A really basic way to block out most of the world from annoying a host of yours. Now with pingdom added.
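#!/bin/sh
#
# Host firewall for a single server: default-deny on the public interface,
# allow HTTP/HTTPS/SSH, a short list of ICMP types and traceroute replies,
# let Pingdom's probe addresses through the geo-blocklist for the monitored
# services only, and drop large regional address blocks wholesale.
#
# Must run as root; it rewrites the live iptables ruleset in place.
# IPv4 only: ip6tables is never touched, so on an IPv6-enabled host the
# v6 policy stays whatever it was before this script ran.
#################################################################
##
## START VARIABLES
##
IPTABLES="/sbin/iptables"
INET_IFACE="eth0"
LO_IFACE="lo"
# these are ports and protocol IPs that shouldn't change.
HTTP_PORT="80"
HTTPS_PORT="443"
SSH_PORT="22"
# TCP ports the Pingdom probes may reach (comma-separated, for -m multiport).
# The probes get these services plus ICMP echo-request -- not blanket access.
PINGDOM_TCP_PORTS="$HTTP_PORT,$HTTPS_PORT"
# User-defined chains owned by this script; flushed and deleted before
# being re-created so the script is safe to re-run.
CHAINS="icmp_packets tcp_packets udpincoming_packets bad_stuff pingdom"
# Rate limit for the log-before-drop rule, so a flood cannot fill syslog.
LOG_LIMIT="5/min"

# Pingdom probe addresses as listed by the author; refresh from Pingdom's
# published probe list when they change.  Many of these sit inside the /8
# blocks dropped by bad_stuff (e.g. 95.141.32.46 is in 95.0.0.0/8), which
# is why the pingdom chain has to be consulted before bad_stuff.
PINGDOM_IPS="
95.141.32.46
95.211.217.68
91.109.115.41
83.170.113.210
174.34.224.167
72.46.140.106
76.72.172.208
184.75.210.226
78.40.124.16
67.205.67.76
188.138.118.184
188.138.124.110
85.17.156.99
85.17.156.11
85.17.156.76
72.46.153.26
208.64.28.194
76.164.194.74
184.75.210.90
184.75.208.210
184.75.209.18
46.165.195.139
199.87.228.66
76.72.167.90
94.247.174.83
69.64.56.47
176.31.228.137
184.75.210.186
108.62.115.226
94.46.4.1
46.20.45.18
50.23.94.74
64.141.100.136
69.59.28.19
178.255.154.2
178.255.153.2
178.255.155.2
64.237.55.3
178.255.152.2
212.84.74.156
173.204.85.217
173.248.147.18
72.46.130.42
94.46.240.121
208.43.68.59
67.228.213.178
96.31.66.245
82.103.128.63
174.34.156.130
70.32.40.2
174.34.162.242
85.25.176.167
204.152.200.42
95.211.87.85
64.120.6.122
158.58.173.160
76.72.171.180
72.46.140.186
78.31.69.179
95.211.198.87
"

# Source networks dropped outright on the public interface.  These are
# coarse whole-/8 cuts, not an authoritative registry map: legitimate
# traffic inside them (including the Pingdom probes above) is lost unless
# explicitly allowed earlier in INPUT.
### Asian/APNIC IPs (includes NZ, AU)
APNIC_NETS="
58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 61.0.0.0/8
110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8
116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8
122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8
169.208.0.0/12
175.0.0.0/8 180.0.0.0/8 182.0.0.0/8 183.0.0.0/8
202.0.0.0/8 203.0.0.0/8 210.0.0.0/8 211.0.0.0/8
218.0.0.0/8 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8
"
### African (AFRINIC) IPs
AFRINIC_NETS="
41.0.0.0/8 154.0.0.0/8 197.0.0.0/8
"
### RIPE - Europe, Africa, Middle East
RIPE_NETS="
62.0.0.0/8
77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8 81.0.0.0/8 82.0.0.0/8
83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8
89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8
95.0.0.0/8
"
### Latin America/LACNIC IPs
LACNIC_NETS="
186.0.0.0/8 187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 200.0.0.0/8 201.0.0.0/8
"
### US military and DOD, and private-company registered A-nets
US_RESERVED_NETS="
3.0.0.0/8 6.0.0.0/8 7.0.0.0/8 8.0.0.0/8 11.0.0.0/8 13.0.0.0/8
15.0.0.0/8 16.0.0.0/8 17.0.0.0/8 19.0.0.0/8 20.0.0.0/8 21.0.0.0/8
22.0.0.0/8 25.0.0.0/8 28.0.0.0/8 29.0.0.0/8 30.0.0.0/8 33.0.0.0/8
34.0.0.0/8 35.0.0.0/8 38.0.0.0/8 40.0.0.0/8 48.0.0.0/8 51.0.0.0/8
52.0.0.0/8 53.0.0.0/8 55.0.0.0/8 56.0.0.0/8 57.0.0.0/8
214.0.0.0/8 215.0.0.0/8
"

# ICMP types accepted from the public interface:
#   0 echo-reply, 3 destination-unreachable, 5 redirect, 8 echo-request,
#   11 time-exceeded, 12 parameter-problem.
# NOTE(review): accepting type 5 only matters if the kernel honours
# redirects (net.ipv4.conf.*.accept_redirects); leaving it enabled lets a
# neighbour rewrite this host's routes, so consider dropping 5 from the list.
ICMP_TYPES="0 3 5 8 11 12"
##
## END VARIABLES
##
#################################################################
# set default policies for the INPUT, FORWARD and OUTPUT chains
# and then flush them.  Policies go in first so that a failure later in
# this script leaves the host closed rather than open.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F INPUT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -F FORWARD
# Flush and Delete all non builtin chains.  On the very first run the
# chains do not exist yet and -F reports an error; that is expected and
# silenced so the rest of the script still runs.
# shellcheck disable=SC2086 -- CHAINS is a deliberately word-split list
for chain in $CHAINS; do
  "$IPTABLES" -F "$chain" 2>/dev/null
done
"$IPTABLES" -X
# Create separate chains for ICMP, TCP and UDP to traverse, plus the
# allow-list and block-list chains
# shellcheck disable=SC2086
for chain in $CHAINS; do
  "$IPTABLES" -N "$chain"
done
# Unlimited traffic on the localhost interface
# Do immediately in case of firewall script errors!
"$IPTABLES" -A INPUT -i "$LO_IFACE" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$LO_IFACE" -j ACCEPT
# don't mess around with other chains, if its established or related, we know its ok.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#################################################################
##
## START DROP/REJ RULES
##
## drop invalid stuff because, it's invalid.
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP
"$IPTABLES" -A FORWARD -m state --state INVALID -j DROP
"$IPTABLES" -A OUTPUT -m state --state INVALID -j REJECT
## pingdom ips
# shellcheck disable=SC2086
for ip in $PINGDOM_IPS; do
  "$IPTABLES" -A pingdom -s "$ip" -j ACCEPT
done
# Send traffic through the pingdom chain, but only for what a probe needs:
# TCP to the monitored ports and ICMP echo-request.  Previously every
# packet from these third-party addresses was accepted regardless of port,
# which silently exempted them from the SSH/port filtering below.
"$IPTABLES" -A INPUT -i "$INET_IFACE" -p tcp -m multiport --dports "$PINGDOM_TCP_PORTS" -j pingdom
"$IPTABLES" -A INPUT -i "$INET_IFACE" -p icmp --icmp-type 8 -j pingdom
### block-lists, grouped by registry (see the *_NETS lists above)
# shellcheck disable=SC2086
for net in $APNIC_NETS $AFRINIC_NETS $RIPE_NETS $LACNIC_NETS $US_RESERVED_NETS; do
  "$IPTABLES" -A bad_stuff -s "$net" -j DROP
done
# send things through the bad_stuff table
"$IPTABLES" -A INPUT -i "$INET_IFACE" -j bad_stuff
#"$IPTABLES" -A FORWARD -i "$INET_IFACE" -j bad_stuff
##
## END DROP/REJ RULES
##
#################################################################
#################################################################
##
## START shared ICMP rules
##
## ICMP rules
# shellcheck disable=SC2086
for icmp_type in $ICMP_TYPES; do
  "$IPTABLES" -A icmp_packets -p ICMP --icmp-type "$icmp_type" -j ACCEPT
done
##
## END shared ICMP rules
##
#################################################################
#################################################################
##
## START this host's rules
##
## TCP rules for inbound: http, https, ssh
for port in "$HTTP_PORT" "$HTTPS_PORT" "$SSH_PORT"; do
  "$IPTABLES" -A tcp_packets -p TCP --dport "$port" -m state --state NEW -j ACCEPT
done
## UDP rules for inbound
"$IPTABLES" -A udpincoming_packets -p udp --source-port 32769:65535 --destination-port 33434:33523 -j ACCEPT #for traceroute
## for each protocol, jump to specific chain
"$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
"$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udpincoming_packets
"$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
## Anything still here on the public interface is about to hit the DROP
## policy; log it (rate-limited) so blocked connection attempts are visible
## in syslog instead of vanishing silently.
"$IPTABLES" -A INPUT -i "$INET_IFACE" -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "fw-drop: "
# sets the output rule to accept for all.
"$IPTABLES" -A OUTPUT -p ALL -j ACCEPT
##
## END this host's rules
##
#################################################################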