My Iptables Firewall :3

KELAZEDZN

Hey,

here is my iptables firewall :3

Code:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RAW-UDP-FILTERING - [0:0]
:RAW-TCP-FILTERING - [0:0]
:DNS - [0:0]
# the three INITFILTER chains are declared but no rule jumps to them
:INITFILTER - [0:0]
:INITFILTER1 - [0:0]
:INITFILTER2 - [0:0]

# sources tagged in the testtcp list (see RAW-TCP-FILTERING) stay blocked for 450 s
-A PREROUTING -m recent --name testtcp --rcheck --seconds 450 -j DROP
-A PREROUTING -m recent --name testtcp --remove
-A PREROUTING -i lo -j ACCEPT
# IP fragments are dropped outright
-A PREROUTING -f -j DROP
-A PREROUTING -p udp -j RAW-UDP-FILTERING
-A PREROUTING -p tcp -j RAW-TCP-FILTERING
# all ICMP is dropped, including the errors used for path MTU discovery
-A PREROUTING -p icmp -j DROP
-A OUTPUT -j ACCEPT

# --- UDP: already tagged sources stay blocked (antibotnet 7 days, antiddosudp 60 s)
-A RAW-UDP-FILTERING -m recent --name antibotnet --rcheck --seconds 604800 -j DROP
-A RAW-UDP-FILTERING -m recent --name antiddosudp --rcheck --seconds 60 -j DROP
-A RAW-UDP-FILTERING -m recent --name antibotnet --remove
-A RAW-UDP-FILTERING -m recent --name antiddosudp --remove
# datagrams outside 41-530 bytes total length
-A RAW-UDP-FILTERING -m length ! --length 41:530 -m recent --name antiddosudp --set -j DROP
# UDP to ports that only carry TCP services here
-A RAW-UDP-FILTERING -p udp -m multiport --dports 22,25,80,110,143,443,10011,25565,30033 -m recent --name antiddosudp --set -j DROP
# typical reflection/amplification source ports (chargen, tftp, portmap, ntp, netbios, snmp, rip, ssdp, ...)
-A RAW-UDP-FILTERING -p udp -m multiport --sports 4,19,69,111,123,135:139,161,445,520,1433:1456,1900,2055,27015 -m recent --name antiddosudp --set -j DROP
# per-source UDP flood: above 225000 packets/min tags the source in antibotnet for a week
-A RAW-UDP-FILTERING -m hashlimit --hashlimit-above 225000/m --hashlimit-burst 10000 --hashlimit-mode srcip --hashlimit-name antiddosudp -m recent --name antibotnet --set -j DROP
# DNS replies: only 8.8.8.8 may answer, and at most 5/s per source
-A RAW-UDP-FILTERING -p udp --sport 53 -j DNS
-A DNS ! -s 8.8.8.8 -m recent --name antiddosudp --set -j DROP
-A DNS -s 8.8.8.8 -m hashlimit --hashlimit-above 5/s --hashlimit-burst 7 --hashlimit-mode srcip --hashlimit-name dnslimit -j DROP
# TeamSpeak 3 handshakes (TS3INIT1) to the voice port range: at most 3/s per source
-A RAW-UDP-FILTERING -p udp --dport 9000:9999 -m string --string "TS3INIT1" --algo kmp -m hashlimit --hashlimit-above 3/s --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name ts3init1 -m recent --name antiddosudp --set -j DROP

# --- TCP: sources tagged in antiddostcp stay blocked for 450 s
-A RAW-TCP-FILTERING -m recent --name antiddostcp --rcheck --seconds 450 -j DROP
-A RAW-TCP-FILTERING -m recent --name antiddostcp --remove
# ports with no TCP service (Windows RPC/SMB, MSSQL, TS3 voice), dropped before conntrack sees them
-A RAW-TCP-FILTERING -p tcp -m multiport --dports 135:139,445,1433:1434,9987 -j DROP
# payload containing "WordPress/" (the user agent of WordPress pingback floods) tags the source in testtcp
-A RAW-TCP-FILTERING -p tcp -m string --string "WordPress/" --algo bm -m recent --name testtcp --set -j DROP
# invalid and scan-style TCP flag combinations
-A RAW-TCP-FILTERING -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags ACK,URG URG -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags ALL ALL -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags ALL NONE -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags ACK,RST ACK,RST -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags SYN,PSH SYN,PSH -j DROP
-A RAW-TCP-FILTERING -p tcp --tcp-flags PSH,ACK,URG PSH,ACK,URG -j DROP
# SYN and SYN/ACK go through the per-port SYN rate limit
-A RAW-TCP-FILTERING -p tcp --syn -j SYN-FILTERING
-A RAW-TCP-FILTERING -p tcp --tcp-flags ACK,SYN ACK,SYN -j SYN-FILTERING
# more than 2 SYN/s per source to the TS3 ServerQuery port tags the source in antiddostcp
-A SYN-FILTERING -p tcp --dport 10011 -m hashlimit --hashlimit-above 2/s --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name ts3queryblock -m recent --name antiddostcp --set -j DROP
# every SYN not advertising an MSS of 64000-65535 (i.e. practically every SYN) is checked for a sane MSS
-A RAW-TCP-FILTERING -p tcp --syn -m tcpmss ! --mss 64000:65535 -j MSS-FILTERING
# SYNs without an MSS option (TCP option 2) or with an MSS outside 1360-1500 are dropped and the
# source tagged; this also rejects legitimate clients behind links with a smaller MTU (e.g. some VPNs)
-A MSS-FILTERING -p tcp ! --tcp-option 2 -m recent --name antiddostcp --set -j DROP
-A MSS-FILTERING -p tcp -m tcpmss ! --mss 1360:1500 -m recent --name antiddostcp --set -j DROP

COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MANGLE-TCP-FILTERING - [0:0]
:MANGLE-UDP-FILTERING - [0:0]

-A OUTPUT -j ACCEPT
# loopback is accepted in PREROUTING rather than INPUT: the filtering chains below drop in
# PREROUTING, so an accept in INPUT would come too late and local UDP (e.g. a resolver on
# 127.0.0.1) would hit the final DROP of MANGLE-UDP-FILTERING
-A PREROUTING -i lo -j ACCEPT
-A PREROUTING -p udp -j MANGLE-UDP-FILTERING
-A PREROUTING -p tcp -j MANGLE-TCP-FILTERING

# --- UDP (after conntrack): sources sending invalid/untracked datagrams get tagged
-A MANGLE-UDP-FILTERING -m conntrack --ctstate INVALID,UNTRACKED -m recent --name antiddosudp --set -j DROP
-A MANGLE-UDP-FILTERING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new UDP flows above 1 kB/s per source (byte-mode hashlimit)
-A MANGLE-UDP-FILTERING -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1kb/s --hashlimit-burst 1kb --hashlimit-mode srcip --hashlimit-name SRCIPLIMIT -m recent --name antiddosudp --set -j DROP
# new UDP flows that are neither a TS3INIT1 handshake nor exactly 62 bytes long: at most 1/s per source
# (hashlimit state is looked up by name, so this shares its table with the raw-table rule named antiddosudp)
-A MANGLE-UDP-FILTERING -m conntrack --ctstate NEW -m string ! --string "TS3INIT1" --algo kmp -m length ! --length 62 -m hashlimit --hashlimit-above 1/s --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name antiddosudp -m recent --name antiddosudp --set -j DROP
# only TS3INIT1 handshakes to the voice port range may open a new inbound UDP flow; everything else is dropped
-A MANGLE-UDP-FILTERING -p udp --dport 9000:9999 -m string --string "TS3INIT1" --algo kmp -j ACCEPT
-A MANGLE-UDP-FILTERING -j DROP

# --- TCP (after conntrack)
-A MANGLE-TCP-FILTERING -m conntrack --ctstate INVALID,UNTRACKED -j DROP
# a NEW connection must start with a bare SYN
-A MANGLE-TCP-FILTERING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A MANGLE-TCP-FILTERING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MANGLE-TCP-FILTERING -p tcp --syn -j ACCEPT
-A MANGLE-TCP-FILTERING -p tcp --tcp-flags SYN,ACK SYN,ACK -j ACCEPT
-A MANGLE-TCP-FILTERING -j DROP

COMMIT
- KELAZE
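An added static check (my own code, not part of the post) for rulesets in this iptables-restore format: it reports user chains that are declared but never jumped to (like the INITFILTER chains above), jumps to chains that were never declared, and rules shadowed by an unconditional ACCEPT/DROP earlier in the same chain. The sample is a constructed, cut-down version of the post's raw table with those three defects planted in it.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's raw table: INITFILTER is declared but
# never used, RAW-TCP-FILTERING is used but never declared, DNS has a dead rule.
SAMPLE = """\
*raw
:PREROUTING ACCEPT [0:0]
:DNS - [0:0]
:INITFILTER - [0:0]
-A PREROUTING -p udp --sport 53 -j DNS
-A PREROUTING -p tcp -j RAW-TCP-FILTERING
-A DNS ! -s 8.8.8.8 -j DROP
-A DNS -j DROP
-A DNS -s 8.8.8.8 -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}
BUILTIN_TARGETS = TERMINAL | {"QUEUE", "NFQUEUE", "LOG", "MARK"}

def unconditional(rule):
    """True for a rule with no match at all, e.g. '-A DNS -j DROP'."""
    p = rule.split()
    return len(p) == 4 and p[2] == "-j" and p[3] in TERMINAL

def lint(dump):
    """Return sorted (kind, table, chain) findings for an iptables-restore dump."""
    table, user_chains, targets = None, defaultdict(set), defaultdict(set)
    rules = defaultdict(list)                        # (table, chain) -> rule lines
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):                     # table header
            table = line[1:]
        elif line.startswith(":"):                   # chain declaration
            name, policy = line[1:].split()[:2]
            if policy == "-":                        # "-" marks a user chain
                user_chains[table].add(name)
        elif line.startswith("-A "):                 # rule appended to a chain
            rules[(table, line.split()[1])].append(line)
            targets[table].update(re.findall(r"\s-[jg]\s+(\S+)", line))
    findings = []
    for t in set(user_chains) | set(targets):
        for c in sorted(user_chains[t] - targets[t]):
            findings.append(("unused-chain", t, c))
        for c in sorted(targets[t] - user_chains[t] - BUILTIN_TARGETS):
            findings.append(("undeclared-chain", t, c))
    for (t, c), lines in rules.items():
        if any(unconditional(r) for r in lines[:-1]):
            findings.append(("unreachable-rules", t, c))
    return sorted(findings)
```

Run it over a full dump (`iptables-save` output or the file fed to `iptables-restore`) before loading; an undeclared chain is rejected by iptables-restore, the other two findings load silently.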
 