CyberFlameGO · July 5, 2021 00:17
diff --git a/proxy_basic_iptable_rules.sh b/proxy_basic_iptable_rules.sh
 ### Recommended BASIC IPTables firewall rules for Bungeecord networks ###
 # Anything containing 'OPTIONAL' may cause network issues on some server setups. Use at your own risk (Can obviously be removed #

 ### 1: Drop invalid packets ###
 /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

 ### 2: Drop TCP packets that are new and are not SYN ###
 /sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

 ### 4: Block packets with bogus TCP flags ###
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

 ### 7: Drop fragments in all chains ###
 /sbin/iptables -t mangle -A PREROUTING -f -j DROP

 ### 8: Limit connections per source IP ### !!!OPTIONAL, DO NOT USE THIS IF IT CAUSES ISSUES!!!
 /sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

 ### 9: Limit RST packets ### !!!OPTIONAL, DO NOT USE IF THIS CAUSES ISSUE (Unlikely)!!!
 /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
 /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

 ### 10: Limit new TCP connections per second per source IP ###
 /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 30/s --limit-burst 10 -j ACCEPT
 /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

 ### SSH brute-force protection ### (Useful for more then just SSH issues...)
 /sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
 /sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
	### Recommended BASIC IPTables firewall rules for Bungeecord networks ###
	# Anything containing 'OPTIONAL' may cause network issues on some server setups. Use at your own risk (Can obviously be removed #

	### 1: Drop invalid packets ###
	/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

	### 2: Drop TCP packets that are new and are not SYN ###
	/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

	### 4: Block packets with bogus TCP flags ###
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
	/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

	### 7: Drop fragments in all chains ###
	/sbin/iptables -t mangle -A PREROUTING -f -j DROP

	### 8: Limit connections per source IP ### !!!OPTIONAL, DO NOT USE THIS IF IT CAUSES ISSUES!!!
	/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

	### 9: Limit RST packets ### !!!OPTIONAL, DO NOT USE IF THIS CAUSES ISSUE (Unlikely)!!!
	/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
	/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

	### 10: Limit new TCP connections per second per source IP ###
	/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 30/s --limit-burst 10 -j ACCEPT
	/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

	### SSH brute-force protection ### (Useful for more then just SSH issues...)
	/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
	/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP