Tutorial Firewall Iptables / Protection TeamSpeak 3 Server Crack R4P3

BadySmith

>_ ./teamspeakaddict.sh </>
Joined
Feb 16, 2018
Messages
9
Points
8
Age
18
Location
France
Hello, I'm realease a little homemade firewall to simply protect a simple Debian VPS / Ubuntu server.
this works well on ovh server.


/!\ WARNING /!\

stay in the root folder to test the firewall otherwise you can meter your server in danger!

Command 0 : cd /root

Tools : vi, vim, nano :

Command 1 : vim firewall_testroot

Indicator :

XXX = select you port | speed looking ctrl + f : XXX ;)

# = is not actived
Code:
#!/bin/sh

echo "
______ ___________ _____ _    _  ___  _     _ 
|  ___|_   _| ___ |  ___| |  | |/ _ \| |   | |
| |_    | | | |_/ | |__ | |  | / /_\ | |   | |
|  _|   | | |    /|  __|| |/\| |  _  | |   | |
| |    _| |_| |\ \| |___\  /\  | | | | |___| |____
\_|    \___/\_| \_\____/ \/  \/\_| |_\_____\_____/"

# CLEAR RULES

iptables -t filter -F
iptables -t filter -X



# DENY ALL ACCESS

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP


# READY ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# loop-back (localhost)

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# STOP PING CMD

iptables -t filter -A INPUT -p icmp -j REJECT
iptables -t filter -A OUTPUT -p icmp -j REJECT

# SSH ACCEPT

iptables -t filter -A INPUT -p tcp --dport XXX -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport XXX -j ACCEPT

   # Active Localhost OPENVPN SECURITY
  #iptables -t filter -A INPUT -p tcp --dport 22 -s 100:100:100:100 -j ACCEPT


# HTTP WEB

#iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT



   #HTTPS



    #iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

    #iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

    #iptables -t filter -A INPUT -p udp --dport 443 -j ACCEPT

    #iptables -t filter -A OUTPUT -p udp --dport 443 -j ACCEPT



#SMTP MAIL



#iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT

#iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

#iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT

#iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT

#iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT

#iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT



# DNS

iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT

iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT

iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT



# NTP

iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT





# ANTI DDOS

iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT

iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT

iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT



# Reject spoofed packets

iptables -A INPUT -s 10.0.0.0/8 -j DROP

iptables -A INPUT -s 169.254.0.0/16 -j DROP

iptables -A INPUT -s 172.16.0.0/12 -j DROP

iptables -A INPUT -s 127.0.0.0/8 -j DROP



iptables -A INPUT -s 224.0.0.0/4 -j DROP

iptables -A INPUT -d 224.0.0.0/4 -j DROP

iptables -A INPUT -s 240.0.0.0/5 -j DROP

iptables -A INPUT -d 240.0.0.0/5 -j DROP

iptables -A INPUT -s 0.0.0.0/8 -j DROP

iptables -A INPUT -d 0.0.0.0/8 -j DROP

iptables -A INPUT -d 239.255.255.0/24 -j DROP

iptables -A INPUT -d 255.255.255.255 -j DROP



# Drop all invalid packets

iptables -A INPUT -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j DROP



# Drop excessive RST packets to avoid smurf attacks

iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT



# Attempt to block portscans

# Anyone who tried to portscan us is locked out for an entire day.

iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP

iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP



# Once the day has passed, remove them from the portscan list

iptables -A INPUT   -m recent --name portscan --remove

iptables -A FORWARD -m recent --name portscan --remove



# These rules add scanners to the portscan list, and log the attempt.

iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"

iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP



iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP



# Drop all invalid packets

iptables -A INPUT -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j DROP


# Conf 2

iptables -A INPUT -p tcp --syn -m limit --limit 2/s --limit-burst 30 -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j ACCEPT


# MYSQL

iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT

iptables -t filter -A INPUT -p udp --dport 3306 -j ACCEPT


# TS APPS

iptables -t filter -A OUTPUT -p tcp --dport 41144 -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 41144 -j ACCEPT



