-
Notifications
You must be signed in to change notification settings - Fork 17
/
princeserverguard.ipt
executable file
·225 lines (179 loc) · 10.6 KB
/
princeserverguard.ipt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
#Flush all default rules! Save your existing rules with iptables-saves > backup-rules.txt
# Add comment to iptables -F if you want to preserve your original firewall rules.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
#iptables -Z
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
#Accept all input connection on loopback
iptables -A INPUT -i lo -j ACCEPT
#Drop any spoof on my loopack interface.
iptables -A INPUT ! -i lo -d 127.0.0.1/8 -j DROP
#Allow VMs and network devices to accept forwarded packet. (Router-On-A-Stick)
iptables -A FORWARD -j ACCEPT
#DROP SPOOF, no spoof allowed on this server
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
#Drop all invalid packet, we know what we do to hacker's crafted, forged packet, we DROP 'em!
iptables -A INPUT -m state --state INVALID -j DROP
#wget -qO - http://infiltrated.net/blacklisted|awk '!/#|[a-z]/&&/./{print "iptables -A INPUT -s "$1" -j DROP"}'
# DROP ATTACKS
#for SMURF attack protection
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j DROP
# Droping all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# flooding of RST packets, smurf attack Rejection
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# Protecting portscans
# Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Remove attacking IP after 24 hours
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
#Add port(s) to be monitored and protected. Below monitored SSH(22), EMAIL(25), SMB (139,445) and ASTERISK/VOIP (5060)
PROTECTED=22,25,139,5060
#Detect and log scanners, add them to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp -m multiport --dports $PROTECTED -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp -m multiport --dports $PROTECTED -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp -m multiport --dports $PROTECTED -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp -m multiport --dports $PROTECTED -m recent --name portscan --set -j DROP
#TRIGGERS, flashes your keyboard LED or Computer LED for any Intruder or Hacking Alert.
#iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-always-blink
#iptables -A INPUT -p tcp --dport 25 -j LED --led-trigger-id smtp --led-always-blink
#iptables -A INPUT -p tcp --dport 139 -j LED --led-trigger-id rpc --led-always-blink
#echo netfilter-ssh >/sys/class/leds/ssh/trigger
#echo netfilter-ssh >/sys/class/leds/rpc/trigger
#echo netfilter-ssh >/sys/class/leds/smtp/trigger
#CREATE TABLE_FUNCTION
iptables -N RouterDATA
iptables -N FireWALLED
iptables -N ACL-WEB
iptables -N ACL-WEB-SECURE
iptables -N BLOCKED-DATA
iptables -N MAIL-ROUTE
iptables -N AUDIT_DROP
#ALLOW CNNECTION THRU ROUTER
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j RouterDATA
iptables -A INPUT -p tcp --dport 9400 -j ACCEPT
#RouterDATA is the gateway, define what rule-set handles what packet coming from the RouterDATA
#iptables -N RouterDATA
iptables -A RouterDATA -p tcp --dport http -j ACL-WEB
iptables -A RouterDATA -p tcp --dport http -j ACL-WEB-SECURE
iptables -A RouterDATA -p udp --sport 67:68 --dport 67:68 -j FireWALLED
iptables -A RouterDATA -p udp --sport 53 --dport 53 -m limit --limit 10/minute -j LOG --log-prefix "Port 53 Possible Exploit Detected :"
iptables -A RouterDATA -m limit --limit 10/minute -j LOG --log-prefix "Router Throutled:"
iptables -A RouterDATA -p tcp -m multiport --dports smtp,smtps,imap,imaps,pop3 -j MAIL-ROUTE
iptables -A RouterDATA -m state --state ESTABLISHED,RELATED -j FireWALLED
iptables -A RouterDATA -j DROP
iptables -A INPUT -j RouterDATA
#Define Administrative Access Level rules, allow certain IP to connect and manages the server.
iptables -N ACL-16
#iptables -A ACL-16 -p tcp --dport 1234 -j RETURN
#iptables -A ACL-16 -s xxx.xxx.xxx.xxx -j RETURN
#iptables -A ACL-16 -s xxx.xxx.xxx.xxx -j RETURN
#iptables -A ACL-16 -s xxx.xxx.xxx.xxx -j RETURN
iptables -A ACL-16 -j RouterDATA
iptables -A ACL-16 -j DROP
#Allow administrative IP to go thru ACL-16
iptables -A INPUT -j ACL-16
#GET SYN FLOOD PROTECTION
iptables -N SYN-FLOOD
iptables -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j LOG --log-prefix "PUNK! YOUR SYN-FLOOD IS LOGGED :"
iptables -A SYN-FLOOD -j REJECT
iptables -A INPUT -p tcp --syn -j SYN-FLOOD
#DEFINE WHAT GOES THROUGH FIREWALL
iptables -N FireWALLED
iptables -A FireWALLED -m state --state NEW -j REJECT
iptables -A FireWALLED -m state --state INVALID -j REJECT
iptables -A FireWALLED -m limit --limit 15/minute -j LOG --log-prefix "You are FireWALLED: "
iptables -A FireWALLED -p tcp --dport http -j ACL-WEB
#iptables -A FireWALLED -p tcp -m multiport --dports smtp,smtps,imap,imaps,pop3 -j MAIL-ROUTE
iptables -A FireWALLED -p tcp --dport https -j ACL-WEB-SECURE
iptables -A FireWALLED -m recent --name INTRUDER --rcheck --seconds 60 -j REJECT
iptables -A FireWALLED -p tcp --dport 139 -m recent --name INTRUDER --set -j REJECT
iptables -A FireWALLED -p tcp --dport 137 -m recent --name INTRUDER --set -j REJECT
iptables -A FireWALLED -m recent --name INTRUDER --rcheck --seconds 60 -j REJECT
iptables -A FireWALLED -p tcp --dport 22 -m recent --name INTRUDER --set -j REJECT
#WE NEED EMAIL TO WORK AND PROTECTED, HERE YOU GO
#If you receive more than 5 emails in 1 minutes, it's spamming, log it and filter out for auto blocking .
