My iptables script

Bluscream

Retired Staff
Contributor
Joined
May 8, 2015
Messages
959
Points
171
Location
Germany
Changelog said:
02.09.2015: Translated comments to English + added LSB init script comments + added the initial command to create and run the script
08.09.2015: Commented whitelist line + edited most ports to default ports.
08.09.2015: Added Supervisor's script to easily black-/whitelist an IP.
Code:
sudo nano firewall.sh;sudo chmod 755 firewall.sh;sudo ./firewall.sh
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides:  iptables
# Required-Start:  $local_fs $network
# Required-Stop:  $local_fs $network
# Default-Start:  2 3 4 5
# Default-Stop:  0 1 6
# Short-Description: Firewall Rules for iptables
# Description: EDIT THIS FILE TO YOUR NEEDS BEFORE EXECUTING
### END INIT INFO
aptitude install iptables iptables-persistent fail2ban
service fail2ban stop
iptables -F
iptables -X
#DENY
iptables -N DENY
iptables -A DENY -p tcp -m tcp -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with tcp-reset
iptables -A DENY -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with icmp-proto-unreachable
iptables -A DENY -p tcp ! --syn -m state --state NEW -j DROP
iptables -A DENY -f -j DROP
iptables -A DENY -p tcp --tcp-flags ALL ALL -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Limit Ping Flood" -j ACCEPT
#iptables -A DENY -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A DENY -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -m comment --comment "Anti-Portscan" -j ACCEPT
iptables -A DENY -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -m comment --comment "Anti-Portscan2" -j ACCEPT
#Drop unusual flags
iptables -A DENY -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A DENY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A DENY -m comment --comment "Ignore everything else" -j DROP
#BLOCKED
iptables -N BLOCKED
#ALLOWED
iptables -N ALLOWED
#iptables -A ALLOWED -s <YOUR IP HERE> -j ACCEPT ###EDIT AND UNCOMMENT THIS LINE!
#SERVICES
iptables -N SERVICES
iptables -A SERVICES -p tcp -m tcp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m multiport --dports 80,8080,443 -m comment --comment "Allow: Webserver" -j ACCEPT
iptables -A SERVICES -j RETURN
#TEAMSPEAK
iptables -N TEAMSPEAK
#iptables -A TEAMSPEAK -p tcp -m tcp --dport 2008 -m comment --comment "Allow: TeamSpeak Accounting" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 10011 -m comment --comment "Allow: TeamSpeak ServerQuery" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m multiport --dports 30033 -m comment --comment "Allow: TeamSpeak FileTransfer" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 41144 -m comment --comment "Allow: TeamSpeak TSDNS" -j ACCEPT
iptables -A TEAMSPEAK -p udp -m udp --dport 1:65535 -m comment --comment "Allow: TeamSpeak Voiceports" -j ACCEPT
iptables -A TEAMSPEAK -j RETURN
#INPUT
iptables -A INPUT -m comment --comment "Allow Whitelisted IP's" -j ALLOWED
iptables -A INPUT -m comment --comment "Block Blacklisted IP's" -j BLOCKED
iptables -A INPUT -i lo -m comment --comment "Allow: Loopback" -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow: Related and Established Connections" -j ACCEPT
iptables -A INPUT -m comment --comment "Allow Default Services" -j SERVICES
iptables -A INPUT -m comment --comment "Allow TeamSpeak Services" -j TEAMSPEAK
iptables -A INPUT -p icmp -m comment --comment "Allow: ICMP" -j ACCEPT
iptables -A INPUT -m comment --comment "Ignore everything else" -j DENY
iptables -P INPUT DROP
/etc/init.d/iptables-persistent save
service fail2ban start
clear
iptables -L
If you want to easily add or remove entries from the ALLOWED/BLOCKED chain, you can use the following script, created by @Supervisor:
Code:
sudo nano firewall;sudo chmod +x firewall
Code:
#!/bin/sh
# $1 = action, $2 = IP address. Rules are inserted at the top (-I) of the chain
# and deleted (-D) by matching the exact same rule specification.
case $1 in
block*) iptables -I BLOCKED -s "${2}" -j DROP ;;
unblock*) iptables -D BLOCKED -s "${2}" -j DROP ;;
allow*) iptables -I ALLOWED -s "${2}" -j ACCEPT ;;
disallow*) iptables -D ALLOWED -s "${2}" -j ACCEPT ;;
*) printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n"; exit 1 ;;
esac
Usage example said:
./firewall block IP
./firewall unblock IP
./firewall allow IP
./firewall disallow IP
P.S. I managed to set up iptables with this Tutorial [DE].
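Rule order in the DENY chain above matters: the two "Anti-Portscan" ACCEPT rules sit behind DROP rules with identical --tcp-flags matches, so they never see a packet, and the later ALL NONE DROP is a duplicate. The following check is added here as an example (not code from the post): it reads an `iptables -S <chain>` listing and reports rules shadowed in that way, run on a constructed, abridged copy of the DENY chain.

```shell
#!/bin/sh
# Added example, not part of the post: report rules in an "iptables -S <chain>"
# listing that can never match because an earlier rule in the same chain already
# drops every packet with the same --tcp-flags match, unconditionally.
find_shadowed_tcp_flag_rules() {
    awk '
    { n++ }                                   # rule number within the chain
    # Only rules of the form "-A CHAIN -p tcp -m tcp --tcp-flags MASK COMP ..." are examined,
    # which is how iptables -S prints TCP-flag matches.
    $3 == "-p" && $4 == "tcp" && $5 == "-m" && $6 == "tcp" && $7 == "--tcp-flags" {
        key = $8 " " $9
        if (key in dropped_at)
            printf "rule %d (--tcp-flags %s) is unreachable: rule %d already drops it\n",
                   n, key, dropped_at[key]
        else if (NF == 11 && $10 == "-j" && $11 == "DROP")
            dropped_at[key] = n                # no limit/port/comment match in between: unconditional
    }'
}

# Constructed, abridged copy of the DENY chain from the script above, in iptables -S form.
sample_deny_chain() {
    printf '%s\n' \
        '-A DENY -p tcp -m tcp --tcp-flags ALL ALL -j DROP' \
        '-A DENY -p tcp -m tcp --tcp-flags ALL NONE -j DROP' \
        '-A DENY -p tcp -m tcp --tcp-flags ALL NONE -m limit --limit 1/hour -m comment --comment Anti-Portscan -j ACCEPT' \
        '-A DENY -p tcp -m tcp --tcp-flags ALL ALL -m limit --limit 1/hour -m comment --comment Anti-Portscan2 -j ACCEPT' \
        '-A DENY -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -j DROP' \
        '-A DENY -p tcp -m tcp --tcp-flags ALL NONE -j DROP' \
        '-A DENY -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP' \
        '-A DENY -j DROP'
}

# On a live box: iptables -S DENY | find_shadowed_tcp_flag_rules
sample_deny_chain | find_shadowed_tcp_flag_rules
```

The three lines it prints for the sample are exactly the "Anti-Portscan", "Anti-Portscan2" and duplicate ALL NONE rules; moving the rate-limited ACCEPT rules above the matching DROPs (or removing them) makes the chain do what the comments say.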
 

Bluscream

Retired Staff
Contributor
Joined
May 8, 2015
Messages
959
Points
171
Location
Germany
There is something wrong with your VPS. I cannot help you with operating-system-related issues, please use Google.
 

Kirill

Member
Joined
Aug 30, 2015
Messages
60
Points
53
Thanks a lot for these scripts! Everything is working fine.
 

_w00t_

VIP
Joined
Jul 28, 2015
Messages
236
Points
64
Good script, but waiting for the automated thing as you said.
 

Supervisor

Administrator
Joined
Apr 27, 2015
Messages
1,737
Points
295
Location
Germany
I just merged all of the above into one script. I think that's easier to handle :)
  1. nano firewall and chmod +x firewall
  2. Code:
    #!/bin/sh
    # $1 = action, $2 = IP address. Rules are inserted at the top (-I) of the chain
    # and deleted (-D) by matching the exact same rule specification.
    case $1 in
    block*)     iptables -I BLOCKED -s "${2}" -j DROP   ;;
    unblock*)   iptables -D BLOCKED -s "${2}" -j DROP   ;;
    allow*)     iptables -I ALLOWED -s "${2}" -j ACCEPT ;;
    disallow*)  iptables -D ALLOWED -s "${2}" -j ACCEPT ;;
    *)          printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n"; exit 1 ;;
    esac
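A hardened variant of that helper, added here as an example and not the script posted above: it validates the address before handing it to iptables, refuses to insert a rule that is already present, removes duplicates on unblock/disallow, and returns a real exit status (the posted version always exits 1). DRY_RUN is an assumed environment variable that prints the iptables command lines instead of running them, so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not the forum's script: same ALLOWED/BLOCKED chains and command
# names, with input validation, idempotent insert/delete and a real exit status.

# Accept only a dotted-quad IPv4 address with an optional /prefix.
valid_ipv4() {
    addr=$1; prefix=32
    case "$addr" in */*) prefix=${addr#*/}; addr=${addr%%/*} ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

run() {   # DRY_RUN=1 (assumed) prints the command instead of executing it
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

rule_exists() {   # iptables -C succeeds when an identical rule is present
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    iptables -C "$@" 2>/dev/null
}

fw_apply() {
    action=$1; ip=$2
    case "$action" in
        block)    chain=BLOCKED; target=DROP;   op=add ;;
        unblock)  chain=BLOCKED; target=DROP;   op=del ;;
        allow)    chain=ALLOWED; target=ACCEPT; op=add ;;
        disallow) chain=ALLOWED; target=ACCEPT; op=del ;;
        *) echo "Usage: $0 block|unblock|allow|disallow IP[/prefix]" >&2; return 2 ;;
    esac
    valid_ipv4 "$ip" || { echo "refusing to use '$ip': not an IPv4 address" >&2; return 2; }
    if [ "$op" = add ]; then
        rule_exists "$chain" -s "$ip" -j "$target" && return 0   # already there
        run -I "$chain" -s "$ip" -j "$target"
    else
        run -D "$chain" -s "$ip" -j "$target" || return 1        # nothing to delete
        while rule_exists "$chain" -s "$ip" -j "$target"; do      # also drop duplicates
            run -D "$chain" -s "$ip" -j "$target"
        done
    fi
}
if [ $# -gt 0 ]; then fw_apply "$@"; exit $?; fi
```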
 

Qraktzyl

Retired Staff
Joined
Nov 2, 2015
Messages
979
Points
161
Age
29
I just want to understand something... Blocking port 2008 access means the license is valid and cannot be checked to see if it's cracked, but if TeamSpeak can't access your port 2008 then they know you have a cracked version...?
 

Supervisor

Administrator
Joined
Apr 27, 2015
Messages
1,737
Points
295
Location
Germany
Nope. All it will do is drop the connection to port 2008.
Let's assume you would not have a cracked license and therefore no Accounting server... There would be no process listening on port 2008, thereby the connection would time out just like it does time out with the iptables.
 

Qraktzyl

Retired Staff
Joined
Nov 2, 2015
Messages
979
Points
161
Age
29
Supervisor said:
There would be no process listening on port 2008, thereby the connection would time out just like it does time out with the iptables.
I am 100% sure you know this more than me, but there is something I don't get.

TeamSpeak server will listen on 2008 when having a legitimate ATHP license, which would be the reason the server shuts down when there is no connection to port 2008 without the emulator. No?
 

Supervisor

Administrator
Joined
Apr 27, 2015
Messages
1,737
Points
295
Location
Germany
Well, there is one more thing you have to know: The Accounting server happens to listen to port 2008, too!
So here is the overview:
TeamSpeak server:
outgoing connection port to Acc server: ?/2008
incoming connection port from Acc server: 2008
Accounting server:
outgoing connection port to teamspeak server: ? (not really important, I guess that's random for the official one, and it does not matter for the cracked one. If I'd have to guess: 2008 :p)
incoming connection port from TS server: 2008

The official way (AccServer and TSServer on different servers):
- TSServer(?/2008) calls AccServer(2008).
- AccServer checks license and sends back the answer
- AccServer(?/2008) sends an approve/deny message to the TSServer(2008)
-> incoming Port 2008 has to be open for the TSServer, but: the TSServer ignores all packages which are not sent from the AccServer !!!!
-> Port 2008 needs to be open for incoming and outgoing connections.

Cracked way (AccServer and TSServer on the same server):
- TSServer(?/2008) calls AccServer(2008).
- AccServer checks license and sends back the answer
- AccServer(?/2008) sends an approve/deny message to the TSServer(2008)
- now, the cracked AccServer is "stupid". It will send a DENY for all invalid requests (including those ones not even being a license request but a "normal" ping request)
-> incoming Port 2008 does need to be closed, otherwise you will get an answer from the AccServer.
-> Port 2008 only needs to be open within the local network. Outgoing ~, and incoming connections are not required.

Having said this, it should be obvious that you should close Port 2008 for incoming connections when having a cracked server.
If not, ask me :p

/edit:
Now, let's say you ping a server on port 2008, and it answers: simply analyse the message it sends back: is it an approve/deny answer? Yes? Well, there is an AccServer running on this server. So - the license is cracked with a very high possibility :p (no need to run an AccServer with a valid license :p)
 
