection if it tries to open more than 255 IP sessions per 20 Seconds. # If any client creates more than 254 sessions during 60 seconds drop the packets. # No human will open a 254 sessions in 60 seconds, hence, this rule used to prevent Denial of Service Attacks. DACTION="DROP" RACTION="REJECT" # Always accept local traffic - Unlimited access to loopback $IPT -A INPUT -s 127.0.0.0/8 ! -i lo --jump $DACTION $IPT -A INPUT -s 127.0.0.1/32 --jump ACCEPT $IPT -A INPUT -i lo --jump ACCEPT $IPT -A OUTPUT -o lo --jump ACCEPT $IP6 -A INPUT -i lo -j ACCEPT $IP6 -A OUTPUT -o lo -j ACCEPT ## ## Drop all Incoming, Outgoing, and Forwarding Traffic ## echo echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mSetting Global Policy: Drop All IPv4/IPv6 Traffic...\x1B[0m" echo # The default INPUT IPtables policy is set to Drop, meaning what is not explicitly accepted is discarded. # However we accept all incoming connections that are already established. For example, your server won't # answer to any request from the outside unless you enable the IPtables rules that associated with that service. # But as a client, query a distant server is possible and you will be able to get Server response. E.g. running # apt-get update should work fine. Finally, Local services won't be affected because the firewall is set to accept # anything on loop interface. # # Deny All Traffic by default. Drop all Incoming, Outgoing, and Forwarding Traffic. $IPT -P INPUT $DACTION $IPT -P OUTPUT $DACTION $IPT -P FORWARD $DACTION $IP6 -P INPUT $DACTION $IP6 -P OUTPUT $DACTION $IP6 -P FORWARD $DACTION ## ## IPset Rules ## # IPset Blacklist Rules # Note: Enable Only if you have IPSET Plugin for IPtables installed and ipset-blacklist.sh has been already loaded. #echo #echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mSetting Public/Private IPset IPv4 Blacklists...\x1B[0m" #echo BLACKLIST=IPSET-BLACKLIST #$IPT -I INPUT -m set --match-set $BLACKLIST src -j $DACTION #$IPT -I OUTPUT -m set --match-set $BLACKLIST src -j $DACTION # IPset Whitelist Rules # Note: Enable Only if you have IPSET Plugin for IPtables installed and ipset-whitelist.sh has been already loaded. #echo #echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mSetting Public/Private IPset IPv4 Whitelists...\x1B[0m" #echo WHITELIST=IPSET-WHITELIST #$IPT -I INPUT -p tcp -m multiport --dport 80,443 -m set --match-set $WHITELIST src -j ACCEPT #$IPT -I OUTPUT -p tcp -m multiport --dport 80,443 -m set --match-set $WHITELIST src -j ACCEPT ## ## Setting IPtables Firewall INPUT and OUTPUT Rules ## echo echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mSetting Stateful INPUT/OUPUT IPtables Firewall Rules...\x1B[0m" echo # # INPUT chain # # Below you will find Stateful inspection to track and Drop INVALID packets; # plus Established and Related connections Burst Limitation to fight Denial Of Services. # Port scanning or probing are used by attackers to identify open ports on your VPS. # This allows them to identify and fingerprint your running services, and possibly launch # exploits against them. ## ## Prevent TCP/UDP Port Scanning and Invalid Packets ## # TCP Scanning and Probing rules # If anyone tries to probe using nmap or similar tool, Drop and Trap the IP Address for one day. # E.g. nmap commands such -sS, -sA, -Pn, -PE, -PS, -PA, -PP, -PM, -PU, -PY, -PR, or -PO $IPT -I INPUT -m recent --name TCP-PORTSCAN --rcheck --seconds 86400 -j $DACTION $IP6 -I INPUT -m recent --name V6TCP-PORTSCAN --rcheck --seconds 86400 -j $DACTION # Once the day has passed, remove them from the TCP-PORTSCAN Trap. $IPT -A INPUT -m recent --name TCP-PORTSCAN --remove $IP6 -A INPUT -m recent --name V6TCP-PORTSCAN --remove # These rules add scanners to the TCP-PORTSCAN trap, and log the attempt. $IPT -I INPUT -m multiport -p tcp --dports 139 -m recent --name TCP-PORTSCAN --set -j LOG --log-prefix "IPT Drop TCP Scans: " --log-ip-options --log-tcp-options --log-level 7 $IPT -I INPUT -m multiport -p tcp --dports 139 --tcp-flags ALL SYN -m recent --name TCP-PORTSCAN --set -m comment --comment "IPT Dropping SYN Scans" -j $DACTION $IP6 -I INPUT -m multiport -p tcp --dports 139 -m recent --name V6TCP-PORTSCAN --set -j LOG --log-prefix "IP6 Drop TCP Scans: " --log-ip-options --log-tcp-options --log-level 7 $IP6 -I INPUT -m multiport -p tcp --dports 139 --tcp-flags ALL SYN -m recent --name V6TCP-PORTSCAN --set -m comment --comment "IP6 Dropping SYN Scans" -j $DACTION # Drop Invalid or Stealth Nmap Scan types Packets # If anyone sends Unclean Packets, Drop and Trap the IP Address for 15 Seconds. # The INVALID state rule will Drop most type of nmap scanning such -sT, -sF, -sI, # -sM, -sN, -sW, and -sX, however, does not stop -sU, -sA, or -sS scan