#!/bin/bash
# Settings used by the rules below. Port values are iptables multiport
# lists (comma separated).
PATH="/sbin:/usr/sbin:/bin:/usr/bin"   # resolve iptables from the system dirs
SSH="33843"      # port opened by the SSH rule (non-default)
HTTP="80,443"    # web ports: rate limited by HTTP_DOS, then accepted
IDENT="113"      # answered with tcp-reset
NTP="123"
MYSQL="3306"     # defined but not referenced by any rule in this script
DHCP="67,68"     # defined but not referenced by any rule in this script
#######################################
# Reset the filter table to a clean, permissive state before the policy
# is (re)applied: flush all rules, delete user-defined chains, zero the
# packet/byte counters, and set every built-in chain policy to ACCEPT.
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
initialize() {
  local flag chain
  # -F flush rules, -X delete user chains, -Z clear counters
  for flag in -F -X -Z; do
    iptables "$flag"
  done
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" ACCEPT
  done
}
#######################################
# Persist the running rule set via the init script and reload it, so the
# rules survive a restart of the iptables service.
# Globals:   none
# Arguments: none
# Returns:   0 when both save and restart succeed, 1 otherwise
#######################################
finailize() {
  if /etc/init.d/iptables save && /etc/init.d/iptables restart; then
    return 0
  fi
  return 1
}
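# ---------------------------------------------------------------------
# Apply the firewall policy. INPUT is evaluated top-down, so the anti-scan
# and rate-limit chains are attached before the per-service ACCEPT rules.
# Default policy: drop inbound and forwarded traffic, allow outbound.
# ---------------------------------------------------------------------
initialize
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT # SELF -> SELF
# Replies to traffic this host initiated. Deliberately not limited to
# -p tcp: conntrack also tracks UDP and ICMP, so DNS/NTP answers come back
# as ESTABLISHED without a source-port based ACCEPT (see DNS below).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Security Setting
## Deny hosts
# Template for blocking a single source: log (rate limited), then drop.
#iptables -A INPUT -s ip -m limit --limit 1/s -j LOG --log-prefix "DENY_HOST: "
#iptables -A INPUT -s ip -j DROP
## Stealth Scan
# Log and drop TCP segments whose flag combinations do not occur in a
# normal handshake (NULL, XMAS, SYN+FIN, unsolicited SYN+ACK, ...).
iptables -N STEALTH_SCAN
iptables -A STEALTH_SCAN -j LOG --log-prefix "STEALTH SCAN: "
iptables -A STEALTH_SCAN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j STEALTH_SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j STEALTH_SCAN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j STEALTH_SCAN
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j STEALTH_SCAN
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j STEALTH_SCAN
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j STEALTH_SCAN
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j STEALTH_SCAN
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j STEALTH_SCAN
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j STEALTH_SCAN
## Fragment Packet
iptables -A INPUT -f -j LOG --log-prefix 'FRAGMENT PACKET: '
iptables -A INPUT -f -j DROP
## Ping of Death
# echo-request is accepted at 1/s (burst 4); anything faster is logged and
# dropped, so no echo-request reaches the generic ICMP rule further down.
iptables -N ping-death
iptables -A ping-death -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A ping-death -j LOG --log-prefix "PING OF DEATH: "
iptables -A ping-death -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j ping-death
## Synflood
# NOTE(review): this chain is created but no INPUT rule jumps to it, so as
# written it has no effect. Attach it to new TCP connections or remove it.
iptables -N drop_synflood
iptables -A drop_synflood -m limit --limit 10/s --limit-burst 10 -j RETURN
iptables -A drop_synflood -j LOG --log-prefix "SYNFLOOD: " -m limit --limit 1/s --limit-burst 10
iptables -A drop_synflood -j DROP
## Http DoS/DDoS
# Per-source-IP limit on the web ports: 10/s with a burst of 30; excess is
# logged and dropped. --hashlimit-htable-expire is in milliseconds.
iptables -N HTTP_DOS
iptables -A HTTP_DOS -p tcp -m multiport --dports "$HTTP" \
  -m hashlimit \
  --hashlimit 10/s \
  --hashlimit-burst 30 \
  --hashlimit-htable-expire 3000000 \
  --hashlimit-mode srcip \
  --hashlimit-name t_HTTP_DOS \
  -j RETURN
iptables -A HTTP_DOS -j LOG --log-prefix "HTTP DOS: "
iptables -A HTTP_DOS -j DROP
iptables -A INPUT -p tcp -m multiport --dports "$HTTP" -j HTTP_DOS
## IDENT scan
# Answer IDENT probes with a TCP RST instead of letting the client time out.
iptables -A INPUT -p tcp -m multiport --dports "$IDENT" -j REJECT --reject-with tcp-reset
# Settings
## ICMP
# All remaining ICMP types are accepted; echo-request was decided in ping-death.
iptables -A INPUT -p icmp -j ACCEPT
## HTTP, HTTPS
iptables -A INPUT -p tcp -m multiport --dports "$HTTP" -j ACCEPT
## SSH
iptables -A INPUT -p tcp -m multiport --dports "$SSH" -j ACCEPT
## DNS
# No explicit rule: resolver answers arrive as ESTABLISHED through the
# conntrack rule above. Accepting on `--sports 53` is deliberately avoided
# because it would let any packet with source port 53 reach any local port.
## NTP
iptables -A INPUT -p udp --dport "$NTP" -j ACCEPT
# Output
iptables -A OUTPUT -j ACCEPT
# Persist the rule set and reload it; without this step the rules are lost
# on the next restart of the iptables service.
finailize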