# QUERY


iptables -t filter -A OUTPUT -p tcp --dport 10011-j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 10011 -j ACCEPT

iptables -t filter -A OUTPUT -p tcp --dport 30033 -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 30033 -j ACCEPT



# Account



iptables -t filter -A OUTPUT -p udp --dport 587 -j ACCEPT

iptables -t filter -A INPUT -p udp --dport 587 -j ACCEPT


iptables -t filter -A OUTPUT -p udp --dport 587 -j ACCEPT

iptables -t filter -A INPUT -p udp --dport 587 -j ACCEPT



# ALL TS SERVER

iptables -t filter -A OUTPUT -p udp --dport XXX -j ACCEPT

iptables -t filter -A INPUT -p udp --dport XXX -j ACCEPT
    

# ANTI DDOS Production Server WEB



#iptables -N http-flood

#iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 1 -j http-flood

#iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 1 -j http-flood

#iptables -A http-flood -m limit --limit 10/s --limit-burst 10 -j RETURN

#iptables -A http-flood -m limit --limit 1/s --limit-burst 10 -j LOG --log-prefix "HTTP-FLOOD "

#iptables -A http-flood -j DROP


#iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j DROP

#iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 20 -j DROP

#iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set

#iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 20 -j DROP

#iptables -A INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --set

#iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 10 --hitcount 20 -j DROP

#iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 13 -j DROP

#iptables -N flood

#iptables -A flood -j LOG --log-prefix "FLOOD "

#iptables -A flood -j DROP


iptables -t filter -N syn-flood

iptables -t filter -A INPUT -i eth0 -p tcp --syn -j syn-flood

iptables -t filter -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN

iptables -t filter -A syn-flood -j LOG \

--log-prefix "IPTABLES SYN-FLOOD:"

iptables -t filter -A syn-flood -j DROP


iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

iptables -t mangle -A PREROUTING -p icmp -j DROP

iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset

iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT

iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

iptables -t mangle -A PREROUTING -f -j DROP

iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

iptables -N port-scanning

iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN

iptables -A port-scanning -j DROP



#OPENVPN Is not actived



#iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT

#iptables -t filter -A INPUT -p tcp --dport 1194 -j ACCEPT

#iptables -t filter -A OUTPUT -p udp --dport 1194 -j ACCEPT

#iptables -t filter -A OUTPUT -p tcp --dport 1194 -j ACCEPT



#Accepter le flux entrant depuis le tunnel vpn vers le réseau interne pour les ports 80 et 443 en TCP :

#iptables -t filter -A FORWARD -p tcp --dport 80 -j ACCEPT -i tun0

#iptables -t filter -A FORWARD -p tcp --dport 443 -j ACCEPT -i tun0



#Accepter n'importe quel flux vers le tunnel vpn

#iptables -t filter -A FORWARD -j ACCEPT -o tun0



#iptables -A FORWARD -o eth0 -i tun0 -s 192.168.2.0/24 -m conntrack --ctstate NEW -j ACCEPT

#iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#iptables -t nat -F POSTROUTING

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#sudo iptables -t nat -A POSTROUTING -s 10/8 -o eth0 -j MASQUERADE

Command 2 : chmod 777 ./firewall_testroot
Command 2.1 : ./firewall_testroot

ERROR 1 : Is not run, Verif firewall conf
ERROR 2 : SERVER CRASHED SSH CLOSED, Restart you vps by pannels admin hosting.


