Last active October 20, 2024 06:54
Gist samuraee/872a0db39fa017dceee0
#!/bin/sh
# block torrent traffic by iptable/firewall for VPN/Proxy server
# [email protected]
# Delete all existing rules and empty user-defined chains
# (-X is needed so that "iptables -N LOGGING" below does not fail on a re-run)
iptables -F
iptables -X
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# Allow All custom proxy ports
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 800:820 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 800:820 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing HTTPS and HTTP
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# Prevent DoS attack
# NOTE: the multiport rule above already ACCEPTs port 80, so this rate limit is never
# reached; it only has an effect if it (plus a DROP for the excess) is placed before that rule.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Log dropped packets (rate-limited so the log cannot be flooded), then drop them
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
DPI generates many false positives and is not a solution for medium or small environments, as it consumes a lot of hardware resources.
It is better to block well-known torrent ports (like bittorrent/p2p TCP/UDP 6881-6889 58251-58252,58687,6969,1337,2760,4662,4672,8104) using ipset rules in the iptables bash script. For more information, check ipset netfilter: https://ipset.netfilter.org/
You can also use an iptables string rule (example: -m string --hex-string "|$string|" --algo kmp) to block anything that can evade the ipset rule.
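The ipset-plus-string approach the comment above describes, as an added example that is not part of the gist or its comments. It assumes the set name torrent_ports, the chain names TORRENT and TORRENT_DROP, and that VPN client traffic is routed through FORWARD (a local proxy's connections go through OUTPUT); with DRY_RUN=1 it prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the gist): block BitTorrent on a VPN/proxy host with an ipset
# of the well-known ports from the comment above plus an xt_string payload match.
# Assumed names: set torrent_ports, chains TORRENT and TORRENT_DROP. DRY_RUN=1 prints
# the commands instead of running them; applying for real needs root, iptables, ipset.
: "${DRY_RUN:=0}"
# Port list taken from the comment above (ranges written as a-b).
TORRENT_PORTS="6881-6889 58251-58252 58687 6969 1337 2760 4662 4672 8104"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
# bitmap:port holds single ports and ranges; -exist makes the script re-runnable.
create_torrent_set() {
    run ipset create torrent_ports bitmap:port range 0-65535 -exist
    for p in $TORRENT_PORTS; do
        run ipset add torrent_ports "$p" -exist
    done
}

create_torrent_chains() {
    run iptables -N TORRENT_DROP
    run iptables -A TORRENT_DROP -m limit --limit 2/min -j LOG --log-prefix "Torrent blocked: " --log-level 4
    run iptables -A TORRENT_DROP -j DROP
    run iptables -N TORRENT
    # Destination-port check for both TCP and UDP (uTP, DHT and UDP trackers).
    for proto in tcp udp; do
        run iptables -A TORRENT -p "$proto" -m set --match-set torrent_ports dst -j TORRENT_DROP
    done
    # Payload checks for clients on non-standard ports: the 0x13 "BitTorrent protocol"
    # handshake and plain-HTTP tracker announces. Peers using protocol encryption (MSE)
    # evade these, so the port set remains the primary control.
    run iptables -A TORRENT -p tcp -m string --algo bm --hex-string "|13|BitTorrent protocol" -j TORRENT_DROP
    run iptables -A TORRENT -p tcp -m string --algo bm --string "info_hash=" -j TORRENT_DROP
}

# Insert at position 1 so the check runs before any ACCEPT rule: FORWARD covers
# routed VPN clients, OUTPUT covers a proxy that connects on their behalf.
hook_torrent_chain() {
    run iptables -I FORWARD 1 -j TORRENT
    run iptables -I OUTPUT 1 -j TORRENT
}

torrent_ruleset() {
    create_torrent_set
    create_torrent_chains
    hook_torrent_chain
}
# `sh block_torrent.sh apply` installs the rules; otherwise only the functions are defined.
if [ "${1:-}" = "apply" ]; then torrent_ruleset; fi
```

Run with DRY_RUN=1 first and review the printed rules; the LOG prefix "Torrent blocked:" makes hits easy to count in the kernel log.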