type. # By default, the INVALID packet with trap rules are disabled. If you are so # much after hardening and security, then enable the rules that got the trap # and disable the INVALID packet rules that has no trap. # Keep the trap to the lowest second possible. Pick like 30 or 15 seconds. $IPT -A INPUT -m recent --name PACKET-CHECK --rcheck --seconds 15 -j $DACTION $IP6 -A INPUT -m recent --name V6PACKET-CHECK --rcheck --seconds 15 -j $DACTION # Once the sixty seconds have passed, remove them from the PACKET-CHECK Trap. $IPT -A INPUT -m recent --name PACKET-CHECK --remove $IP6 -A INPUT -m recent --name V6PACKET-CHECK --remove # INVALID rules with Trap #$IPT -A INPUT -m conntrack --ctstate INVALID -m recent --name PACKET-CHECK --set -j LOG --log-prefix "IPT Drop INVALID Packets: " --log-ip-options --log-tcp-options --log-level 7 #$IPT -A INPUT -m conntrack --ctstate INVALID -m recent --name PACKET-CHECK --set -m comment --comment "IPT Drop and Trap IP for few Seconds" -j $DACTION #$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #$IP6 -A INPUT -m conntrack --ctstate INVALID -m recent --name V6PACKET-CHECK --set -j LOG --log-prefix "IP6 Drop INVALID Packets: " --log-ip-options --log-tcp-options --log-level 7 #$IP6 -A INPUT -m conntrack --ctstate INVALID -m recent --name V6PACKET-CHECK --set -m comment --comment "IP6 Drop and Trap IP for few Seconds" -j $DACTION $IP6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # INVALID rules without Trap $IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IPT Drop INVALID Packets: " --log-ip-options --log-tcp-options --log-level 7 $IPT -A INPUT -m conntrack --ctstate INVALID -m comment --comment "IPT Dropping Invalid Packets" -j $DACTION $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $IP6 -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IP6 Drop INVALID Packets: " --log-ip-options --log-tcp-options --log-level 7 $IP6 -A INPUT -m conntrack --ctstate INVALID -m comment --comment "IP6 Dropping Invalid Packets" -j $DACTION $IP6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # # OUTPUT chain # # Stateful inspection to track and Drop INVALID packets # Enable the first 2 lines, IPtables will check outgoing for INVALID Packets. #$IPT -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IPT INVALID OUT Packets: " --log-ip-options --log-tcp-options --log-level 7 #$IPT -A OUTPUT -m conntrack --ctstate INVALID -j $DACTION $IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT #$IP6 -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IP6 INVALID OUT Packets: " --log-ip-options --log-tcp-options --log-level 7 #$IP6 -A OUTPUT -m conntrack --ctstate INVALID -j $DACTION $IP6 -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT echo echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mSetting Rules Against TCP and UDP Port Scanning...\x1B[0m" echo ## ## Prevent UDP Port Scanning or Probing ## # UDP Scanning and Probing rules # If anyone tries to probe using nmap or similar tool, Drop and Trap the IP Address for One day. # E.g. nmap commands such -sU, or hping3 -U scan. $IPT -A INPUT -m recent --name UDP-PORTSCAN --rcheck --seconds 86400 -j $DACTION $IP6 -A INPUT -m recent --name V6UDP-PORTSCAN --rcheck --seconds 86400 -j $DACTION # Once the day has passed, remove them from the UDP-PORTSCAN Trap. $IPT -A INPUT -m recent --name UDP-PORTSCAN --remove $IP6 -A INPUT -m recent --name V6UDP-PORTSCAN --remove # These rules add scanners to the UDP-PORTSCAN trap, and log the attempt. $IPT -A INPUT -m multiport -p udp --dports 139 -m recent --name UDP-PORTSCAN --set -j LOG --log-prefix "IPT Drop UDP Scans: " --log-ip-options --log-level 7 $IPT -A INPUT -m multiport -p udp --dports 139 -m recent --name UDP-PORTSCAN --set -m comment --comment "IPT Drop UDP Scans" -j $DACTION $IP6 -A INPUT -m multiport -p udp --dports 139 -m recent --name V6UDP-PORTSCAN --set -j LOG --log-prefix "IP6 Drop UDP Scans: " --log-ip-options --log-level 7 $IP6 -A INPUT -m multiport -p udp --dports 139 -m recent --name V6UDP-PORTSCAN --set -m comment --comment "IP6 Drop UDP Scans" -j $DACTION $IPT -A INPUT -p udp -m udp --sport 0 -m recent --name UDP-PORTSCAN --set -j LOG --log-prefix "IPT UDP src port-0-scan: " --log-ip-options --log-level 7 $IPT -A INPUT -p udp -m udp --sport 0 -m recent --name UDP-PORTSCAN --set -m comment --comment "IPT Drop UDP src port 0 scans" -j $DACTION $IP6 -A INPUT -p udp -m udp --sport 0 -m recent --name V6UDP-PORTSCAN --set -j LOG --log-prefix "IP6 UDP src port-0-scan: " --log-ip-options --log-level 7 $IP6 -A INPUT -p udp -m udp --sport 0 -m recent --name V6UDP-PORTSCAN --set -m comment --comment "IP6 Drop UDP src port 0 scans" -j $DACTION # Drop UDP 0 length packets $IPT -A INPUT -p