My iptables script

timodohmen

Member
Joined
Oct 16, 2015
Messages
125
Points
63
Age
29
Code:
nano firewall.sh;chmod 755 firewall.sh;./firewall.sh
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides:  iptables
# Required-Start:  $local_fs $network
# Required-Stop:  $local_fs $network
# Default-Start:  2 3 4 5
# Default-Stop:  0 1 6
# Short-Description: Firewall Rules for iptables
# Description: EDIT THIS FILE TO YOUR NEEDS BEFORE EXECUTING
### END INIT INFO#!/bin/sh
aptitude install iptables iptables-persistent fail2ban
service fail2ban stop
iptables -F
iptables -X
#DENY
iptables -N DENY
iptables -A DENY -p tcp -m tcp -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with tcp-reset
iptables -A DENY -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with icmp-proto-unreachable
iptables -A DENY -p tcp ! --syn -m state --state NEW -j DROP
iptables -A DENY -f -j DROP
iptables -A DENY -p tcp --tcp-flags ALL ALL -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Limit Ping Flood" -j ACCEPT
#iptables -A DENY -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A DENY -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -m comment --comment "Anti-Portscan" -j ACCEPT
iptables -A DENY -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -m comment --comment "Anti-Portscan2" -j ACCEPT
#Drop unusual flags
iptables -A DENY -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A DENY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A DENY -m comment --comment "Ignore everything else" -j DROP
#BLOCKED
iptables -N BLOCKED
#ALLOWED
iptables -N ALLOWED
#iptables -A ALLOWED -s <YOUR IP HERE> -j ACCEPT ###EDIT AND UNCOMMENT THIS LINE!
#SERVICES
iptables -N SERVICES
iptables -A SERVICES -p tcp -m tcp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m multiport --dports 80,8080,443 -m comment --comment "Allow: Webserver" -j ACCEPT
iptables -A SERVICES -j RETURN
#TEAMSPEAK
iptables -N TEAMSPEAK
#iptables -A TEAMSPEAK -p tcp -m tcp --dport 2008 -m comment --comment "Allow: TeamSpeak Accounting" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 10011 -m comment --comment "Allow: TeamSpeak ServerQuery" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m multiport --dports 30033 -m comment --comment "Allow: TeamSpeak FileTransfer" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 41144 -m comment --comment "Allow: TeamSpeak TSDNS" -j ACCEPT
iptables -A TEAMSPEAK -p udp -m udp --dport 1:65535 -m comment --comment "Allow: TeamSpeak Voiceports" -j ACCEPT
iptables -A TEAMSPEAK -j RETURN
#INPUT
iptables -A INPUT -m comment --comment "Allow Whitelisted IP's" -j ALLOWED
iptables -A INPUT -m comment --comment "Block Blacklisted IP's" -j BLOCKED
iptables -A INPUT -i lo -m comment --comment "Allow: Loopback" -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow: Related and Established Connections" -j ACCEPT
iptables -A INPUT -m comment --comment "Allow Default Services" -j SERVICES
iptables -A INPUT -m comment --comment "Allow TeamSpeak Services" -j TEAMSPEAK
iptables -A INPUT -p icmp -m comment --comment "Allow: ICMP" -j ACCEPT
iptables -A INPUT -m comment --comment "Ignore everything else" -j DENY
iptables -P INPUT DROP
/etc/init.d/iptables-persistent save
service fail2ban start
clear
iptables -L
If you want to easily add or remove entries from the ALLOWED/BLOCKED chain, you can use the following script, created by @Supervisor:
Code:
nano firewall;chmod +x firewall
Code:
#!/bin/sh
case $1 in
block*) iptables -I BLOCKED -s ${2} -j DROP ;;
unblock*) iptables -D BLOCKED -s ${2} -j DROP ;;
allow*) iptables -I ALLOWED -s ${2} -j ACCEPT ;;
disallow*) iptables -D ALLOWED -s ${2} -j ACCEPT ;;
*) printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n" ;;
esac
exit 1

P.S. I managed to setup iptables with this Tutorial [DE].
IT Blocked the Source list ... and when i upload a pic or something like that i got a conection lost ....
 

dzirikajaki

Member
Joined
Jan 16, 2016
Messages
11
Points
35
Age
58
How to unlock FTP, and sinusbot?

