chmodx revised this gist
Dec 24, 2015 . 1 changed file with 1 addition and 1 deletion.
@@ -66,7 +66,7 @@ $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT #$IPT -A INPUT -p UDP --dport 68 --sport 67 -j ACCEPT #Allow SSH $IPT -A INPUT -m state --state NEW,ESTABLISHED,RELATED --source 10.10.10.10 -p TCP -i eth0 -m multiport --dport "21,22,3306" -j ACCEPT #Allow HTTP $IPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
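Review bot: The `#Allow SSH` comment above the changed rule does not describe it: the rule admits TCP 21, 22 and 3306 from the one `--source` host, so FTP and MySQL are opened to that host as well, and `#Allow FTP, SSH and MySQL from the admin host only` would say what the rule does. The `--state NEW,ESTABLISHED,RELATED` qualifier is redundant with the `ESTABLISHED,RELATED` accept two lines above it, so `NEW` alone is enough here. Only the new side of the edited line is visible on this page; the removed line is not shown.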
chmodx revised this gist
Dec 24, 2015 . No changes.
chmodx revised this gist
Dec 24, 2015 . No changes.
chmodx created this gist
Dec 24, 2015 .
@@ -0,0 +1,163 @@ #!/bin/bash echo "@b4ut4 | Writing firewall rules..." IPT="/sbin/iptables" echo "0" > /proc/sys/net/ipv4/ip_forward echo "1" > /proc/sys/net/ipv4/tcp_syncookies echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses #Tcp tuning echo 7 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1 > /proc/sys/net/ipv4/tcp_orphan_retries echo 2 > /proc/sys/net/ipv4/tcp_synack_retries echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl echo 5 > /proc/sys/net/ipv4/tcp_keepalive_probes echo "4096 65536 16777216" > /proc/sys/net/ipv4/tcp_wmem echo "4096 65536 16777216" > /proc/sys/net/ipv4/tcp_rmem #For ftp /sbin/modprobe ip_conntrack_ftp #Flush all rules $IPT -F $IPT -F -t nat $IPT -F -t mangle $IPT -X $IPT -X -t nat $IPT -X -t mangle echo "Old Rules Flushed" #Set Default-Drop Policy $IPT -P INPUT DROP $IPT -P OUTPUT DROP #Create New Chain Called BAD_PACKETS $IPT -N BAD_PACKETS #Allow The Loopback (lo - 127.0.0.1) $IPT -A INPUT -i lo -j ACCEPT #Jump To BAD_PACKETS $IPT -A INPUT -j BAD_PACKETS #Allow Established Connections $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT #Allow DHCP #$IPT -A INPUT -p UDP --dport 68 --sport 67 -j ACCEPT #Allow SSH $IPT -A INPUT -m state --state NEW,ESTABLISHED,RELATED --source 62.212.235.211 -p TCP -i eth0 -m multiport --dport "21,22,3306" -j ACCEPT #Allow HTTP $IPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT #Allow net print #$IPT -A INPUT -p UDP -i eth0 --dport 631 -j ACCEPT #Allow webmin #$IPT -A INPUT -p TCP -i eth0 --dport 10000 -j ACCEPT #Allow avahi-daemon #$IPT -A INPUT -p TCP -i eth0 --dport 5353 -j ACCEPT #Allow input torrents-client #$IPT -A INPUT -p TCP -i eth0 --dport 51413 -j ACCEPT #$IPT -A INPUT -p UDP -i eth0 --dport 51413 -j ACCEPT #$IPT -A INPUT -p TCP -i eth0 --dport 6881 -j ACCEPT #$IPT -A INPUT -p UDP -i eth0 --dport 6881 
-j ACCEPT #Allow Samba From Specified Hosts #$IPT -A INPUT -p TCP -i eth0 --dport 137:139 -j ACCEPT #$IPT -A INPUT -p UDP -i eth0 --dport 137:139 -j ACCEPT #$IPT -A INPUT -p TCP -i eth0 --sport 137:139 -j ACCEPT #$IPT -A INPUT -p UDP -i eth0 --sport 137:139 -j ACCEPT #Allow ICMP Replies From Specified Hosts (Ping) $IPT -A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT $IPT -A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT #Allow input mail on 465 port $IPT -A INPUT -p tcp --dport 465 -j ACCEPT #Log $IPT -A INPUT -j LOG --log-prefix "INPUT DROP: " #Accept Loopback On OUTPUT $IPT -A OUTPUT -o lo -j ACCEPT #Allow Established Connections $IPT -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT #Allow HTTP,FTP,DNS,SSH, SMTP & Port 443 Outbound $IPT -A OUTPUT -p TCP -o eth0 --dport 443 -j ACCEPT $IPT -A OUTPUT -p TCP -o eth0 --dport 80 -j ACCEPT $IPT -A OUTPUT -p TCP -o eth0 --dport 53 -j ACCEPT $IPT -A OUTPUT -p UDP -o eth0 --dport 53 -j ACCEPT $IPT -A OUTPUT -p TCP -o eth0 --dport 25 -j ACCEPT $IPT -A OUTPUT -p TCP -o eth0 --dport 22 -j ACCEPT $IPT -A OUTPUT -p TCP -o eth0 --dport 21 -j ACCEPT #Allow POP, IMAP #$IPT -A OUTPUT -p TCP -o eth0 --dport 110 -j ACCEPT #$IPT -A OUTPUT -p TCP -o eth0 --dport 143 -j ACCEPT #Allow IMAPS #$IPT -A OUTPUT -p TCP -o eth0 --dport 993 -j ACCEPT #Allow output IRC #$IPT -A OUTPUT -p TCP -o eth0 --dport 6667 -j ACCEPT #$IPT -A OUTPUT -p TCP -o eth0 --dport 6668 -j ACCEPT #$IPT -A OUTPUT -p TCP -o eth0 --dport 6669 -j ACCEPT #$IPT -A OUTPUT -p TCP -o eth0 --dport 8001 -j ACCEPT #Allow output Google talk #$IPT -A OUTPUT -p TCP -o eth0 --dport 5222 -j ACCEPT #Allow output CUPS (for printers in net) #$IPT -A OUTPUT -p UDP -o eth0 --dport 631 -j ACCEPT #Allow output teamviewer #$IPT -A OUTPUT -p UDP -o eth0 --dport 5938 -j ACCEPT #Allow output NTP (for ntpdate) #$IPT -A OUTPUT -p UDP -o eth0 --dport 123 -j ACCEPT #Allow output Urban Terror #$IPT -A OUTPUT -p UDP -o eth0 --dport 27960 -j ACCEPT #Allow specify ports #$IPT -A OUTPUT 
-p TCP -o eth0 --dport 2046 -j ACCEPT #$IPT -A OUTPUT -p TCP -o eth0 --dport 2050 -j ACCEPT #Drop $IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: " $IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP $IPT -A BAD_PACKETS -p TCP --tcp-flags ALL ALL -j DROP $IPT -A BAD_PACKETS -p TCP --tcp-flags ALL NONE -j DROP $IPT -A BAD_PACKETS -p TCP --tcp-flags ALL SYN \-m state --state ESTABLISHED -j DROP $IPT -A BAD_PACKETS -p ICMP --fragment -j DROP $IPT -A BAD_PACKETS -m state --state INVALID -j DROP $IPT -A BAD_PACKETS -d 255.255.255.255 -j DROP $IPT -A BAD_PACKETS -j RETURN echo "Writing success"
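Review bot: The two `$IPT -A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT` lines under `#Allow ICMP Replies From Specified Hosts (Ping)` are identical, so the second is a no-op, and neither carries a `--source`, so the rule accepts echo-requests from anywhere despite the comment; the duplicate is presumably a leftover, since replies to the host's own pings are already matched by the `ESTABLISHED,RELATED` accept. The `-j LOG --log-prefix "INPUT DROP: "` rule (and its `OUTPUT DROP: ` twin) has no rate limit, so sustained unsolicited traffic against the default-DROP policy can flood the kernel log; `$IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT DROP: "` bounds it. The script also never checks that any `$IPT` call succeeded: once `-P INPUT DROP` and `-P OUTPUT DROP` are in place, an accept rule that fails to load silently leaves the host without that access, so `set -e` near the top, or `|| exit 1` on the accept rules, is worth adding. The admin address in the `--source` rule is hardcoded; lifting it into a variable next to `IPT=` would keep it in one place.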