udp -m limit --limit 6/h --limit-burst 1 -m length --length 0:28 -j LOG --log-prefix "IPT Drop-0-length UDP Scans: " --log-ip-options --log-level 7 $IPT -A INPUT -p udp -m length --length 0:28 -m comment --comment "IPT Drop udp packet with no content" -j $DACTION $IP6 -A INPUT -p udp -m limit --limit 6/h --limit-burst 1 -m length --length 0:28 -j LOG --log-prefix "IP6 Drop-0-length UDP scans:" --log-ip-options --log-level 7 $IP6 -A INPUT -p udp -m length --length 0:28 -m comment --comment "IP6 Drop udp packet with no content" -j $DACTION ## ## Against port 0 fingerprinting ## # Log and Drop tcp/udp packet with source or destination has port 0..." $IPT -A INPUT -p tcp -m tcp --dport 0 -m recent --name TCP-PORTSCAN --set -j LOG --log-prefix "IPT Drop TCP dest-port-0: " --log-ip-options --log-tcp-options --log-level 7 $IPT -A INPUT -p tcp -m tcp --dport 0 -m recent --name TCP-PORTSCAN --set -m comment --comment "IPT Drop TCP dest-port-0:" -j $DACTION $IP6 -A INPUT -p tcp -m tcp --dport 0 -m recent --name V6TCP-PORTSCAN --set -j LOG --log-prefix "IP6 Drop TCP dest-port-0: " --log-ip-options --log-tcp-options --log-level 7 $IP6 -A INPUT -p tcp -m tcp --dport 0 -m recent --name V6TCP-PORTSCAN --set -m comment --comment "IP6 Drop TCP dest-port-0:" -j $DACTION $IPT -A INPUT -p udp -m udp --dport 0 -m recent --name TCP-PORTSCAN --set -j LOG --log-prefix "IPT Drop UDP dest-port-0: " --log-level 7 $IPT -A INPUT -p udp -m udp --dport 0 -m recent --name TCP-PORTSCAN --set -m comment --comment "IPT Drop UDP dest-port-0:" -j $DACTION $IP6 -A INPUT -p udp -m udp --dport 0 -m recent --name V6TCP-PORTSCAN --set -j LOG --log-prefix "IP6 Drop UDP dest-port-0: " --log-level 7 $IP6 -A INPUT -p udp -m udp --dport 0 -m recent --name V6TCP-PORTSCAN --set -m comment --comment "IP6 Drop UDP dest-port-0:" -j $DACTION $IPT -A INPUT -p tcp -m tcp --sport 0 -m recent --name TCP-PORTSCAN --set -j LOG --log-prefix "IPT Drop TCP src-port-0: " --log-ip-options --log-tcp-options --log-level 7 $IPT -A INPUT -p tcp -m tcp --sport 0 -m recent --name TCP-PORTSCAN --set -m comment --comment "IPT Drop TCP src-port-0:" -j $DACTION $IP6 -A INPUT -p tcp -m tcp --sport 0 -m recent --name V6TCP-PORTSCAN --set -j LOG --log-prefix "IP6 Drop TCP src-port-0: " --log-ip-options --log-tcp-options --log-level 7 $IP6 -A INPUT -p tcp -m tcp --sport 0 -m recent --name V6TCP-PORTSCAN --set -m comment --comment "IP6 Drop TCP src-port-0:" -j $DACTION $IPT -A INPUT -p udp -m udp --sport 0 -m recent --name TCP-PORTSCAN --set -j LOG --log-prefix "IPT Drop UDP src-port-0: " --log-level 7 $IPT -A INPUT -p udp -m udp --sport 0 -m recent --name TCP-PORTSCAN --set -m comment --comment "IPT Drop UDP src-port-0:" -j $DACTION $IP6 -A INPUT -p udp -m udp --sport 0 -m recent --name V6TCP-PORTSCAN --set -j LOG --log-prefix "IP6 Drop UDP src-port-0: " --log-level 7 $IP6 -A INPUT -p udp -m udp --sport 0 -m recent --name V6TCP-PORTSCAN --set -m comment --comment "IP6 Drop UDP src-port-0:" -j $DACTION # To monitor your ports, you can use nmap. E.g. nmap 127.0.0.1. # Or, netstat -tupl or netstat -tupl -anov which can be better than nmap to check for open ports. ## ## Drop Unclean Packets ## # Drop Fragment Packets $IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IPT Drop Fragmented Packets: " --log-level 7 $IPT -A INPUT -f -m comment --comment "IPT Drop Fragmented Packets: " -j $DACTION $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j $DACTION $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j $DACTION $IP6 -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP6 Drop Fragmented Packets: " --log-level 7 $IP6 -A INPUT -m comment --comment "IP6 Drop Fragmented Packets: " -j $DACTION $IP6 -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j $DACTION $IP6 -A INPUT -p tcp --tcp-flags ALL ALL -j $DACTION # Drop Windows and SMB sharing Packets $IPT -A INPUT -p tcp --dport 137:139 -j $DACTION $IPT -A INPUT -p udp --dport 137:139 -j $DACTION $IP6 -A INPUT -p tcp --dport 137:139 -j $DACTION $IP6 -A INPUT -p udp --dport 137:139 -j $DACTION # Drop Broadcast and Multicast Packets $IPT -A INPUT -m pkttype --pkt-type broadcast -m limit --limit 5/m -j LOG --log-level 7 --log-prefix "IPT Drop Broadcast Packets: " --limit-burst 7 $IPT -A INPUT -m pkttype --pkt-type broadcast -j $DACTION $IPT -A INPUT -m pkttype --pkt-type multicast -m limit --limit 5/m -j LOG --log-level 7 --log-prefix "IPT Drop Multicast Packets: " --limit-burst 7 $IPT -A INPUT -m pkttype --pkt-type multicast -j $DACTION $IP6 -A INPUT -m pkttype --pkt-type broadcast -m limit --limit 5/m -j LOG --log-level 7 --log-prefix "IP6 Drop Broadcast Packets: " --limit-burst 7 $IP6 -A INPUT -m pkttype --pkt-type broadcast -j $DACTION $IP6 -A INPUT -m pkttype --pkt-type multicast -m limit --limit 5/m -j LOG --log-level 7 --log-prefix "IP6 Drop Multicast Packets: " --limit-burst 7 $IP6 -A INPUT -m pkttype --pkt-type multicast -j $DACTION # Drop excessive RST packets to avoid smurf attacks $IPT -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT $IP6 -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT # Reject ident probes with a tcp reset. $IPT -A INPUT -p tcp --dport 113 -j $RACTION --reject-with tcp-reset $IP6 -A INPUT -p tcp --dport 113 -j $RACTION --reject-with tcp-reset ## ## Fingerprinting Countermeasures ## echo echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mSetting Rules Against IPv4 Finger Printing...