iptables -A MAIL-ROUTE -p tcp -m limit --limit 3/minute -j LOG --log-prefix "Damn Spammer! :"
iptables -A MAIL-ROUTE -p tcp -m multiport --dports smtp,smtps,imap,imaps,pop3 -j ACCEPT
iptables -A MAIL-ROUTE -j DROP
#SETUP AN AUDITOR
iptables -N AUDIT_DROP
iptables -A AUDIT_DROP -j AUDIT --type drop
iptables -A AUDIT_DROP -j DROP
iptables -A INPUT -j AUDIT_DROP
#TRIGGERS
iptables -A FireWALLED -p tcp --dport 22 -j LED --led-trigger-id ssh --led-always-blink
iptables -A FireWALLED -p tcp --dport 25 -j LED --led-trigger-id smtp --led-always-blink
iptables -A FireWALLED -p tcp --dport 139 -j LED --led-trigger-id rpc
iptables -A FireWALLED -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG
#RESTRICt CONNECTION PER CLIENT to avoid BOTNET Throuthling
iptables -A FireWALLED -p tcp --syn -m connlimit --connlimit-above 11 --connlimit-mask 24 -j REJECT
iptables -A FireWALLED -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT
iptables -A FireWALLED -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 --connlimit-mask 24 -j REJECT
iptables -A FireWALLED -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 --connlimit-mask 24 -j REJECT
#iptables -A FireWALLED -p tcp --syn --dport 9400 -m connlimit --connlimit-above 3 --connlimit-mask 24 -j REJECT
#ACCEPT ONLY CONNECTION THAT PASSED ROUTERS FIREWALLeD RULES, DROP the rest;
iptables -A FireWALLED -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FireWALLED -j DROP
#CREATE ACCESS CONTROL LEVEL for connection to the website(s)
#iptables -N ACL-WEB
iptables -A ACL-WEB -p tcp --dport http -j ACCEPT
#Limit connection to per client connecting to the website, drop dummy connection saves bandwidth
iptables -A ACL-WEB -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT
iptables -A ACL-WEB -j DROP
#Allow all connection to website port http goes through ACL-WEB (Access Control Level for Web)
iptables -A INPUT -p tcp --dport http -j ACL-WEB
#iptables -N ACL-WEB-SECURE
iptables -A ACL-WEB-SECURE -p tcp --dport https -j ACCEPT
iptables -A ACL-WEB -p tcp --syn --dport 443 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT
#Allow all connection to website port https goes through ACL-WEB SECURE (Access Control Level for Web)
iptables -A ACL-WEB-SECURE -j DROP
#Allow all connection to website port https goes through ACL-WEB-SECURE (Access Control Level for secure Web)
iptables -A INPUT -p tcp --dport https -j ACL-WEB-SECURE
#Monitors connections to your server and block and lock hacking flags.
#Blocks any IP address that hit the server 10 times within a minute with any of HACKING FLAG.
#See the blocked IP Address using grep -i "BLOCKED-DATA :" /var/location/of/your/iptable.log
#iptables -N BLOCKED-DATA;
iptables -A BLOCKED-DATA -m limit --limit 10/minute -j LOG --log-prefix "BLOCKED-DATA : "
#BLOCK HACKING FLAGS, drop their incoming packets.
iptables -A BLOCKED-DATA -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags FIN,RST SYN,RST -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ALL ALL -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ALL NONE -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A BLOCKED-DATA -j DROP
#Monitors connection to the server with hacking flags goes through BLOCKED-DATA
iptables -A INPUT -p tcp -j BLOCKED-DATA
#ALLOW CONNECTION prevent dns hi-jacking, only connection from known source port and destination port is allowed thru RouterDATA
iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j RouterDATA
#Hide your VM (Virtual Machines) or network from the real world, but allow them to access the world masqueradly.
iptables -t nat -A POSTROUTING -s 172.30.80.248/29 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.19.35.248/29 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.21.44.248/29 -j MASQUERADE
#Automatically append blacklisted IP addresses to our database, keep spammers, script kiddies and tor users etc off my network.
#wget -qO - http://infiltrated.net/blacklisted|awk '!/#|[a-z]/&&/./{print "iptables -A INPUT -s "$1" -j DROP"}'
#DROP ALL CONNECTION THAT DOESNT MATCH OUR RULES
iptables -A INPUT -j DROP