timmy bu gisti düzenledi 10 months ago. Düzenlemeye git
Değişiklik yok
timmy bu gisti düzenledi 10 months ago. Düzenlemeye git
Değişiklik yok
timmy bu gisti düzenledi 1 year ago. Düzenlemeye git
1 file changed, 50 insertions, 45 deletions
iptables_rules.sh
| @@ -1,76 +1,81 @@ | |||
| 1 | 1 | #!/bin/bash | |
| 2 | 2 | ||
| 3 | - | # Flush all existing rules | |
| 3 | + | # === Basic Settings === | |
| 4 | + | ||
| 5 | + | # Clear all existing rules | |
| 4 | 6 | iptables -F | |
| 7 | + | iptables -X | |
| 8 | + | iptables -Z | |
| 5 | 9 | ||
| 6 | - | # Set default policies to drop | |
| 10 | + | # Set default policies: drop all incoming and forwarding traffic, allow outgoing | |
| 7 | 11 | iptables -P INPUT DROP | |
| 8 | 12 | iptables -P FORWARD DROP | |
| 9 | 13 | iptables -P OUTPUT ACCEPT | |
| 10 | 14 | ||
| 11 | - | # Allow established connections | |
| 15 | + | # === Variables === | |
| 16 | + | TAIWAN_IPSET="taiwan_ips" # Name of the IP set for Taiwan | |
| 17 | + | ALLOWED_SSH_IP="192.168.1.0/24" # Allowed SSH subnet | |
| 18 | + | ||
| 19 | + | # === Basic Allow Rules === | |
| 20 | + | ||
| 21 | + | # Allow established and related connections | |
| 12 | 22 | iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established connections" | |
| 13 | 23 | ||
| 14 | - | # Allow loopback interface traffic | |
| 15 | - | iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback interface" | |
| 24 | + | # Allow loopback (local) traffic | |
| 25 | + | iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow local traffic" | |
| 16 | 26 | ||
| 17 | - | # Allow SSH traffic (port 22) | |
| 18 | - | # iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Allow SSH" | |
| 27 | + | # === SSH Rules === | |
| 19 | 28 | ||
| 20 | - | # Allow SSH traffic only from IPs in the taiwan_ips ipset collection | |
| 21 | - | iptables -A INPUT -p tcp --dport 22 -m set --match-set taiwan_ips src -j ACCEPT -m comment --comment "Allow SSH from Taiwan IPs" | |
| 29 | + | # Allow SSH from Taiwan IP set | |
| 30 | + | iptables -A INPUT -p tcp --dport 22 -m set --match-set $TAIWAN_IPSET src -j ACCEPT -m comment --comment "Allow SSH from Taiwan IPs" | |
| 22 | 31 | ||
| 23 | - | # Drop SSH traffic from other IPs | |
| 24 | - | iptables -A INPUT -p tcp --dport 22 -j DROP -m comment --comment "Drop SSH from other IPs" | |
| 32 | + | # Allow SSH from allowed internal network | |
| 33 | + | iptables -A INPUT -p tcp --dport 22 -s $ALLOWED_SSH_IP -j ACCEPT -m comment --comment "Allow SSH from internal network" | |
| 25 | 34 | ||
| 35 | + | # Limit SSH attempts to prevent brute force attacks | |
| 36 | + | iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_bruteforce --set | |
| 37 | + | iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_bruteforce --update --seconds 60 --hitcount 5 -j DROP -m comment --comment "Limit SSH attempts" | |
| 26 | 38 | ||
| 27 | - | # Allow HTTP traffic (port 80) | |
| 28 | - | # iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP" | |
| 39 | + | # Drop SSH from other sources | |
| 40 | + | iptables -A INPUT -p tcp --dport 22 -j DROP -m comment --comment "Drop unauthorized SSH traffic" | |
| 29 | 41 | ||
| 30 | - | # Allow HTTPS traffic (port 443) | |
| 31 | - | # iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS" | |
| 42 | + | # === HTTP/HTTPS Traffic === | |
| 32 | 43 | ||
| 33 | - | # Allow ping traffic | |
| 34 | - | iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow ping" | |
| 44 | + | # Allow HTTP (port 80) | |
| 45 | + | iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP traffic" | |
| 35 | 46 | ||
| 36 | - | # Block SYN Flood attacks | |
| 37 | - | iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT -m comment --comment "Protect against SYN Flood" | |
| 47 | + | # Allow HTTPS (port 443) | |
| 48 | + | iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS traffic" | |
| 38 | 49 | ||
| 39 | - | # Block Port Scanning | |
| 40 | - | iptables -A INPUT -p tcp --syn -m recent --name scan --set -m comment --comment "Detect port scans" | |
| 41 | - | iptables -A INPUT -p tcp --syn -m recent --name scan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop port scans" | |
| 50 | + | # === Attack Prevention === | |