\x1B[0m" echo # Drop ICMP time stamp request and reply $IPT -A INPUT -p icmp --icmp-type timestamp-request -m comment --comment "IPT Drop icmp-timestamp request: " -j $DACTION $IP6 -A INPUT -p ipv6-icmp --icmpv6-type 13 -m comment --comment "IP6 Drop icmp-timestamp request: " -j $DACTION $IPT -A OUTPUT -p icmp --icmp-type timestamp-reply -m comment --comment "IPT Drop icmp-timestamp reply: " -j $DACTION $IP6 -A OUTPUT -p ipv6-icmp --icmpv6-type 14 -m comment --comment "IP6 Drop icmp-timestamp reply: " -j $DACTION # Drop ICMP address mask request $IPT -A INPUT -p icmp --icmp-type address-mask-request -m comment --comment "IPT Drop icmp-address-mask request: " -j $DACTION $IP6 -A INPUT -p ipv6-icmp --icmpv6-type 17 -m comment --comment "IP6 Drop icmp-address-mask request: " -j $DACTION # Drop TFTP port (69 udp/tcp) $IPT -A INPUT -p udp --destination-port 69 -m comment --comment "IPT Drop tftp port: " -j $DACTION $IP6 -A INPUT -p udp --destination-port 69 -m comment --comment "IP6 Drop tftp port: " -j $DACTION # Drop rwho port (513 udp) $IPT -A INPUT -p udp ! -i lo --destination-port 513 -m comment --comment "IPT Drop rwho port:" -j $DACTION $IP6 -A INPUT -p udp ! -i lo --destination-port 513 -m comment --comment "IP6 Drop rwho port: " -j $DACTION # Drop rusers port (10002 udp) $IPT -A INPUT -p udp ! -i lo --destination-port 10002 -m comment --comment "IPT Drop rusers port: " -j $DACTION $IP6 -A INPUT -p udp ! -i lo --destination-port 10002 -m comment --comment "IP6 Drop rusers port: " -j $DACTION # Drop finger port (79) $IPT -A INPUT -p tcp --destination-port 79 -m comment --comment "IPT Drop finger port: " -j $DACTION $IP6 -A INPUT -p tcp --destination-port 79 -m comment --comment "IP6 Drop finger port: " -j $DACTION # Drop connection that doesn't start by a syn " $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment "IPT Drop TCP not-starting-by-SYN: " -j $DACTION $IP6 -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment "IP6 Drop TCP not-starting-by-SYN: " -j $DACTION ## ## Reverse Tunnel Countermeasures ## # Drop any ICMP packet greater than 128 bytes $IPT -A INPUT -p icmp -m limit --limit 6/h --limit-burst 1 -m length --length 129:0xffff -j LOG --log-prefix "IPT Too big-icmp packet: " --log-level 7 $IPT -A INPUT -p icmp -m length --length 129:0xffff -m comment --comment "IPT Drop icmp packet bigger than 128 bytes (limit tunneling): " -j $DACTION $IP6 -A INPUT -p ipv6-icmp -m limit --limit 6/h --limit-burst 1 -m length --length 129:0xffff -j LOG --log-prefix "IP6 Too big-icmp packet: " --log-level 7 $IP6 -A INPUT -p ipv6-icmp -m length --length 129:0xffff -m comment --comment "IP6 Drop icmp packet bigger than 128 bytes (limit tunneling): " -j $DACTION # Drop ICMP echo-request greater than 85 bytes" $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 6/h --limit-burst 1 -m length --length 86:0xffff -j LOG --log-prefix "IPT Too big-icmp echo: " --log-level 7 $IPT -A INPUT -p icmp --icmp-type echo-request -m length --length 86:0xffff -m comment --comment "Drop icmp echo request bigger than 85 bytes (limit tunneling): " -j $DACTION $IP6 -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 6/h --limit-burst 1 -m length --length 86:0xffff -j LOG --log-prefix "IP6 Too big-icmp echo: " --log-level 7 $IP6 -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m length --length 86:0xffff -m comment --comment "IP6 Drop icmp echo request bigger than 85 bytes (limit tunneling): " -j $DACTION # Drop ICMP echo-reply greater than 85 bytes" $IPT -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 6/h --limit-burst 1 -m length --length 86:0xffff -j LOG --log-prefix "IPT Too big-icmp echo: " --log-level 7 $IPT -A INPUT -p icmp --icmp-type echo-reply -m length --length 86:0xffff -m comment --comment "Drop icmp echo reply bigger than 85 bytes (limit tunnelling): " -j $DACTION $IP6 -A INPUT -p ipv6-icmp --icmpv6-type echo-reply -m limit --limit 6/h --limit-burst 1 -m length --length 86:0xffff -j LOG --log-prefix "IP6 Too big-icmp echo: " --log-level 7 $IP6 -A