Like 0
Fork 0

Last active 10 months ago

這個 iptables 防火牆腳本 用於 強化伺服器的網路安全,透過 允許合法流量(如 SSH、HTTP/HTTPS)並封鎖未授權連線,同時防禦各種攻擊(如 暴力破解、SYN Flood、埠掃描、DoS)。此外,它會 記錄異常流量 以便後續分析,並將規則儲存至 /etc/iptables/rules.v4,確保設定在重啟後仍生效。適用於 企業伺服器、內部網路防護及個人伺服器安全強化。

bash ddos-protection firewall iptables networking security ssh

timmy revised this gist 10 months ago. Go to revision

No changes

timmy revised this gist 10 months ago. Go to revision

No changes

timmy revised this gist 1 year ago. Go to revision

1 file changed, 50 insertions, 45 deletions

iptables_rules.sh

@@ -1,76 +1,81 @@
1 1 #!/bin/bash
2 2
3 - # Flush all existing rules
3 + # === Basic Settings ===
4 +
5 + # Clear all existing rules
4 6 iptables -F
7 + iptables -X
8 + iptables -Z
5 9
6 - # Set default policies to drop
10 + # Set default policies: drop all incoming and forwarding traffic, allow outgoing
7 11 iptables -P INPUT DROP
8 12 iptables -P FORWARD DROP
9 13 iptables -P OUTPUT ACCEPT
10 14
11 - # Allow established connections
15 + # === Variables ===
16 + TAIWAN_IPSET="taiwan_ips" # Name of the IP set for Taiwan
17 + ALLOWED_SSH_IP="192.168.1.0/24" # Allowed SSH subnet
18 +
19 + # === Basic Allow Rules ===
20 +
21 + # Allow established and related connections
12 22 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established connections"
13 23
14 - # Allow loopback interface traffic
15 - iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback interface"
24 + # Allow loopback (local) traffic
25 + iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow local traffic"
16 26
17 - # Allow SSH traffic (port 22)
18 - # iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Allow SSH"
27 + # === SSH Rules ===
19 28
20 - # Allow SSH traffic only from IPs in the taiwan_ips ipset collection
21 - iptables -A INPUT -p tcp --dport 22 -m set --match-set taiwan_ips src -j ACCEPT -m comment --comment "Allow SSH from Taiwan IPs"
29 + # Allow SSH from Taiwan IP set
30 + iptables -A INPUT -p tcp --dport 22 -m set --match-set $TAIWAN_IPSET src -j ACCEPT -m comment --comment "Allow SSH from Taiwan IPs"
22 31
23 - # Drop SSH traffic from other IPs
24 - iptables -A INPUT -p tcp --dport 22 -j DROP -m comment --comment "Drop SSH from other IPs"
32 + # Allow SSH from allowed internal network
33 + iptables -A INPUT -p tcp --dport 22 -s $ALLOWED_SSH_IP -j ACCEPT -m comment --comment "Allow SSH from internal network"
25 34
35 + # Limit SSH attempts to prevent brute force attacks
36 + iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_bruteforce --set
37 + iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_bruteforce --update --seconds 60 --hitcount 5 -j DROP -m comment --comment "Limit SSH attempts"
26 38
27 - # Allow HTTP traffic (port 80)
28 - # iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
39 + # Drop SSH from other sources
40 + iptables -A INPUT -p tcp --dport 22 -j DROP -m comment --comment "Drop unauthorized SSH traffic"
29 41
30 - # Allow HTTPS traffic (port 443)
31 - # iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
42 + # === HTTP/HTTPS Traffic ===
32 43
33 - # Allow ping traffic
34 - iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow ping"
44 + # Allow HTTP (port 80)
45 + iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP traffic"
35 46
36 - # Block SYN Flood attacks
37 - iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT -m comment --comment "Protect against SYN Flood"
47 + # Allow HTTPS (port 443)
48 + iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS traffic"
38 49
39 - # Block Port Scanning
40 - iptables -A INPUT -p tcp --syn -m recent --name scan --set -m comment --comment "Detect port scans"
41 - iptables -A INPUT -p tcp --syn -m recent --name scan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop port scans"
50 + # === Attack Prevention ===
42 51
43 - # Block DoS attacks
44 - iptables -A INPUT -p tcp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit incoming connections to prevent DoS"
45 - iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP connections to prevent DoS"
46 - iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT -m comment --comment "Limit ICMP requests to prevent DoS"
52 + # Protect against SYN Flood
53 + iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT -m comment --comment "Protect from SYN Flood"
47 54
48 - # Limit UDP traffic to prevent UDP Flood attack
49 - iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP traffic to prevent UDP Flood"
55 + # Detect and drop port scans
56 + iptables -A INPUT -p tcp --syn -m recent --name portscan --set -m comment --comment "Detect port scans"
57 + iptables -A INPUT -p tcp --syn -m recent --name portscan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop port scans"
50 58
51 - # Drop oversized ICMP packets to prevent Ping of Death attack
52 - iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 0:1024 -j ACCEPT -m comment --comment "Drop oversized ICMP packets"
59 + # Limit TCP, UDP, and ICMP traffic to prevent DoS attacks
60 + iptables -A INPUT -p tcp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit TCP traffic for DoS"
61 + iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP traffic for DoS"
62 + iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT -m comment --comment "Limit ICMP requests for DoS"
53 63
54 - # Drop packets with a source address equal to the broadcast address
55 - iptables -A INPUT -p icmp --icmp-type echo-request -s 255.255.255.255 -j DROP -m comment --comment "Drop ICMP packets with broadcast source address"
64 + # Drop large ICMP packets to prevent Ping of Death
65 + iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 0:1024 -j ACCEPT -m comment --comment "Prevent Ping of Death"
56 66
57 - # Drop packets with the same source and destination address
58 - iptables -A INPUT -s 192.168.1.1 -d 192.168.1.1 -j DROP -m comment --comment "Drop packets with same source and destination address"
67 + # Drop packets with the same source and destination IP
68 + iptables -A INPUT -s 192.168.1.1 -d 192.168.1.1 -j DROP -m comment --comment "Drop same source and destination"
59 69
60 70 # Drop invalid packets
61 71 iptables -A INPUT -m state --state INVALID -j DROP -m comment --comment "Drop invalid packets"
62 72
63 - # Drop suspicious port scanning attempts
64 - iptables -A INPUT -p tcp --syn -m recent --name portscan --set -m comment --comment "Track port scanning attempts"
65 - iptables -A INPUT -p tcp --syn -m recent --name portscan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop excessive port scan attempts"
66 -
67 - # Rate limit incoming connections to mitigate DDoS
68 - iptables -A INPUT -p tcp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit TCP connections to mitigate DDoS"
69 - iptables -A INPUT -p udp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit UDP connections to mitigate DDoS"
73 + # === Logging ===
70 74
75 + # Log dropped packets
76 + iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "Dropped: " --log-level 4 -m comment --comment "Log dropped packets"
71 77
72 - # Set NAT forwarding rules (if needed)
73 - # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "NAT outbound traffic"
78 + # === Save Rules ===
74 79
75 - # Save rules
76 - # iptables-save > /etc/iptables/rules.v4
80 + # Save rules to /etc/iptables/rules.v4
81 + iptables-save > /etc/iptables/rules.v4

timmy revised this gist 1 year ago. Go to revision

1 file changed, 76 insertions

iptables_rules.sh(file created)

@@ -0,0 +1,76 @@
1 + #!/bin/bash
2 +
3 + # Flush all existing rules
4 + iptables -F
5 +
6 + # Set default policies to drop
7 + iptables -P INPUT DROP
8 + iptables -P FORWARD DROP
9 + iptables -P OUTPUT ACCEPT
10 +
11 + # Allow established connections
12 + iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established connections"
13 +
14 + # Allow loopback interface traffic
15 + iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback interface"
16 +
17 + # Allow SSH traffic (port 22)
18 + # iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Allow SSH"
19 +
20 + # Allow SSH traffic only from IPs in the taiwan_ips ipset collection
21 + iptables -A INPUT -p tcp --dport 22 -m set --match-set taiwan_ips src -j ACCEPT -m comment --comment "Allow SSH from Taiwan IPs"
22 +
23 + # Drop SSH traffic from other IPs
24 + iptables -A INPUT -p tcp --dport 22 -j DROP -m comment --comment "Drop SSH from other IPs"
25 +
26 +
27 + # Allow HTTP traffic (port 80)
28 + # iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
29 +
30 + # Allow HTTPS traffic (port 443)
31 + # iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
32 +
33 + # Allow ping traffic
34 + iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow ping"
35 +
36 + # Block SYN Flood attacks
37 + iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT -m comment --comment "Protect against SYN Flood"
38 +
39 + # Block Port Scanning
40 + iptables -A INPUT -p tcp --syn -m recent --name scan --set -m comment --comment "Detect port scans"
41 + iptables -A INPUT -p tcp --syn -m recent --name scan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop port scans"
42 +
43 + # Block DoS attacks
44 + iptables -A INPUT -p tcp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit incoming connections to prevent DoS"
45 + iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP connections to prevent DoS"
46 + iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT -m comment --comment "Limit ICMP requests to prevent DoS"
47 +
48 + # Limit UDP traffic to prevent UDP Flood attack
49 + iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP traffic to prevent UDP Flood"
50 +
51 + # Drop oversized ICMP packets to prevent Ping of Death attack
52 + iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 0:1024 -j ACCEPT -m comment --comment "Drop oversized ICMP packets"
53 +
54 + # Drop packets with a source address equal to the broadcast address
55 + iptables -A INPUT -p icmp --icmp-type echo-request -s 255.255.255.255 -j DROP -m comment --comment "Drop ICMP packets with broadcast source address"
56 +
57 + # Drop packets with the same source and destination address
58 + iptables -A INPUT -s 192.168.1.1 -d 192.168.1.1 -j DROP -m comment --comment "Drop packets with same source and destination address"
59 +
60 + # Drop invalid packets
61 + iptables -A INPUT -m state --state INVALID -j DROP -m comment --comment "Drop invalid packets"
62 +
63 + # Drop suspicious port scanning attempts
64 + iptables -A INPUT -p tcp --syn -m recent --name portscan --set -m comment --comment "Track port scanning attempts"
65 + iptables -A INPUT -p tcp --syn -m recent --name portscan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop excessive port scan attempts"
66 +
67 + # Rate limit incoming connections to mitigate DDoS
68 + iptables -A INPUT -p tcp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit TCP connections to mitigate DDoS"
69 + iptables -A INPUT -p udp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit UDP connections to mitigate DDoS"
70 +
71 +
72 + # Set NAT forwarding rules (if needed)
73 + # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "NAT outbound traffic"
74 +
75 + # Save rules
76 + # iptables-save > /etc/iptables/rules.v4
Newer Older

Powered by Opengist Load: 11ms

English