| 42 | 51 | ||
| 43 | - | # Block DoS attacks | |
| 44 | - | iptables -A INPUT -p tcp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit incoming connections to prevent DoS" | |
| 45 | - | iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP connections to prevent DoS" | |
| 46 | - | iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT -m comment --comment "Limit ICMP requests to prevent DoS" | |
| 52 | + | # Protect against SYN Flood | |
| 53 | + | iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT -m comment --comment "Protect from SYN Flood" | |
| 47 | 54 | ||
| 48 | - | # Limit UDP traffic to prevent UDP Flood attack | |
| 49 | - | iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP traffic to prevent UDP Flood" | |
| 55 | + | # Detect and drop port scans | |
| 56 | + | iptables -A INPUT -p tcp --syn -m recent --name portscan --set -m comment --comment "Detect port scans" | |
| 57 | + | iptables -A INPUT -p tcp --syn -m recent --name portscan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop port scans" | |
| 50 | 58 | ||
| 51 | - | # Drop oversized ICMP packets to prevent Ping of Death attack | |
| 52 | - | iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 0:1024 -j ACCEPT -m comment --comment "Drop oversized ICMP packets" | |
| 59 | + | # Limit TCP, UDP, and ICMP traffic to prevent DoS attacks | |
| 60 | + | iptables -A INPUT -p tcp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit TCP traffic for DoS" | |
| 61 | + | iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP traffic for DoS" | |
| 62 | + | iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT -m comment --comment "Limit ICMP requests for DoS" | |
| 53 | 63 | ||
| 54 | - | # Drop packets with a source address equal to the broadcast address | |
| 55 | - | iptables -A INPUT -p icmp --icmp-type echo-request -s 255.255.255.255 -j DROP -m comment --comment "Drop ICMP packets with broadcast source address" | |
| 64 | + | # Drop large ICMP packets to prevent Ping of Death | |
| 65 | + | iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 0:1024 -j ACCEPT -m comment --comment "Prevent Ping of Death" | |
| 56 | 66 | ||
| 57 | - | # Drop packets with the same source and destination address | |
| 58 | - | iptables -A INPUT -s 192.168.1.1 -d 192.168.1.1 -j DROP -m comment --comment "Drop packets with same source and destination address" | |
| 67 | + | # Drop packets with the same source and destination IP | |
| 68 | + | iptables -A INPUT -s 192.168.1.1 -d 192.168.1.1 -j DROP -m comment --comment "Drop same source and destination" | |
| 59 | 69 | ||
| 60 | 70 | # Drop invalid packets | |
| 61 | 71 | iptables -A INPUT -m state --state INVALID -j DROP -m comment --comment "Drop invalid packets" | |
| 62 | 72 | ||
| 63 | - | # Drop suspicious port scanning attempts | |
| 64 | - | iptables -A INPUT -p tcp --syn -m recent --name portscan --set -m comment --comment "Track port scanning attempts" | |
| 65 | - | iptables -A INPUT -p tcp --syn -m recent --name portscan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop excessive port scan attempts" | |
| 66 | - | ||
| 67 | - | # Rate limit incoming connections to mitigate DDoS | |
| 68 | - | iptables -A INPUT -p tcp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit TCP connections to mitigate DDoS" | |
| 69 | - | iptables -A INPUT -p udp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit UDP connections to mitigate DDoS" | |
| 73 | + | # === Logging === | |
| 70 | 74 | ||
| 75 | + | # Log dropped packets | |
| 76 | + | iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "Dropped: " --log-level 4 -m comment --comment "Log dropped packets" | |
| 71 | 77 | ||
| 72 | - | # Set NAT forwarding rules (if needed) | |
| 73 | - | # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "NAT outbound traffic" | |
| 78 | + | # === Save Rules === | |
| 74 | 79 | ||
| 75 | - | # Save rules | |
| 76 | - | # iptables-save > /etc/iptables/rules.v4 | |
| 80 | + | # Save rules to /etc/iptables/rules.v4 | |
| 81 | + | iptables-save > /etc/iptables/rules.v4 | |
timmy bu gisti düzenledi 1 year ago. Düzenlemeye git
1 file changed, 76 insertions
iptables_rules.sh(dosya oluşturuldu)
| @@ -0,0 +1,76 @@ | |||