INPUT -p ipv6-icmp --icmpv6-type echo-reply -m length --length 86:0xffff -m comment --comment "IP6 Drop icmp echo reply bigger than 85 bytes (limit tunnelling): " -j $DACTION # Reject access to Telnet Server $IPT -A OUTPUT -p tcp --dport 23 --jump $RACTION --reject-with tcp-reset $IP6 -A OUTPUT -p tcp --dport 23 --jump $RACTION --reject-with tcp-reset ## ## IPv4 Spoofing Countermeasures ## # Get Server IP Address # You need to choose whether you are using Debian Base of Red Hat Base to the following rules: # Debian Base grab IP address enabled by default. # Debian Base rule to grab Ip address of eth0, works on CentOS6 too. SERVERIPADDR=$(ifconfig eth0 | grep 'inet addr:' | awk -F'inet addr:' '{ print $2}' | awk '{ print $1}') # CentOS7 rule to grab IP Address of eth0. #SERVERIPADDR=$(ifconfig eth0 | grep 'inet ' | awk -F'inet ' '{ print $2}' | awk '{ print $1}') # Or, you can set your VPS IP address manually instead #SERVERIPADDR=VPS-IP-AAddress LOOPBACK="127.0.0.0/8" CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12" CLASS_C="192.168.0.0/16" CLASS_D_MULTICAST3="224.0.0.0/3" CLASS_D_MULTICAST4="224.0.0.0/4" CLASS_E_RESERVED_NET="240.0.0.0/5" BRCAST="255.255.255.255/32" # Note: If you are testing using Private Networks, please comment the Class that # you are using otherwise the IPT will block your SSH session. # Drop spoofed packets pretending to be from your IP address. $IPT -A INPUT -i $PUB_IF -s $SERVERIPADDR -j LOG --log-prefix "IPT Spoofing as Server IP: " --log-level 7 $IPT -A INPUT -i $PUB_IF -s $SERVERIPADDR -j $DACTION # Drop packets claiming to be to the loopback interface to protect against # source quench, whereby a machine can be told to slow itself down by an icmp source quench to the loopback. $IPT -A INPUT -i $PUB_IF -s $LOOPBACK -j LOG --log-prefix "IPT Spoofing as Loopback: " --log-level 7 $IPT -A INPUT -i $PUB_IF -d $LOOPBACK -j $DACTION # Drop packets claiming to be from a Class A private network. $IPT -A INPUT -i $PUB_IF -s $CLASS_A -j LOG --log-prefix "IPT Spoofing as-Class-A IP: " --log-level 7 $IPT -A INPUT -i $PUB_IF -s $CLASS_A -j $DACTION # Drop packets claiming to be from a Class B private network. $IPT -A INPUT -i $PUB_IF -s $CLASS_B -j LOG --log-prefix "IPT Spoofing as-Class-B IP: " --log-level 7 $IPT -A INPUT -i $PUB_IF -s $CLASS_B -j $DACTION # Drop packets claiming to be from a Class C private network. $IPT -A INPUT -i $PUB_IF -s $CLASS_C -j LOG --log-prefix "IPT Spoofing as-Class-C IP: " --log-level 7 $IPT -A INPUT -i $PUB_IF -s $CLASS_C -j $DACTION # Drop Class D multicast addresses. Multicast is illegal as a source address. $IPT -A INPUT -i $PUB_IF -s $CLASS_D_MULTICAST3 -j LOG --log-prefix "IPT Spoofing as-Class-D IP: " --log-level 7 $IPT -A INPUT -i $PUB_IF -s $CLASS_D_MULTICAST3 -j $DACTION # Drop Class D multicast addresses. Multicast is illegal as a source address. $IPT -A INPUT -i $PUB_IF -s $CLASS_D_MULTICAST4 -j LOG --log-prefix "IPT Spoofing as-Class-D IP: " --log-level 7 $IPT -A INPUT -i $PUB_IF -s $CLASS_D_MULTICAST4 -j $DACTION # Drop Class E reserved IP addresses. $IPT -A INPUT -i $PUB_IF -s $CLASS_E_RESERVED_NET -j LOG --log-prefix "IPT Spoofing as-Class-E IP: " --log-level 7 $IPT -A INPUT -i $PUB_IF -s $CLASS_E_RESERVED_NET -j $DACTION # Drop 255.255.255.255/32 Spoofing. $IPT -A INPUT -i $PUB_IF -s $BRCAST -j LOG --log-prefix "IPT Spoofing as-Class-E IP: " --log-level 7 $IPT -A INPUT -i $PUB_IF -s $BRCAST -j $DACTION ## ## Prevent Denial of Service (DoS) or Distributed Denial of Service (DDoS). ## echo echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mSetting Rules Against Denial Of Service Attacks...\x1B[0m" echo # Setting firewall TCP Syn flood limitation $IPT -N SYN-FLOOD $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment "Drop SYN Flood: " -j SYN-FLOOD $IPT -A SYN-FLOOD -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IPT Drop SYN Flood: " --log-ip-options --log-tcp-options --log-level 7 $IPT -A SYN-FLOOD -p tcp ! --syn -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT -m comment --comment "IPT Drop SYN Flood: " --rsource -j $RACTION --reject-with tcp-rst # Setting IPv6 firewall TCP Syn flood limitation $IP6 -N V6SYN-FLOOD $IP6 -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment "v6Drop SYN Flood: " -j V6SYN-FLOOD $IP6 -A V6SYN-FLOOD -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP6 Drop SYN Flood: " --log-ip-options --log-tcp-options --log-level 7 $IP6 -A V6SYN-FLOOD -p tcp ! --syn -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT -m comment --comment "IP6 Drop SYN Flood: " --rsource -j $DACTION # Setting firewall ICMP flood limitation $IPT -N ICMP-FLOOD $IPT -A INPUT -p icmp -m conntrack --ctstate NEW -m comment --comment "Drop