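#!/bin/sh
# Reset the host firewall (IPv4 and IPv6) and install a rate limit for
# Teeworlds server-info / connection-request traffic on UDP 8303-8350, then
# persist the result through iptables-persistent.
# Requires: root, iptables, ip6tables, iptables-persistent.
if [ "$(id -u)" -ne "0" ]; then
  # Diagnostics go to stderr and the exit status is non-zero so a wrapper
  # (cron, systemd, CI) can tell that nothing was applied.
  printf '%s\n' "Please run as root" >&2
  exit 1
fi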
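#######################################
# Apply one rule to both the IPv4 and the IPv6 table.
# Arguments: passed verbatim to iptables and then to ip6tables
# Returns:   0 when both succeeded; otherwise the status of iptables if it
#            failed, else the status of ip6tables. Both commands always run,
#            so a v4 failure no longer stops the v6 table from being updated
#            and is no longer hidden behind ip6tables's status.
#######################################
ipt()
{
  ipt_rv4=0
  ipt_rv6=0
  iptables "$@" || ipt_rv4=$?
  ip6tables "$@" || ipt_rv6=$?
  [ "$ipt_rv4" -ne 0 ] && return "$ipt_rv4"
  return "$ipt_rv6"
}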
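# Reset: open default policies, flush every rule and delete every user chain
# in both address families. Whatever was configured before is discarded; from
# here on only the TWSERVERINFO rate limit below is in effect.
ipt -P INPUT ACCEPT
ipt -P FORWARD ACCEPT
ipt -P OUTPUT ACCEPT
ipt -F
ipt -X
# drop hostile ips
#ipt -A INPUT -s 1.2.3.4 -j DROP
# Rate-limit Teeworlds serverinfo and 0.7 new connection requests.
# The active rules match on raw payload bytes with the u32 match; the two
# commented string-match rules are the equivalent for the first two patterns.
ipt -N TWSERVERINFO
#ipt -A INPUT -p udp --dport 8303:8350 -m string --algo bm --from 34 --to 54 --hex-string '|FF FF FF FF|gie3' -j TWSERVERINFO
#ipt -A INPUT -p udp --dport 8303:8350 -m string --algo bm --from 34 --to 54 --hex-string '|FF FF FF FF|fstd' -j TWSERVERINFO
# 0x67696533 is ASCII "gie3", 0x66737464 is "fstd", 0x544b454e is "TKEN".
ipt -A INPUT -p udp --dport 8303:8350 -m u32 --u32 "0x26=0x67696533" -j TWSERVERINFO
ipt -A INPUT -p udp --dport 8303:8350 -m u32 --u32 "0x26=0x66737464" -j TWSERVERINFO
ipt -A INPUT -p udp --dport 8303:8350 -m u32 --u32 "0x20=0x544b454e" -j TWSERVERINFO
# Accept up to 10/s (burst 60) per source address AND up to 100/s (burst 60)
# in total; anything beyond that is logged (at most once a minute, to keep the
# log itself from being flooded) and dropped.
ipt -A TWSERVERINFO \
  -m hashlimit --hashlimit-upto 10/s --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name twserverinfo \
  -m limit --limit 100/s --limit-burst 60 -j ACCEPT
ipt -A TWSERVERINFO -m limit --limit 1/m -j LOG --log-prefix "iptables drop TWSERVERINFO: "
ipt -A TWSERVERINFO -j DROP
# list rules
ipt -L
printf '\n=======================\n'
# Persist only when iptables-persistent is present (it owns /etc/iptables and
# restores rules.v4 / rules.v6 at boot). Fail with a non-zero status otherwise
# so the caller notices that the rules just applied will not survive a reboot.
if ! dpkg-query -s iptables-persistent >/dev/null 2>&1; then
  printf '%s\n' "Please install iptables-persistent" "apt-get install iptables-persistent" >&2
  exit 1
fi
echo "Saving rules"
# A failed save (e.g. missing directory, read-only filesystem) must not look
# like success: report it and exit non-zero.
iptables-save > /etc/iptables/rules.v4 || { printf '%s\n' "Failed to save IPv4 rules" >&2; exit 1; }
ip6tables-save > /etc/iptables/rules.v6 || { printf '%s\n' "Failed to save IPv6 rules" >&2; exit 1; }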