IS OK ? :

Command 3 : mv firewall_testroot /etc/init.d//firewall

Command 4 : cd /etc/init.d/

Command 5 : sudo chmod +x firewall

Command 6 : sudo update-rc.d firewall defaults

Finish, Thanks for reading my post and hope this helped you! ;)
 
Last edited:

SrFernando

Member
Joined
Jan 7, 2016
Messages
0
Points
35
Age
24
he says:
Code:
-bash: ./firewall_testroot.sh: /bin/sh^M: bad interpreter: No such file or directory
could you help me im very new..
 

pwn3r

Member
Joined
Jan 1, 2018
Messages
131
Points
44
Location
/dev/null
he says:
-bash: ./firewall_testroot.sh: /bin/sh^M: bad interpreter: No such file or directory
could you help me im very new..
I think the file has some Windows line endings somehow, but you can fix that by running this command:
sed -i -e 's/\r$//' firewall_testroot.sh
or if you have dos2unix installed, you can do:
dos2unix firewall_testroot.sh
and then run it normally:
./firewall_testroot.sh
Source: https://askubuntu.com/questions/304999/not-able-to-execute-a-sh-file-bin-bashm-bad-interpreter
 
Joined
Sep 30, 2015
Messages
12
Points
53
A person who finishes this script to vps automatically blocks port 9987 and 22 or the person has to use vnc or contact the support or even reboot is enough.

---- Automatically Merged Double Post ----

I'm not a professional but this helped me
Code:
#!/bin/bash
IPT="/sbin/iptables"
 
echo "Starting IPv4 Wall..."
modprobe ip_conntrack
 
BADIPS=$(egrep -v -E "^#|^$" /root/scripts/blocked.fw)
PUB_IF="venet0"

#block udp with a 0-byte payload
iptables -A INPUT -p udp -m u32 --u32 "22&0xFFFF=0x0008" -j DROP

#block all packets from ips ending in .255.255
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0xFFFF" -j DROP

#block common Camfrog-specific attacks
iptables -A INPUT -m u32 --u32 "28&0x00000FF0=0xFEDFFFFF" -j DROP

#block udp containing "farewall"
iptables -A INPUT -m string --algo bm --from 28 --to 29 --string "farewell" -j DROP

#block udp starting with alternating spaces
iptables -A INPUT -p udp -m u32 --u32 "28 & 0x00FF00FF = 0x00200020 && 32 & 0x00FF00FF = 0x00200020 && 36 & 0x00FF00FF = 0x00200020 && 40 & 0x00FF00FF = 0x00200020" -j DROP

#block tcp ack 0 of length 40
iptables -I INPUT -p tcp -m tcp -m string --hex-string "|000000005010|" --algo kmp --from 28 --to 29 -m length --length 40 -j DROP

#block udp containing "SAMP"
iptables -I INPUT -p udp -m udp -m string --hex-string "|53414d50|" --algo kmp --from 28 --to 29 -j DROP

#block udp starting with "std" and 00s
iptables -I INPUT -p udp -m udp -m string --hex-string "|7374640000000000|" --algo kmp --from 28 --to 29 -j DROP

#block udp containing 16 null (00) chars
iptables -I INPUT -p udp -m udp -m string --hex-string "|00000000000000000000000000000000|" --algo kmp --from 32 --to 33 -j DROP

#block udp containing "AAAAAAAAAAAAAAAA"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 32 --to 33 --string "AAAAAAAAAAAAAAAA" -j DROP

#block udp containing "0123456789ABCDE"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "0123456789ABCDE" -j DROP

#block all packets from ips ending in .0.0
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0" -j DROP

#block Source Split Packets
iptables -A INPUT -p udp -m u32 --u32 "26&0xFFFFFFFF=0xfeff" -j DROP

#block udp containing "0123456789"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 44 --to 45 --string "0123456789" -j DROP

#block udp containing "a cat is fine too"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "A cat is fine too" -j DROP

#block udp containing "flood"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "flood" -j DROP

#block udp containing "q00000000000000"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "q00000000000000" -j DROP

#block udp containing "statusResponse"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "statusResponse" -j DROP

#block icmp
iptables -A INPUT -p icmp -j DROP

#block udp methode "NTP"
iptables -A INPUT -i lo -p udp --destination-port 123 -j DROP
iptables -A INPUT -p udp --source-port 123:123 -m state --state ESTABLISHED -j DROP

#block udp methode "CODE"
iptables -I INPUT -p udp -m udp -m string --hex-string "|ffffffff6765746368616c6c656e676520302022|" --algo kmp -j DROP

