My iptables script

#21
Code:
nano firewall.sh;chmod 755 firewall.sh;./firewall.sh
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides:  iptables
# Required-Start:  $local_fs $network
# Required-Stop:  $local_fs $network
# Default-Start:  2 3 4 5
# Default-Stop:  0 1 6
# Short-Description: Firewall Rules for iptables
# Description: EDIT THIS FILE TO YOUR NEEDS BEFORE EXECUTING
### END INIT INFO
aptitude install iptables iptables-persistent fail2ban
service fail2ban stop
iptables -F
iptables -X
#DENY
iptables -N DENY
iptables -A DENY -p tcp -m tcp -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with tcp-reset
iptables -A DENY -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with icmp-proto-unreachable
iptables -A DENY -p tcp ! --syn -m state --state NEW -j DROP
iptables -A DENY -f -j DROP
iptables -A DENY -p tcp --tcp-flags ALL ALL -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Limit Ping Flood" -j ACCEPT
#iptables -A DENY -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence
# Note: as ordered, these two rules are never reached, because packets with
# ALL NONE / ALL ALL flags are already dropped unconditionally a few lines above.
iptables -A DENY -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -m comment --comment "Anti-Portscan" -j ACCEPT
iptables -A DENY -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -m comment --comment "Anti-Portscan2" -j ACCEPT
#Drop unusual flags
iptables -A DENY -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A DENY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A DENY -m comment --comment "Ignore everything else" -j DROP
#BLOCKED
iptables -N BLOCKED
#ALLOWED
iptables -N ALLOWED
#iptables -A ALLOWED -s <YOUR IP HERE> -j ACCEPT ###EDIT AND UNCOMMENT THIS LINE!
#SERVICES
iptables -N SERVICES
iptables -A SERVICES -p tcp -m tcp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m multiport --dports 80,8080,443 -m comment --comment "Allow: Webserver" -j ACCEPT
iptables -A SERVICES -j RETURN
#TEAMSPEAK
iptables -N TEAMSPEAK
#iptables -A TEAMSPEAK -p tcp -m tcp --dport 2008 -m comment --comment "Allow: TeamSpeak Accounting" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 10011 -m comment --comment "Allow: TeamSpeak ServerQuery" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m multiport --dports 30033 -m comment --comment "Allow: TeamSpeak FileTransfer" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 41144 -m comment --comment "Allow: TeamSpeak TSDNS" -j ACCEPT
iptables -A TEAMSPEAK -p udp -m udp --dport 1:65535 -m comment --comment "Allow: TeamSpeak Voiceports" -j ACCEPT
iptables -A TEAMSPEAK -j RETURN
#INPUT
iptables -A INPUT -m comment --comment "Allow Whitelisted IP's" -j ALLOWED
iptables -A INPUT -m comment --comment "Block Blacklisted IP's" -j BLOCKED
iptables -A INPUT -i lo -m comment --comment "Allow: Loopback" -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow: Related and Established Connections" -j ACCEPT
iptables -A INPUT -m comment --comment "Allow Default Services" -j SERVICES
iptables -A INPUT -m comment --comment "Allow TeamSpeak Services" -j TEAMSPEAK
iptables -A INPUT -p icmp -m comment --comment "Allow: ICMP" -j ACCEPT
iptables -A INPUT -m comment --comment "Ignore everything else" -j DENY
iptables -P INPUT DROP
/etc/init.d/iptables-persistent save
service fail2ban start
clear
iptables -L
If you want to easily add or remove entries from the ALLOWED/BLOCKED chains, you can use the following script, created by @Supervisor:
Code:
nano firewall;chmod +x firewall
Code:
#!/bin/sh
# Usage: ./firewall block|unblock|allow|disallow IP
# Requires the ALLOWED and BLOCKED chains created by firewall.sh
if [ -z "$2" ]; then
    printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n"
    exit 1
fi
case "$1" in
block*)    iptables -I BLOCKED -s "$2" -j DROP ;;
unblock*)  iptables -D BLOCKED -s "$2" -j DROP ;;
allow*)    iptables -I ALLOWED -s "$2" -j ACCEPT ;;
disallow*) iptables -D ALLOWED -s "$2" -j ACCEPT ;;
*) printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n"; exit 1 ;;
esac
# Exit with the status of the iptables command above (0 on success)
exit $?

P.S. I managed to set up iptables with [link not available].
It blocked the source list ... and when I upload a pic or something like that I get a connection lost ....
 

Bluscream
#27
Search Google for "FTP ports" and "sinusbot ports" and add them to the script before executing it.
 
#28
This is vsftpd FTP (port 21) and the Sinusbot stream port 80.
Adding these lines:
Code:
iptables -A SERVICES -p tcp -m tcp --dport 21 -m comment --comment "Allow: FTP" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 80 -m comment --comment "Allow: Sinusbot stream" -j ACCEPT
iptables -A ALLOWED -s 195.xxx.xxx.xxx -j ACCEPT

It does not work; even restarting the VPS gives nothing.
 
#29
This is vsftpd FTP (port 21) and the Sinusbot stream port 80.
Adding these lines:
Code:
iptables -A SERVICES -p tcp -m tcp --dport 21 -m comment --comment "Allow: FTP" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 80 -m comment --comment "Allow: Sinusbot stream" -j ACCEPT
iptables -A ALLOWED -s 195.xxx.xxx.xxx -j ACCEPT

It does not work; even restarting the VPS gives nothing.
Use "/sbin/service iptables save" :)
 
#31
These can be saved in a file with the command iptables-save for IPv4.

Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4
RHEL/CentOS: iptables-save > /etc/sysconfig/iptables

These files can be loaded again with the command iptables-restore for IPv4.

Debian/Ubuntu: iptables-restore < /etc/iptables/rules.v4
RHEL/CentOS: iptables-restore < /etc/sysconfig/iptables

If you would also like to use IPv6 rules, these can be stored in a separate file.

Debian/Ubuntu: ip6tables-save > /etc/iptables/rules.v6
RHEL/CentOS: ip6tables-save > /etc/sysconfig/ip6tables
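As an added example (not code from the thread), a small Python audit that reads a ruleset in the iptables-save format saved above and lists every ACCEPT rule's destination ports, flagging wide ranges. The sample ruleset is a constructed excerpt modelled on the thread's firewall.sh, where the TEAMSPEAK chain accepts UDP 1:65535.

```python
import shlex

# Constructed sample in iptables-save format, modelled on the thread's
# firewall.sh (this is what rules.v4 would contain after iptables-save).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:SERVICES - [0:0]
:TEAMSPEAK - [0:0]
-A INPUT -m comment --comment "Allow Default Services" -j SERVICES
-A INPUT -m comment --comment "Allow TeamSpeak Services" -j TEAMSPEAK
-A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "Allow: SSH-Access" -j ACCEPT
-A SERVICES -p tcp -m multiport --dports 80,8080,443 -m comment --comment "Allow: Webserver" -j ACCEPT
-A TEAMSPEAK -p udp -m udp --dport 1:65535 -m comment --comment "Allow: TeamSpeak Voiceports" -j ACCEPT
COMMIT
"""


def parse_accepts(text):
    """Return (chain, proto, portspec) for each '-A' rule that has a
    --dport/--dports and a '-j ACCEPT' target; other lines are skipped."""
    found = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        args = shlex.split(line)  # honours the quoted --comment values
        if "-j" not in args or args[args.index("-j") + 1] != "ACCEPT":
            continue
        proto = args[args.index("-p") + 1] if "-p" in args else "any"
        spec = None
        for flag in ("--dport", "--dports"):
            if flag in args:
                spec = args[args.index(flag) + 1]
        if spec is not None:
            found.append((args[1], proto, spec))
    return found


def wide_ranges(accepts, threshold=1024):
    """Flag port specs spanning more than `threshold` ports, e.g. 1:65535,
    which makes a 'service' chain equivalent to ACCEPT for that protocol."""
    wide = []
    for chain, proto, spec in accepts:
        for part in spec.split(","):
            lo, _, hi = part.partition(":")
            span = int(hi) - int(lo) + 1 if hi else 1
            if span > threshold:
                wide.append((chain, proto, part, span))
    return wide
```

Run it against `iptables-save` output (for example `/etc/iptables/rules.v4`) to see which ports a ruleset really exposes before loading it with iptables-restore.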
 
#36
After installing this, no one, not even bots, can do anything in query, and banners don't appear.
Please help me get rid of it.
 
#39
It can filter the connections, so yes, but not a lot of it .. >D
Thanks mate.
I know the question I am going to ask is not related to this thread, but I am really in doubt about what I'm going to do at the moment.
I manage a Battlefield 4 clan that has around 60 - 65 members. We have the NPL on our TeamSpeak, but we have been suffering from DDoS attacks lately. We run our whole system, website/TeamSpeak, everything on our OVH cloud, and it seems the cloud firewall (OVH PRO) is totally inefficient at protecting our network, and they can only provide protection if I buy the gaming cloud, which is very expensive for me now.
So I have been thinking lately of moving from OVH to BLAZINGFAST.IO or NFO SERVERS because they have really cheap VPSs with mitigation protection.

May I ask where you host your TeamSpeaks? Or what provider do you recommend for me to use?

Thanks,
Best regards.
 
#40
Thanks mate.
I know the question I am going to ask is not related to this thread, but I am really in doubt about what I'm going to do at the moment.
I manage a Battlefield 4 clan that has around 60 - 65 members. We have the NPL on our TeamSpeak, but we have been suffering from DDoS attacks lately. We run our whole system, website/TeamSpeak, everything on our OVH cloud, and it seems the cloud firewall (OVH PRO) is totally inefficient at protecting our network, and they can only provide protection if I buy the gaming cloud, which is very expensive for me now.
So I have been thinking lately of moving from OVH to BLAZINGFAST.IO or NFO SERVERS because they have really cheap VPSs with mitigation protection.

May I ask where you host your TeamSpeaks? Or what provider do you recommend for me to use?

Thanks,
Best regards.
First of all, I would never run a webserver, gameserver and TeamSpeak on one system. TeamSpeak is a DDoS magnet; you should move it to a separate node or use an external TeamSpeak provider.
 