ICMP Flood: " -j ICMP-FLOOD $IPT -A ICMP-FLOOD -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IPT Drop ICMP Flood: " --log-ip-options --log-tcp-options --log-level 7 $IPT -A ICMP-FLOOD -f -p icmp -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT -m comment --comment "IPT Drop ICMP Flood: " --rsource -j $RACTION --reject-with icmp-port-unreachable # Setting IPv6 firewall ICMPv6 flood limitation $IP6 -N V6ICMP-FLOOD $IP6 -A INPUT -p icmpv6 -m conntrack --ctstate NEW -m comment --comment "IP6 Drop ICMP Flood: " -j V6ICMP-FLOOD $IP6 -A V6ICMP-FLOOD -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP6 Drop ICMP Flood: " --log-ip-options --log-tcp-options --log-level 7 $IP6 -A V6ICMP-FLOOD -p icmp -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT -m comment --comment "IP6 Drop ICMP Flood: " --rsource -j $DACTION # Setting firewall UDP flood limitation $IPT -N UDP-FLOOD $IPT -A INPUT -p udp -m conntrack --ctstate NEW -m comment --comment "Drop UDP Flood" -j UDP-FLOOD $IPT -A UDP-FLOOD -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IPT Drop UDP Flood: " --log-ip-options --log-tcp-options --log-level 7 $IPT -A UDP-FLOOD -p udp -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT -m comment --comment "IPT Drop UDP Flood" --rsource -j $RACTION --reject-with icmp-port-unreachable # Setting IPv6 firewall UDP flood limitation $IP6 -N V6UDP-FLOOD $IP6 -A INPUT -p udp -m conntrack --ctstate NEW -m comment --comment "Drop UDP Flood: " -j V6UDP-FLOOD $IP6 -A V6UDP-FLOOD -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP6 Drop UDP Flood: " --log-ip-options --log-tcp-options --log-level 7 $IP6 -A V6UDP-FLOOD -p udp -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT -m comment --comment "IP6 Drop UDP Flood: " --rsource -j $DACTION ## ## Authorize Pinging with Limit Protection ## # Allow Incoming pinging through Public Interface $IPT -A INPUT -i $PUB_IF -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMP echo request" -j ACCEPT $IP6 -A INPUT -i $PUB_IF -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMPv6 echo request" -j ACCEPT # Allow Outgoing pinging through Public Interface $IPT -A OUTPUT -o $PUB_IF -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMP echo reply" -j ACCEPT $IP6 -A OUTPUT -o $PUB_IF -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMPv6 echo reply" -j ACCEPT # Allow Incoming pinging through LAN Interface. $IPT -A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMP echo request" -j ACCEPT $IP6 -A INPUT -i $LAN_IF -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMPv6 echo request" -j ACCEPT # Allow Outgoing pinging through LAN Interface $IPT -A OUTPUT -o $LAN_IF -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMP echo reply" -j ACCEPT $IP6 -A OUTPUT -o $LAN_IF -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMPv6 echo reply" -j ACCEPT ## ## SSH Brute Force Protection ## echo echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mAllowing SSH Access with Brute Force Protection...\x1B[0m" echo # IPv4 SSH Brute Force rules with Brute Force protection. # 5 SSH sessions allowed in 2 minutes (120 seconds), you can increase that time to 5 minutes (300 seconds) if needed. # Default wait time is 5 Minutes (300 seconds) before trying to open another 5 New SSH Sessions or Putty Windows. # If you need 10 SSH sessions instead of 5, change the hitcount below to 11 instead of 6 in both locations. # I recommend to increase the wait time to 30 Minutes (1800 Seconds) instead, to combat against Brute Force Attack. $IPT -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH-TRAP --rsource $IPT -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 120 --hitcount 6 --rttl --name SSH-TRAP --rsource -j LOG --log-prefix "IPT Drop SSH Brute-Force: " --log-ip-options --log-tcp-options --log-level 7 $IPT -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 300 --hitcount 6 --rttl --name SSH-TRAP --rsource -j $RACTION --reject-with tcp-reset $IPT -A INPUT -s 0/0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT # IPv6 SSH Brute Force rules. $IP6 -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name V6SSH-TRAP --rsource $IP6 -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 120 --hitcount 6 --rttl --name V6SSH-TRAP --rsource -j LOG --log-prefix "IP6 Drop SSH Brute-Force: " --log-ip-options --log-tcp-options --log-level 7 $IP6 -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 300 --hitcount 6 --rttl --name V6SSH-TRAP --rsource -j $RACTION --reject-with tcp-reset $IP6 -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT ## ## Allowing Web Hosting Services ## echo echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mAllowing TCP or UDP Services such HTTP, HTTPS, and FTP...