#block udp methode "SSDP"
iptables -I INPUT -p udp --dport 16000:29000 -m string --to 75 --algo bm --string 'HTTP/1.1 200 OK' -j DROP

#block protocols other than tcp, udp, and icmp [block all traffic]
iptables -A INPUT -p udp -m u32 --u32 "6&0xFF=0,2:5,7:16,18:255" -j DROP


#unlimited 
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
 
# DROP all incomming traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

iptables -P OUTPUT ACCEPT

# block all bad ips
for ip in $BADIPS
do
    $IPT -A INPUT -s $ip -j DROP
    $IPT -A OUTPUT -d $ip -j DROP
done
 
# sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"
 
 
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
 
# Fragments
$IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
 
 
# block bad stuff
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 
 
# Allow full outgoing connection but no incomming stuff
$IPT -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o venet0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
# allow ssh only
$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 22 -j ACCEPT

# allow teamspeak ports
$IPT -A INPUT -p udp --destination-port 9987 -j ACCEPT
$IPT -A OUTPUT -p udp --sport 9987 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 10011 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 10011 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 30033 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 30033 -j ACCEPT

# allow incoming ICMP ping pong stuff
$IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# No smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i venet0     --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i venet0 --dport 137:139 -j REJECT
 
# Log everything else
# *** Required for psad ****
$IPT -A INPUT -j LOG 
$IPT -A FORWARD -j LOG 
$IPT -A INPUT -j DROP
 
###############
# KERNEL PARAMETER CONFIGURATION

# PREVENT YOU SYSTEM FROM ANSWERING ICMP ECHO REQUESTS
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# DROP ICMP ECHO-REQUEST MESSAGES SENT TO BROADCAST OR MULTICAST ADDRESSES
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# DONT ACCEPT ICMP REDIRECT MESSAGES
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# DONT SEND ICMP REDIRECT MESSAGES
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# DROP SOURCE ROUTED PACKETS
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# ENABLE TCP SYN COOKIE PROTECTION FROM SYN FLOODS
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# ENABLE SOURCE ADDRESS SPOOFING PROTECTION
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# LOG PACKETS WITH IMPOSSIBLE ADDRESSES (DUE TO WRONG ROUTES) ON YOUR NETWORK
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# DISABLE IPV4 FORWARDING
echo 0 > /proc/sys/net/ipv4/ip_forward



# DROP INVALID
$IPT -A INPUT -m state --state INVALID -j DROP

# ALLOW ONLY ESTABLISHED, RELATED
$IPT -A INPUT -p tcp -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# DROP INVALID SYN PACKETS
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# MAKE SURE NEW INCOMING TCP CONNECTIONS ARE SYN PACKETS; OTHERWISE WE NEED TO DROP THEM 
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK RESULT INTO LINUX SERVER PANIC SUCH DATA LOSS
$IPT -A INPUT -f -j DROP

# DROP INCOMING MALFORMED XMAS PACKETS
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# DROP INCOMING MALFORMED NULL PACKETS
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

###############
# OUTPUT

# DROP INVALID
$IPT -A OUTPUT -m state --state INVALID -j DROP

# DROP INVALID SYN PACKETS
$IPT -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# MAKE SURE NEW OUTGOING TCP CONNECTIONS ARE SYN PACKETS; OTHERWISE WE NEED TO DROP THEM 
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# DROP PACKETS WITH OUTGOING FRAGMENTS. THIS ATTACK RESULT INTO LINUX SERVER PANIC SUCH DATA LOSS
$IPT -A OUTPUT -f -j DROP

# DROP OUTGOING MALFORMED XMAS PACKETS
$IPT -A OUTPUT -p tcp --tcp-flags ALL ALL -j DROP

# DROP OUTGOING MALFORMED NULL PACKETS
$IPT -A OUTPUT -p tcp --tcp-flags ALL NONE -j DROP

exit 0
 
Last edited:

dufham21

Member
Joined
Mar 5, 2016
Messages
4
Points
38
Age
22
i have entered the rules of this article but ssh is not connected
Hello, I'm realease a little homemade firewall to simply protect a simple Debian VPS / Ubuntu server.
this works well on ovh server.


