My iptables script

timodohmen

Member
Oct 16, 2015
125
43
63
Code:
nano firewall.sh;chmod 755 firewall.sh;./firewall.sh
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides:  iptables
# Required-Start:  $local_fs $network
# Required-Stop:  $local_fs $network
# Default-Start:  2 3 4 5
# Default-Stop:  0 1 6
# Short-Description: Firewall Rules for iptables
# Description: EDIT THIS FILE TO YOUR NEEDS BEFORE EXECUTING
### END INIT INFO#!/bin/sh
aptitude install iptables iptables-persistent fail2ban
service fail2ban stop
iptables -F
iptables -X
#DENY
iptables -N DENY
iptables -A DENY -p tcp -m tcp -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with tcp-reset
iptables -A DENY -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with icmp-proto-unreachable
iptables -A DENY -p tcp ! --syn -m state --state NEW -j DROP
iptables -A DENY -f -j DROP
iptables -A DENY -p tcp --tcp-flags ALL ALL -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Limit Ping Flood" -j ACCEPT
#iptables -A DENY -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A DENY -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -m comment --comment "Anti-Portscan" -j ACCEPT
iptables -A DENY -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -m comment --comment "Anti-Portscan2" -j ACCEPT
#Drop unusual flags
iptables -A DENY -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A DENY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A DENY -m comment --comment "Ignore everything else" -j DROP
#BLOCKED
iptables -N BLOCKED
#ALLOWED
iptables -N ALLOWED
#iptables -A ALLOWED -s <YOUR IP HERE> -j ACCEPT ###EDIT AND UNCOMMENT THIS LINE!
#SERVICES
iptables -N SERVICES
iptables -A SERVICES -p tcp -m tcp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m multiport --dports 80,8080,443 -m comment --comment "Allow: Webserver" -j ACCEPT
iptables -A SERVICES -j RETURN
#TEAMSPEAK
iptables -N TEAMSPEAK
#iptables -A TEAMSPEAK -p tcp -m tcp --dport 2008 -m comment --comment "Allow: TeamSpeak Accounting" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 10011 -m comment --comment "Allow: TeamSpeak ServerQuery" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m multiport --dports 30033 -m comment --comment "Allow: TeamSpeak FileTransfer" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 41144 -m comment --comment "Allow: TeamSpeak TSDNS" -j ACCEPT
iptables -A TEAMSPEAK -p udp -m udp --dport 1:65535 -m comment --comment "Allow: TeamSpeak Voiceports" -j ACCEPT
iptables -A TEAMSPEAK -j RETURN
#INPUT
iptables -A INPUT -m comment --comment "Allow Whitelisted IP's" -j ALLOWED
iptables -A INPUT -m comment --comment "Block Blacklisted IP's" -j BLOCKED
iptables -A INPUT -i lo -m comment --comment "Allow: Loopback" -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow: Related and Established Connections" -j ACCEPT
iptables -A INPUT -m comment --comment "Allow Default Services" -j SERVICES
iptables -A INPUT -m comment --comment "Allow TeamSpeak Services" -j TEAMSPEAK
iptables -A INPUT -p icmp -m comment --comment "Allow: ICMP" -j ACCEPT
iptables -A INPUT -m comment --comment "Ignore everything else" -j DENY
iptables -P INPUT DROP
/etc/init.d/iptables-persistent save
service fail2ban start
clear
iptables -L

If you want to easily add or remove entries from the ALLOWED/BLOCKED chain, you can use the following script, created by @Supervisor:
Code:
nano firewall;chmod +x firewall
Code:
#!/bin/sh
case $1 in
block*) iptables -I BLOCKED -s ${2} -j DROP ;;
unblock*) iptables -D BLOCKED -s ${2} -j DROP ;;
allow*) iptables -I ALLOWED -s ${2} -j ACCEPT ;;
disallow*) iptables -D ALLOWED -s ${2} -j ACCEPT ;;
*) printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n" ;;
esac
exit 1


P.S. I managed to setup iptables with this Tutorial [DE].
IT Blocked the Source list ... and when i upload a pic or something like that i got a conection lost ....
 

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
Search the for "FTP ports" and "sinusbot ports" ON Google and add them to the script before executing it.
 

dzirikajaki

Member
Jan 16, 2016
11
1
35
This vsftpd FTP (port 21) and Sinusbot stream port 80
Adding these lines:
iptables -A SERVICES -p tcp -m tcp --dport 21 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 80 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A ALLOWED -s 195.xxx.xxx.xxx -j ACCEPT

It does not work even restart VPS gives nothing
 

Santiago

Member
May 9, 2015
19
16
41
This vsftpd FTP (port 21) and Sinusbot stream port 80
Adding these lines:
iptables -A SERVICES -p tcp -m tcp --dport 21 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 80 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A ALLOWED -s 195.xxx.xxx.xxx -j ACCEPT

It does not work even restart VPS gives nothing

Use "/sbin/service iptables save " :)
 

Santiago

Member
May 9, 2015
19
16
41
These can be saved in a file with the command iptables-save for IPv4.

Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4
RHEL/CentOS: iptables-save > /etc/sysconfig/iptables

These files can be loaded again with the command iptables-restore for IPv4.

Debian/Ubuntu: iptables-restore < /etc/iptables/rules.v4
RHEL/CentOS: iptables-restore < /etc/sysconfig/iptables

If you would also like to use IPv6 rules, these can be stored in a separate file.

Debian/Ubuntu: ip6tables-save > /etc/iptables/rules.v6
RHEL/CentOS: ip6tables-save > /etc/sysconfig/ip6tables
 

Magic

Member
Oct 23, 2015
59
9
40
After installing this no one even bots can do anything in query+banners dont appear.
Please help how to get rid of it.
 

BrazaNATOR

Member
Apr 30, 2016
24
3
40
It can filter the connections so yes but not a lot of it .. >D
Thanks mate.
I know the question i am going to ask is not related with this thread but i am really in doubt of what im going to do at momment.
I manage a Battlefield 4 clan that has arround 60 - 65 members, we have the NPL on our TeamSpeak, but we have been suffering from DDOS attacks lately, we run our whole system, website/teamspeak everything on our OVH cloud, and it seems the cloud firewall (OVH PRO) is totally unefficient to protect our network and they only can provide protection if i buy the gaming cloud that are very expensive for me now.
So i have been thinking lately to move from OVH to BLAZINGFAST.IO or NFO SERVERS because they have a really cheap VPS's with Mitigation protection.

May i ask you where do you host your teamspeaks? or even what provider do you recommend for me to use?

Thanks,
Best regards.
 
Last edited by a moderator:

JoKeR

Member
Apr 21, 2016
73
36
53
Thanks mate.
I know the question i am going to ask is not related with this thread but i am really in doubt of what im going to do at momment.
I manage a Battlefield 4 clan that has arround 60 - 65 members, we have the NPL on our TeamSpeak, but we have been suffering from DDOS attacks lately, we run our whole system, website/teamspeak everything on our OVH cloud, and it seems the cloud firewall (OVH PRO) is totally unefficient to protect our network and they only can provide protection if i buy the gaming cloud that are very expensive for me now.
So i have been thinking lately to move from OVH to BLAZINGFAST.IO or NFO SERVERS because they have a really cheap VPS's with Mitigation protection.

May i ask you where do you host your teamspeaks? or even what provider do you recommend for me to use?

Thanks,
Best regards.
First at all I would never run webserver, gameserver and teamspeak on one system. Teamspeak is a ddos magnet you should move it to a separate node or use an external teamspeak provider.
 
Top