m5r · March 10, 2017 15:19
diff --git a/iptables.sh b/iptables.sh
 #!/usr/bin/env bash
 set -e # Exit on errors

 # A configurable, strict IPTables firewall
 # Save this to /usr/local/bin and modify to your needs

 # Config - edit this!
 ETH_INTERFACE="eth0"
 ALLOW_PORTS="22 80 443"

 # Do not edit below unless you know what you are doing

 # Check if we are root
 [ $EUID == 0 ] || { echo "This script must be run as root"; exit 1; }

 # Support both space and comma delimited configuration strings
 ALLOW_PORTS=${ALLOW_PORTS// /,}

 # Clear ALL iptables settings
 iptables -F
 iptables -X

 # Drop all connections by default
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP

 # Allow inter-communication
 iptables -A INPUT -i lo -j ACCEPT

 # Allow incoming connections if we initiated them
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 # Allow access to some ports
 iptables -A INPUT -i $ETH_INTERFACE -p tcp -m multiport --dports $ALLOW_PORTS -j ACCEPT

 # If someone connects to SSH 6 times in 3 minutes, drop them for 3 minutes
 iptables -I INPUT -p tcp --dport 22 -i $ETH_INTERFACE -m conntrack --ctstate NEW -m recent --set
 iptables -I INPUT -p tcp --dport 22 -i $ETH_INTERFACE -m conntrack --ctstate NEW -m recent --update --seconds 180 --hitcount 6 -j DROP

 ## Allow outgoing ping request
 iptables -A OUTPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 # Allow incoming ping request
 iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 # Drop connections from private IP addresses except ours
 iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
 iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
 iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
 iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
 iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
 iptables -A INPUT -i eth0 -s 192.168.0.50 -j ACCEPT

 # Log outgoing SSH authentication
 iptables -I OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j LOG --log-prefix "Outgoing SSH connection"

 # http://stackoverflow.com/questions/1521462/looping-through-the-content-of-a-file-in-bash
 # Block TOR IP addresses
 wget https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
 while read line; do
  echo $line
 done < Tor_ip_list_ALL.csv
 rm Tor_ip_list_ALL.csv

 # http://serverfault.com/questions/410604/iptables-rules-to-counter-the-most-common-dos-attacks
 # Stop smurf attacks
 iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
 iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
 iptables -A INPUT -p icmp -m icmp -j DROP

 # Drop all invalid packets
 iptables -A INPUT -m state --state INVALID -j DROP
 iptables -A OUTPUT -m state --state INVALID -j DROP

 # Drop excessive RST packets to avoid smurf attacks
 iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

 # Attempt to block portscans
 # Anyone who tried to portscan us is locked out for an entire day.
 iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP

 # Once the day has passed, remove them from the portscan list
 iptables -A INPUT -m recent --name portscan --remove

 # These rules add scanners to the portscan list, and log the attempt.
 iptables -A INPUT -p tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
 iptables -A INPUT -p tcp --dport 139 -m recent --name portscan --set -j DROP

 # https://blog.axopen.com/2014/03/geopip-iptables-firewall-ddos/
 # Block Chinese IP addresses
 iptables -A INPUT -m geoip --src-cc RU,CN -j DROP

 echo -e "\nDone! Use one of the following commands to save your new setup:"
 echo -e "CentOS 7:\t service iptables save"
 echo -e "Arch:\t\t iptables-save > /etc/iptables/iptables.rules"
 echo -e "Debian 7/8:\t apt-get install iptables-persistent; /etc/init.d/iptables-persistent save"
 echo -e "Ubuntu 12/14:\t Same as Debian 7/8"
 echo -e "CentOS 6:\t /etc/init.d/iptables save"
	#!/usr/bin/env bash
	set -e # Exit on errors

	# A configurable, strict IPTables firewall
	# Save this to /usr/local/bin and modify to your needs

	# Config - edit this!
	ETH_INTERFACE="eth0"
	ALLOW_PORTS="22 80 443"

	# Do not edit below unless you know what you are doing

	# Check if we are root
	[ $EUID == 0 ] \|\| { echo "This script must be run as root"; exit 1; }

	# Support both space and comma delimited configuration strings
	ALLOW_PORTS=${ALLOW_PORTS// /,}

	# Clear ALL iptables settings
	iptables -F
	iptables -X

	# Drop all connections by default
	iptables -P INPUT DROP
	iptables -P FORWARD DROP
	iptables -P OUTPUT DROP

	# Allow inter-communication
	iptables -A INPUT -i lo -j ACCEPT

	# Allow incoming connections if we initiated them
	iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

	# Allow access to some ports
	iptables -A INPUT -i $ETH_INTERFACE -p tcp -m multiport --dports $ALLOW_PORTS -j ACCEPT

	# If someone connects to SSH 6 times in 3 minutes, drop them for 3 minutes
	iptables -I INPUT -p tcp --dport 22 -i $ETH_INTERFACE -m conntrack --ctstate NEW -m recent --set
	iptables -I INPUT -p tcp --dport 22 -i $ETH_INTERFACE -m conntrack --ctstate NEW -m recent --update --seconds 180 --hitcount 6 -j DROP

	## Allow outgoing ping request
	iptables -A OUTPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
	iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

	# Allow incoming ping request
	iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
	iptables -A OUTPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

	# Drop connections from private IP addresses except ours
	iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
	iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
	iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
	iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
	iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
	iptables -A INPUT -i eth0 -s 192.168.0.50 -j ACCEPT

	# Log outgoing SSH authentication
	iptables -I OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j LOG --log-prefix "Outgoing SSH connection"

	# http://stackoverflow.com/questions/1521462/looping-through-the-content-of-a-file-in-bash
	# Block TOR IP addresses
	wget https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
	while read line; do
	echo $line
	done < Tor_ip_list_ALL.csv
	rm Tor_ip_list_ALL.csv

	# http://serverfault.com/questions/410604/iptables-rules-to-counter-the-most-common-dos-attacks
	# Stop smurf attacks
	iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
	iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
	iptables -A INPUT -p icmp -m icmp -j DROP

	# Drop all invalid packets
	iptables -A INPUT -m state --state INVALID -j DROP
	iptables -A OUTPUT -m state --state INVALID -j DROP

	# Drop excessive RST packets to avoid smurf attacks
	iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

	# Attempt to block portscans
	# Anyone who tried to portscan us is locked out for an entire day.
	iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP

	# Once the day has passed, remove them from the portscan list
	iptables -A INPUT -m recent --name portscan --remove

	# These rules add scanners to the portscan list, and log the attempt.
	iptables -A INPUT -p tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
	iptables -A INPUT -p tcp --dport 139 -m recent --name portscan --set -j DROP

	# https://blog.axopen.com/2014/03/geopip-iptables-firewall-ddos/
	# Block Chinese IP addresses
	iptables -A INPUT -m geoip --src-cc RU,CN -j DROP

	echo -e "\nDone! Use one of the following commands to save your new setup:"
	echo -e "CentOS 7:\t service iptables save"
	echo -e "Arch:\t\t iptables-save > /etc/iptables/iptables.rules"
	echo -e "Debian 7/8:\t apt-get install iptables-persistent; /etc/init.d/iptables-persistent save"
	echo -e "Ubuntu 12/14:\t Same as Debian 7/8"
	echo -e "CentOS 6:\t /etc/init.d/iptables save"