/!\ WARNING /!\

stay in the root folder to test the firewall otherwise you can meter your server in danger!

Command 0 : cd /root

Tools : vi, vim, nano :

Command 1 : vim firewall_testroot

Indicator :

XXX = select you port | speed looking ctrl + f : XXX ;)

# = is not actived
Code:
#!/bin/sh

echo "
______ ___________ _____ _    _  ___  _     _
|  ___|_   _| ___ |  ___| |  | |/ _ \| |   | |
| |_    | | | |_/ | |__ | |  | / /_\ | |   | |
|  _|   | | |    /|  __|| |/\| |  _  | |   | |
| |    _| |_| |\ \| |___\  /\  | | | | |___| |____
\_|    \___/\_| \_\____/ \/  \/\_| |_\_____\_____/"

# CLEAR RULES

iptables -t filter -F
iptables -t filter -X



# DENY ALL ACCESS

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP


# READY ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# loop-back (localhost)

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# STOP PING CMD

iptables -t filter -A INPUT -p icmp -j REJECT
iptables -t filter -A OUTPUT -p icmp -j REJECT

# SSH ACCEPT

iptables -t filter -A INPUT -p tcp --dport XXX -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport XXX -j ACCEPT

   # Active Localhost OPENVPN SECURITY
  #iptables -t filter -A INPUT -p tcp --dport 22 -s 100:100:100:100 -j ACCEPT


# HTTP WEB

#iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT



   #HTTPS



    #iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

    #iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

    #iptables -t filter -A INPUT -p udp --dport 443 -j ACCEPT

    #iptables -t filter -A OUTPUT -p udp --dport 443 -j ACCEPT



#SMTP MAIL



#iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT

#iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

#iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT

#iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT

#iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT

#iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT



# DNS

iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT

iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT

iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT



# NTP

iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT





# ANTI DDOS

iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT

iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT

iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT



# Reject spoofed packets

iptables -A INPUT -s 10.0.0.0/8 -j DROP

iptables -A INPUT -s 169.254.0.0/16 -j DROP

iptables -A INPUT -s 172.16.0.0/12 -j DROP

iptables -A INPUT -s 127.0.0.0/8 -j DROP



iptables -A INPUT -s 224.0.0.0/4 -j DROP

iptables -A INPUT -d 224.0.0.0/4 -j DROP

iptables -A INPUT -s 240.0.0.0/5 -j DROP

iptables -A INPUT -d 240.0.0.0/5 -j DROP

iptables -A INPUT -s 0.0.0.0/8 -j DROP

iptables -A INPUT -d 0.0.0.0/8 -j DROP

iptables -A INPUT -d 239.255.255.0/24 -j DROP

iptables -A INPUT -d 255.255.255.255 -j DROP



# Drop all invalid packets

iptables -A INPUT -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j DROP



# Drop excessive RST packets to avoid smurf attacks

iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT



# Attempt to block portscans

# Anyone who tried to portscan us is locked out for an entire day.

iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP

iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP



# Once the day has passed, remove them from the portscan list

iptables -A INPUT   -m recent --name portscan --remove

iptables -A FORWARD -m recent --name portscan --remove



# These rules add scanners to the portscan list, and log the attempt.

iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"

iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP



iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP



# Drop all invalid packets

iptables -A INPUT -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j DROP


# Conf 2

iptables -A INPUT -p tcp --syn -m limit --limit 2/s --limit-burst 30 -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j ACCEPT


# MYSQL

iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT

iptables -t filter -A INPUT -p udp --dport 3306 -j ACCEPT


# TS APPS

iptables -t filter -A OUTPUT -p tcp --dport 41144 -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 41144 -j ACCEPT