\x1B[0m" echo # You can allow Services with either Hitcount, limit burst protection, or both. # Note: The default protection is Hitcount. # Web Services # Note: I've disabled throttle for http, enable it if needed. Use limit rules below if Hitcount throttle not suitable. # Allowing Incoming connection using Hitcount protection. #$IPT -A INPUT -p tcp -m multiport --dport 80,443 -m recent --set --name HTTP-HITCOUNT --rsource #$IPT -A INPUT -p tcp -m multiport --dport 80,443 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name HTTP-HITCOUNT --rsource -j $DACTION $IPT -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT #$IP6 -A INPUT -p tcp -m multiport --dport 80,443 -m recent --set --name V6HTTP-HITCOUNT --rsource #$IP6 -A INPUT -p tcp -m multiport --dport 80,443 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name V6HTTP-HITCOUNT --rsource -j $DACTION $IP6 -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT # Allowing Incoming connection using Limit Burst protection instead of Hitcount. # Meaning, you have to comment all the above ACCEPT rules if you decided to use Only the Limit Burst Rules below. #$IPT -A INPUT -p tcp -m multiport --dport 80,443 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IPT -A INPUT -p tcp -m multiport --dport 80,443 -j $DACTION #$IP6 -A INPUT -p tcp -m multiport --dport 80,443 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IP6 -A INPUT -p tcp -m multiport --dport 80,443 -j $DACTION # Mail Services # Allowing Incoming connection using Hitcount protection. $IPT -A INPUT -p tcp -m multiport --dport 25,587,465,110,995,143,993 -m recent --set --name MAIL-HITCOUNT --rsource $IPT -A INPUT -p tcp -m multiport --dport 25,587,465,110,995,143,993 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name MAIL-HITCOUNT --rsource -j $DACTION $IPT -A INPUT -p tcp -m multiport --dport 25,587,465,110,995,143,993 -j ACCEPT $IP6 -A INPUT -p tcp -m multiport --dport 25,587,465,110,995,143,993 -m recent --set --name V6MAIL-HITCOUNT --rsource $IP6 -A INPUT -p tcp -m multiport --dport 25,587,465,110,995,143,993 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name V6MAIL-HITCOUNT --rsource -j $DACTION $IP6 -A INPUT -p tcp -m multiport --dport 25,587,465,110,995,143,993 -j ACCEPT # Allowing Incoming connection using Limit Burst protection instead of Hitcount. #$IPT -A INPUT -p tcp -m multiport --dport 25,587,110,995,143,993 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IPT -A INPUT -p tcp -m multiport --dport 25,587,110,995,143,993 -j $DACTION #$IP6 -A INPUT -p tcp -m multiport --dport 25,587,465,110,995,143,993 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IP6 -A INPUT -p tcp -m multiport --dport 25,587,465,110,995,143,993 -j $DACTION # FTP Services # Allowing Incoming connection using Hitcount protection. # For Security, inform users to use FTP over TLS using an FTP client such FileZilla. 40110:40210 used by Passive FTP. $IPT -A INPUT -p tcp -m multiport --dport 21,20,990,989,30000:35000,40110:40210 -m recent --set --name FTP-HITCOUNT --rsource $IPT -A INPUT -p tcp -m multiport --dport 21,20,990,989,30000:35000,40110:40210 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name FTP-HITCOUNT --rsource -j $DACTION $IPT -A INPUT -p tcp -m multiport --dport 21,20,990,989,30000:35000,40110:40210 -j ACCEPT $IP6 -A INPUT -p tcp -m multiport --dport 21,20,990,989,30000:35000,40110:40210 -m recent --set --name V6FTP-HITCOUNT --rsource $IP6 -A INPUT -p tcp -m multiport --dport 21,20,990,989,30000:35000,40110:40210 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name V6FTP-HITCOUNT --rsource -j $DACTION $IP6 -A INPUT -p tcp -m multiport --dport 21,20,990,989,30000:35000,40110:40210 -j ACCEPT # Allowing Incoming connection using Limit Burst protection instead of Hitcount. #$IPT -A INPUT -p tcp -m multiport --dport 21,22,30000:35000,40110:40210 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IPT -A INPUT -p tcp -m multiport --dport 21,22,30000:35000,40110:40210 -j $DACTION #$IP6 -A INPUT -p tcp -m multiport --dport 21,22,30000:35000,40110:40210 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IP6 -A INPUT -p tcp -m multiport --dport 21,22,30000:35000,40110:40210 -j $DACTION # Control Panels Service such Webmin, ISPConfig, cPanel, and WHM Services # Allowing Incoming connection using Hitcount protection. $IPT -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -m recent --set --name CPANELS-HITCOUNT --rsource $IPT -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name CPANELS-HITCOUNT --rsource -j $DACTION $IPT -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -j ACCEPT $IP6 -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -m recent --set --name V6CPANELS-HITCOUNT --rsource $IP6 -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name V6CPANELS-HITCOUNT --rsource -j $DACTION $IP6 -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -j ACCEPT # Allowing Incoming connection using Limit Burst protection instead of Hitcount. #$IPT -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IPT -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -j $DACTION #$IP6 -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IP6 -A INPUT -p tcp -m multiport --dport 10000,8080,8081,2077,2078,2082,2083,2086,2087,2095,2096 -j $DACTION # DNS TCP Services # Allowing Incoming connection using Hitcount protection. $IPT -A INPUT -p tcp --dport 53 -m recent --set --name DNS-TCP-HITCOUNT --rsource $IPT -A INPUT -p tcp --dport 53 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name DNS-TCP-HITCOUNT --rsource -j $DACTION $IPT -A INPUT -p tcp --dport 53 -j ACCEPT $IP6 -A INPUT -p tcp --dport 53 -m recent --set --name V6DNS-TCP-HITCOUNT --rsource $IP6 -A INPUT -p tcp --dport 53 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name V6DNS-TCP-HITCOUNT --rsource -j $DACTION $IP6 -A INPUT -p tcp --dport 53 -j ACCEPT # Allowing Incoming connection using Limit Burst protection instead of Hitcount. #$IPT -A INPUT -p tcp --dport 53 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IPT -A INPUT -p tcp --dport 53 -j $DACTION #$IP6 -A INPUT -p tcp -dport 53 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IP6 -A INPUT -p tcp --dport 53 -j $DACTION # DNS UDP Services # Allowing Incoming connection using Hitcount protection. $IPT -A INPUT -p udp --dport 53 -m recent --set --name DNS-UDP-HITCOUNT --rsource $IPT -A INPUT -p udp --dport 53 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name DNS-UDP-HITCOUNT --rsource -j $DACTION $IPT -A INPUT -p udp --dport 53 -j ACCEPT $IP6 -A INPUT -p udp --dport 53 -m recent --set --name V6DNS-UDP-HITCOUNT --rsource $IP6 -A INPUT -p udp --dport 53 -m recent --update --seconds $SECONDS --hitcount $BLOCKCOUNT --name V6DNS-UDP-HITCOUNT --rsource -j $DACTION $IP6 -A INPUT -p udp --dport 53 -j ACCEPT # Allowing Incoming connection using Limit Burst protection instead of Hitcount. #$IPT -A INPUT -p udp --dport 53 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IPT -A INPUT -p udp --dport 53 -j $DACTION #$IP6 -A INPUT -p udp -dport 53 -m limit --limit 300/minute --limit-burst 900 -j ACCEPT #$IP6 -A INPUT -p udp --dport 53 -j $DACTION ## ## Final Log and Drop ## LOGLIMIT="5/m" LOGLIMITBURST="7" # IPv4 Log and Drop $IPT -N LOGDROP $IPT -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IPT FINAL TCP LOG-N-DROP: " --log-ip-options --log-tcp-options --log-level 7 $IPT -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IPT FINAL UDP LOG-N-DROP: " --log-level 7 $IPT -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IPT FINAL ICMP LOG-N-DROP: " --log-level 7 $IPT -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IPT FRAGMENT LOG-N-DROP: " --log-level 7 $IPT -A LOGDROP -j $DACTION $IPT -A INPUT -p icmp -i $PUB_IF -j LOGDROP $IPT -A INPUT -p tcp -i $PUB_IF -j LOGDROP $IPT -A INPUT -p udp -i $PUB_IF -j LOGDROP # IPv6 Log and Drop $IP6 -N LOGDROP $IP6 -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IP6 FINAL TCP6 LOG-N-DROP: " --log-ip-options --log-tcp-options --log-level 7 $IP6 -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IP6 FINAL UDP6 LOG-N-DROP: " --log-level 7 $IP6 -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IP6 FINAL ICMP6 LOG-N-DROP: " --log-level 7 $IP6 -A LOGDROP -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IP6 FRAGMENT LOG-N-DROP: " --log-level 7 $IP6 -A LOGDROP -j $DACTION $IP6 -A INPUT -p icmp -i $PUB_IF -j LOGDROP $IP6 -A INPUT -p tcp -i $PUB_IF -j LOGDROP $IP6 -A INPUT -p udp -i $PUB_IF -j LOGDROP # # Loop Log and Drop # # default OUTPUT LOG rule $IPT -A OUTPUT ! -o lo -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IPT INPUT LOOP LOG-N-DROP: " --log-level 7 # default INPUT LOG rule $IPT -A INPUT ! -i lo -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IPT OUTPUT LOOP LOG-N-DROP: " --log-level 7 # default OUTPUT LOG rule $IP6 -A OUTPUT ! -o lo -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IP6 OUTPUT LOOP LOG-N-DROP: " --log-level 7 # default INPUT LOG rule $IP6 -A INPUT ! -i lo -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "IP6 INPUT LOOP LOG-N-DROP: " --log-level 7 # # Final Rule # # Reject any packets that do not meet any of the above explicit rules $IPT -A INPUT -p tcp -j $RACTION --reject-with tcp-reset $IPT -A INPUT -p udp -j $RACTION --reject-with icmp-port-unreachable echo echo -e "\x1B[01;92m [+]\x1B[0m" "\x1B[01;89mStateful IPtables IPT Rules have been successfully Loaded!\x1B[0m" echo exit 0