Cvar1984 · August 17, 2023 05:11
diff --git a/chains.sh b/chains.sh
 #!/usr/bin/bash

 # NEW state matches a packet creating a new connection or is part of a two-way connection that has not seen packets in both directions.
 # ESTABLISHED his state indicates that the packet’s linked to a connection that has seen packets in both directions.
 # RELATED state means that the packet’s starting a new connection, but is associated with an existing connection.

 # Reset all chains
 iptables -F
 iptables -X LOGGING

 # Allow Loopback Connections
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 # Allow established-related connections
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 # DNS Resolver
 iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
 iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

 # SSH Shell
 iptables -A INPUT -p tcp --dport 40141 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp --sport 40141 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

 # Socks proxy
 iptables -A INPUT -p tcp --dport socks -s 96.9.87.183 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp --dport socks -s 96.9.87.183  -m conntrack --ctstate ESTABLISHED -j ACCEPT


 # HTTP/HTTPS
 iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

 # Email services
 iptables -A INPUT -p tcp -m multiport --dports 25,26,995,993,143,110,465 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp -m multiport --dports 25,26,995,993,143,110,465 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

 # Outgoing ICMP
 iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-reply -j ACCEPT
 iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -j ACCEPT

 # Incoming ICMP
 iptables -A INPUT -p icmp -m state --state ESTABLISHED --icmp-type echo-request -j ACCEPT
 iptables -A INPUT -p icmp -m state --state ESTABLISHED --icmp-type echo-reply -j ACCEPT

 # Github
 iptables -A INPUT -p tcp --dport 9418 -m state --state ESTABLISHED -j ACCEPT # git://
 iptables -A OUTPUT -p tcp --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT # git://
 iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT # ssh://
 iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT # ssh://

 # Minecraft server
 iptables -A INPUT -p tcp --dport 25565 -j ACCEPT # java ipv4
 iptables -A INPUT -p udp --dport 19132 -j ACCEPT # bedrock ipv4
 iptables -A INPUT -p udp --dport 19133 -j ACCEPT # bedrock ipv6
 iptables -A INPUT -p udp --dport 24454 -j ACCEPT # java VoIP chat

 # Block invalid packets
 iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
 iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

 # Block uncommon mss values
 iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

 # Block packets with bogus TCP flags
 iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
 iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
 iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
 iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
 iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
 iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

 # Block packets from private subnets (spoofing)
 iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 
 iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 
 iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 
 iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 
 iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 
 iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 
 iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 
 iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 
 iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

 # Logging
 iptables -N LOGGING
 iptables -A INPUT -j DROP # drop unwanted incoming to LOGGING
 iptables -A OUTPUT -j DROP # drop unwanted outgoing to LOGGING
 iptables -A FORWARD -j DROP # drop unused chain
 iptables -A LOGGING -j LOG --log-prefix  "ipt denied: " --log-level 4 # /usr/include/syslog.h
 iptables -A LOGGING -j DROP # close anything forwarded to logging

 # Save configurations
 iptables-save
	#!/usr/bin/bash

	# NEW state matches a packet creating a new connection or is part of a two-way connection that has not seen packets in both directions.
	# ESTABLISHED his state indicates that the packet’s linked to a connection that has seen packets in both directions.
	# RELATED state means that the packet’s starting a new connection, but is associated with an existing connection.

	# Reset all chains
	iptables -F
	iptables -X LOGGING

	# Allow Loopback Connections
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT

	# Allow established-related connections
	iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

	# DNS Resolver
	iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
	iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

	# SSH Shell
	iptables -A INPUT -p tcp --dport 40141 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp --sport 40141 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

	# Socks proxy
	iptables -A INPUT -p tcp --dport socks -s 96.9.87.183 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp --dport socks -s 96.9.87.183 -m conntrack --ctstate ESTABLISHED -j ACCEPT


	# HTTP/HTTPS
	iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

	# Email services
	iptables -A INPUT -p tcp -m multiport --dports 25,26,995,993,143,110,465 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m multiport --dports 25,26,995,993,143,110,465 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

	# Outgoing ICMP
	iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-reply -j ACCEPT
	iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -j ACCEPT

	# Incoming ICMP
	iptables -A INPUT -p icmp -m state --state ESTABLISHED --icmp-type echo-request -j ACCEPT
	iptables -A INPUT -p icmp -m state --state ESTABLISHED --icmp-type echo-reply -j ACCEPT

	# Github
	iptables -A INPUT -p tcp --dport 9418 -m state --state ESTABLISHED -j ACCEPT # git://
	iptables -A OUTPUT -p tcp --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT # git://
	iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT # ssh://
	iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT # ssh://

	# Minecraft server
	iptables -A INPUT -p tcp --dport 25565 -j ACCEPT # java ipv4
	iptables -A INPUT -p udp --dport 19132 -j ACCEPT # bedrock ipv4
	iptables -A INPUT -p udp --dport 19133 -j ACCEPT # bedrock ipv6
	iptables -A INPUT -p udp --dport 24454 -j ACCEPT # java VoIP chat

	# Block invalid packets
	iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
	iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

	# Block uncommon mss values
	iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

	# Block packets with bogus TCP flags
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
	iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

	# Block packets from private subnets (spoofing)
	iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
	iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
	iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
	iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
	iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
	iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
	iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
	iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
	iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

	# Logging
	iptables -N LOGGING
	iptables -A INPUT -j DROP # drop unwanted incoming to LOGGING
	iptables -A OUTPUT -j DROP # drop unwanted outgoing to LOGGING
	iptables -A FORWARD -j DROP # drop unused chain
	iptables -A LOGGING -j LOG --log-prefix "ipt denied: " --log-level 4 # /usr/include/syslog.h
	iptables -A LOGGING -j DROP # close anything forwarded to logging

	# Save configurations
	iptables-save