# QUERY


iptables -t filter -A OUTPUT -p tcp --dport 10011-j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 10011 -j ACCEPT

iptables -t filter -A OUTPUT -p tcp --dport 30033 -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 30033 -j ACCEPT



# Account



iptables -t filter -A OUTPUT -p udp --dport 587 -j ACCEPT

iptables -t filter -A INPUT -p udp --dport 587 -j ACCEPT


iptables -t filter -A OUTPUT -p udp --dport 587 -j ACCEPT

iptables -t filter -A INPUT -p udp --dport 587 -j ACCEPT



# ALL TS SERVER

iptables -t filter -A OUTPUT -p udp --dport XXX -j ACCEPT

iptables -t filter -A INPUT -p udp --dport XXX -j ACCEPT
   

# ANTI DDOS Production Server WEB



#iptables -N http-flood

#iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 1 -j http-flood

#iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 1 -j http-flood

#iptables -A http-flood -m limit --limit 10/s --limit-burst 10 -j RETURN

#iptables -A http-flood -m limit --limit 1/s --limit-burst 10 -j LOG --log-prefix "HTTP-FLOOD "

#iptables -A http-flood -j DROP


#iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j DROP

#iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 20 -j DROP

#iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set

#iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 20 -j DROP

#iptables -A INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --set

#iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 10 --hitcount 20 -j DROP

#iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 13 -j DROP

#iptables -N flood

#iptables -A flood -j LOG --log-prefix "FLOOD "

#iptables -A flood -j DROP


iptables -t filter -N syn-flood

iptables -t filter -A INPUT -i eth0 -p tcp --syn -j syn-flood

iptables -t filter -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN

iptables -t filter -A syn-flood -j LOG \

--log-prefix "IPTABLES SYN-FLOOD:"

iptables -t filter -A syn-flood -j DROP


iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

iptables -t mangle -A PREROUTING -p icmp -j DROP

iptables -A INPUT -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset

iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT

iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

iptables -t mangle -A PREROUTING -f -j DROP

iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

iptables -N port-scanning

iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN

iptables -A port-scanning -j DROP



#OPENVPN Is not actived



#iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT

#iptables -t filter -A INPUT -p tcp --dport 1194 -j ACCEPT

#iptables -t filter -A OUTPUT -p udp --dport 1194 -j ACCEPT

#iptables -t filter -A OUTPUT -p tcp --dport 1194 -j ACCEPT



#Accepter le flux entrant depuis le tunnel vpn vers le réseau interne pour les ports 80 et 443 en TCP :

#iptables -t filter -A FORWARD -p tcp --dport 80 -j ACCEPT -i tun0

#iptables -t filter -A FORWARD -p tcp --dport 443 -j ACCEPT -i tun0



#Accepter n'importe quel flux vers le tunnel vpn

#iptables -t filter -A FORWARD -j ACCEPT -o tun0



#iptables -A FORWARD -o eth0 -i tun0 -s 192.168.2.0/24 -m conntrack --ctstate NEW -j ACCEPT

#iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#iptables -t nat -F POSTROUTING

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#sudo iptables -t nat -A POSTROUTING -s 10/8 -o eth0 -j MASQUERADE

Command 2 : chmod 777 ./firewall_testroot
Command 2.1 : ./firewall_testroot

ERROR 1 : Is not run, Verif firewall conf
ERROR 2 : SERVER CRASHED SSH CLOSED, Restart you vps by pannels admin hosting.


IS OK ? :

Command 3 : mv firewall_testroot /etc/init.d//firewall

Command 4 : cd /etc/init.d/

Command 5 : sudo chmod +x firewall

Command 6 : sudo update-rc.d firewall defaults

Finish, Thanks for reading my post and hope this helped you! ;)


i have entered the rules of this article but ssh is not connected
 

AgustinZinola

New Member
Joined
Nov 6, 2017
Messages
8
Points
15
Age
21
where should i put my other apps ports ? for example i want to add ports like 28960 and 28961 , and many others , and where should i put the ports of ts3 too?
 

Top