EDIT:

Anyone know?
 
Last edited:

Bluscream

Retired Staff
Contributor
Joined
May 8, 2015
Messages
959
Points
171
Location
Germany
Search the for "FTP ports" and "sinusbot ports" ON Google and add them to the script before executing it.
 

dzirikajaki

Member
Joined
Jan 16, 2016
Messages
11
Points
35
Age
58
This vsftpd FTP (port 21) and Sinusbot stream port 80
Adding these lines:
iptables -A SERVICES -p tcp -m tcp --dport 21 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 80 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A ALLOWED -s 195.xxx.xxx.xxx -j ACCEPT

It does not work even restart VPS gives nothing
 

Santiago

Member
Joined
May 9, 2015
Messages
17
Points
41
Age
25
Location
Brasil
This vsftpd FTP (port 21) and Sinusbot stream port 80
Adding these lines:
iptables -A SERVICES -p tcp -m tcp --dport 21 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 80 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A ALLOWED -s 195.xxx.xxx.xxx -j ACCEPT

It does not work even restart VPS gives nothing
Use "/sbin/service iptables save " :)
 

Santiago

Member
Joined
May 9, 2015
Messages
17
Points
41
Age
25
Location
Brasil
These can be saved in a file with the command iptables-save for IPv4.

Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4
RHEL/CentOS: iptables-save > /etc/sysconfig/iptables

These files can be loaded again with the command iptables-restore for IPv4.

Debian/Ubuntu: iptables-restore < /etc/iptables/rules.v4
RHEL/CentOS: iptables-restore < /etc/sysconfig/iptables

If you would also like to use IPv6 rules, these can be stored in a separate file.

Debian/Ubuntu: ip6tables-save > /etc/iptables/rules.v6
RHEL/CentOS: ip6tables-save > /etc/sysconfig/ip6tables
 

Magic

Member
Joined
Oct 23, 2015
Messages
59
Points
40
Age
45
How to remove all the firewall this script setup, specific please
 

Magic

Member
Joined
Oct 23, 2015
Messages
59
Points
40
Age
45
After installing this no one even bots can do anything in query+banners dont appear.
Please help how to get rid of it.
 

BrazaNATOR

Member
Joined
Apr 30, 2016
Messages
24
Points
40
Location
127.0.0.1:localhost
It can filter the connections so yes but not a lot of it .. >D
Thanks mate.
I know the question i am going to ask is not related with this thread but i am really in doubt of what im going to do at momment.
I manage a Battlefield 4 clan that has arround 60 - 65 members, we have the NPL on our TeamSpeak, but we have been suffering from DDOS attacks lately, we run our whole system, website/teamspeak everything on our OVH cloud, and it seems the cloud firewall (OVH PRO) is totally unefficient to protect our network and they only can provide protection if i buy the gaming cloud that are very expensive for me now.
So i have been thinking lately to move from OVH to BLAZINGFAST.IO or NFO SERVERS because they have a really cheap VPS's with Mitigation protection.

May i ask you where do you host your teamspeaks? or even what provider do you recommend for me to use?

Thanks,
Best regards.
 
Last edited by a moderator:

JoKeR

Member
Joined
Apr 21, 2016
Messages
73
Points
53
Age
26
Thanks mate.
I know the question i am going to ask is not related with this thread but i am really in doubt of what im going to do at momment.
I manage a Battlefield 4 clan that has arround 60 - 65 members, we have the NPL on our TeamSpeak, but we have been suffering from DDOS attacks lately, we run our whole system, website/teamspeak everything on our OVH cloud, and it seems the cloud firewall (OVH PRO) is totally unefficient to protect our network and they only can provide protection if i buy the gaming cloud that are very expensive for me now.
So i have been thinking lately to move from OVH to BLAZINGFAST.IO or NFO SERVERS because they have a really cheap VPS's with Mitigation protection.

May i ask you where do you host your teamspeaks? or even what provider do you recommend for me to use?

Thanks,
Best regards.
First at all I would never run webserver, gameserver and teamspeak on one system. Teamspeak is a ddos magnet you should move it to a separate node or use an external teamspeak provider.
 

Top