SETI - A ready-to-use IPTABLES firewall configuration (FRAGMENTPACKAGE, XMAX, LAND, SMURF, PORTKNOCKING).
#!/bin/bash
#
# Author: @dabumana
# Copyright BSD
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
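# ---------------------------------------------------------------------------
# Overview
# Host firewall script. Flushes the filter, mangle and raw tables, logs
# traffic (rate-limited), accepts loopback/established traffic and TCP
# 80/443/8000, and gates SSH (TCP 22) behind a three-step port-knock
# sequence 1338 -> 1339 -> 1340 tracked with the `recent` match (lists REQ1,
# REQ2, REQ3). Must run as root. Re-running is safe: every table this script
# writes to is flushed and its user-defined chains are deleted first.
#
# NOTE(review): the jump into TUNNEL (see "Layer streaming") terminates every
# INPUT packet, so the `-A INPUT` rules appended after it never match. They
# are kept verbatim and annotated rather than reordered, because making some
# of them reachable (the rate-limited NEW ACCEPT in particular) would open
# ports the knock sequence is meant to protect. PREROUTING rules in the
# mangle and raw tables are evaluated before the filter table and do apply.
# ---------------------------------------------------------------------------

# iptables needs CAP_NET_ADMIN; without root every rule below would fail.
if (( EUID != 0 )); then
  printf 'error: %s must run as root\n' "${0##*/}" >&2
  exit 1
fi

# Flush the current tables
# Policies go to ACCEPT before flushing so an aborted run never locks the host
# out. They are never changed afterwards: the effective default for INPUT is
# the unconditional DROP at the end of LAYER1, reached through TUNNEL.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush and delete user chains in every table this script writes to (filter,
# mangle, raw). Flushing only the filter table left the mangle/raw PREROUTING
# rules in place, so each re-run duplicated them and `-N` failed with
# "Chain already exists". The nat table is deliberately left untouched.
for table in filter mangle raw; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done
# Log current scan
# Rate-limited: an unconditional LOG on all three chains let any flood fill
# the kernel log. The prefix makes the entries easy to grep.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "seti-input: "
iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "seti-forward: "
iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "seti-output: "
# Tunneling
# TUNNEL dispatches on the knock state; LAYER1..3 are the three knock stages;
# HOSTER is reached after a complete sequence and is the only chain that can
# ACCEPT (TCP 22). None of these chains RETURNs: every path ends in ACCEPT or
# in LAYER1's DROP.
iptables -N TUNNEL
iptables -N LAYER1
iptables -N LAYER2
iptables -N LAYER3
iptables -N HOSTER
# Prepare the input
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Default filter
# Services reachable without knocking. The knock ports (1338-1340) must not
# appear here, otherwise the knock packets would be accepted instead of
# reaching the recent lists.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
# Layer streaming
# NOTE(review): this jump is terminal for every packet that reaches it (see
# the chain definitions above), so no `-A INPUT` rule appended below this
# line is ever evaluated.
iptables -A INPUT -j TUNNEL
# Layer requirement A
# First knock (1338): remember the source in REQ1, drop everything else.
iptables -A LAYER1 -p tcp --dport 1338 -m recent --name REQ1 --set -j DROP
iptables -A LAYER1 -j DROP
# Layer requirement B
# Second knock (1339). Any other packet from the same source clears REQ1 and
# falls back to LAYER1, i.e. the sequence restarts.
iptables -A LAYER2 -m recent --name REQ1 --remove
iptables -A LAYER2 -p tcp --dport 1339 -m recent --name REQ2 --set -j DROP
iptables -A LAYER2 -j LAYER1
# Layer requirement C
# Third knock (1340), same reset semantics as LAYER2.
iptables -A LAYER3 -m recent --name REQ2 --remove
iptables -A LAYER3 -p tcp --dport 1340 -m recent --name REQ3 --set -j DROP
iptables -A LAYER3 -j LAYER1
# Layer hoster
# Sequence complete: REQ3 is consumed by the first packet, which is accepted
# only if it is the SSH connection; the rest of that connection then matches
# the ESTABLISHED rule in INPUT.
iptables -A HOSTER -m recent --name REQ3 --remove
iptables -A HOSTER -p tcp --dport 22 -j ACCEPT
iptables -A HOSTER -j LAYER1
# Tunneling callback
# Most advanced stage first. The REQ1 -> LAYER2 rule previously re-checked
# REQ2 (copy-paste), so LAYER2 was unreachable, REQ2 was never set and the
# sequence could never complete.
iptables -A TUNNEL -m recent --rcheck --seconds 30 --name REQ3 -j HOSTER
iptables -A TUNNEL -m recent --rcheck --seconds 10 --name REQ2 -j LAYER3
iptables -A TUNNEL -m recent --rcheck --seconds 10 --name REQ1 -j LAYER2
iptables -A TUNNEL -j LAYER1
# Block invalid packets
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
# Block new packets that are not SYN
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Block uncommon MSS values
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# Block packets with Bogus TCP flags
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Block ping of death
# NOTE(review): the INPUT rules in this and the following sections sit behind
# the terminal TUNNEL jump and are not evaluated. The rate-limited NEW ACCEPT
# below matches every destination port, so if it were moved in front of the
# TUNNEL jump it would admit new connections (including SSH) without any
# knock; restrict it to the allowed ports before reordering.
iptables -A INPUT -p tcp -m connlimit --connlimit-above 66 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
iptables -t mangle -A PREROUTING -f -j DROP
iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
# Set IP rules
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags ALL RST -j REJECT --reject-with tcp-reset
# SYN
# `-m state` is the deprecated alias of `-m conntrack`; same match.
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN RST,ACK -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags SYN,ACK RST,ACK -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with tcp-reset
# SYN Flood mitigation
# NOTE(review): the raw-table notrack is the first half of the SYNPROXY
# recipe, but the SYNPROXY target below is appended after the TUNNEL jump and
# is not reached. Whether untracked SYNs to the open ports still complete a
# handshake given the mangle-table "! --syn NEW -> DROP" rule should be
# verified on a real host before relying on this section — TODO confirm.
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# RST
iptables -A INPUT -p tcp --tcp-flags RST,ACK SYN -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags RST,FIN RST,FIN -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags RST,SYN RST,SYN -j REJECT --reject-with tcp-reset
# FIN
iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags FIN FIN,ACK -j REJECT --reject-with tcp-reset
# ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j REJECT --reject-with tcp-reset
# URG
iptables -A INPUT -p tcp --tcp-flags URG ACK,URG -j REJECT --reject-with tcp-reset
# ICMP
iptables -A INPUT -p icmp -j REJECT
# Fragment package
iptables -A INPUT --fragment -j REJECT
# Zero length requests
iptables -A INPUT -p tcp -m length --length 0 -j REJECT --reject-with tcp-reset
# Block from subnet
# Drops multicast/reserved, link-local, RFC 1918, TEST-NET-1, "this network"
# and off-loopback 127/8 sources on every interface. On a host that sits
# inside a private LAN the RFC 1918 rules also drop local management traffic.
iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
# /32 matches only the single address 127.0.0.0; the mangle rule above already
# covers the whole 127/8 range off-loopback, and this INPUT rule is behind the
# TUNNEL jump anyway.
iptables -A INPUT -s 127.0.0.0/32 -j DROP
# SSH brute force protection
# Uses the unnamed (DEFAULT) recent list; unreachable behind the TUNNEL jump,
# where HOSTER already admits at most one SSH connection per completed knock.
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
# Block port scanning
# The chain is created but nothing jumps to it; it is inert as written.
iptables -N port-scanning
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP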