| 1 | + | #!/bin/bash | |
| 2 | + | ||
| 3 | + | # Flush all existing rules | |
| 4 | + | iptables -F | |
| 5 | + | ||
| 6 | + | # Set default policies to drop | |
| 7 | + | iptables -P INPUT DROP | |
| 8 | + | iptables -P FORWARD DROP | |
| 9 | + | iptables -P OUTPUT ACCEPT | |
| 10 | + | ||
| 11 | + | # Allow established connections | |
| 12 | + | iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established connections" | |
| 13 | + | ||
| 14 | + | # Allow loopback interface traffic | |
| 15 | + | iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback interface" | |
| 16 | + | ||
| 17 | + | # Allow SSH traffic (port 22) | |
| 18 | + | # iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Allow SSH" | |
| 19 | + | ||
| 20 | + | # Allow SSH traffic only from IPs in the taiwan_ips ipset collection | |
| 21 | + | iptables -A INPUT -p tcp --dport 22 -m set --match-set taiwan_ips src -j ACCEPT -m comment --comment "Allow SSH from Taiwan IPs" | |
| 22 | + | ||
| 23 | + | # Drop SSH traffic from other IPs | |
| 24 | + | iptables -A INPUT -p tcp --dport 22 -j DROP -m comment --comment "Drop SSH from other IPs" | |
| 25 | + | ||
| 26 | + | ||
| 27 | + | # Allow HTTP traffic (port 80) | |
| 28 | + | # iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP" | |
| 29 | + | ||
| 30 | + | # Allow HTTPS traffic (port 443) | |
| 31 | + | # iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS" | |
| 32 | + | ||
| 33 | + | # Allow ping traffic | |
| 34 | + | iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow ping" | |
| 35 | + | ||
| 36 | + | # Block SYN Flood attacks | |
| 37 | + | iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT -m comment --comment "Protect against SYN Flood" | |
| 38 | + | ||
| 39 | + | # Block Port Scanning | |
| 40 | + | iptables -A INPUT -p tcp --syn -m recent --name scan --set -m comment --comment "Detect port scans" | |
| 41 | + | iptables -A INPUT -p tcp --syn -m recent --name scan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop port scans" | |
| 42 | + | ||
| 43 | + | # Block DoS attacks | |
| 44 | + | iptables -A INPUT -p tcp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit incoming connections to prevent DoS" | |
| 45 | + | iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP connections to prevent DoS" | |
| 46 | + | iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT -m comment --comment "Limit ICMP requests to prevent DoS" | |
| 47 | + | ||
| 48 | + | # Limit UDP traffic to prevent UDP Flood attack | |
| 49 | + | iptables -A INPUT -p udp -m limit --limit 10/s --limit-burst 20 -j ACCEPT -m comment --comment "Limit UDP traffic to prevent UDP Flood" | |
| 50 | + | ||
| 51 | + | # Drop oversized ICMP packets to prevent Ping of Death attack | |
| 52 | + | iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 0:1024 -j ACCEPT -m comment --comment "Drop oversized ICMP packets" | |
| 53 | + | ||
| 54 | + | # Drop packets with a source address equal to the broadcast address | |
| 55 | + | iptables -A INPUT -p icmp --icmp-type echo-request -s 255.255.255.255 -j DROP -m comment --comment "Drop ICMP packets with broadcast source address" | |
| 56 | + | ||
| 57 | + | # Drop packets with the same source and destination address | |
| 58 | + | iptables -A INPUT -s 192.168.1.1 -d 192.168.1.1 -j DROP -m comment --comment "Drop packets with same source and destination address" | |
| 59 | + | ||
| 60 | + | # Drop invalid packets | |
| 61 | + | iptables -A INPUT -m state --state INVALID -j DROP -m comment --comment "Drop invalid packets" | |
| 62 | + | ||
| 63 | + | # Drop suspicious port scanning attempts | |
| 64 | + | iptables -A INPUT -p tcp --syn -m recent --name portscan --set -m comment --comment "Track port scanning attempts" | |
| 65 | + | iptables -A INPUT -p tcp --syn -m recent --name portscan --update --seconds 60 --hitcount 10 -j DROP -m comment --comment "Drop excessive port scan attempts" | |
| 66 | + | ||
| 67 | + | # Rate limit incoming connections to mitigate DDoS | |
| 68 | + | iptables -A INPUT -p tcp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit TCP connections to mitigate DDoS" | |
| 69 | + | iptables -A INPUT -p udp -m limit --limit 20/s --limit-burst 100 -j ACCEPT -m comment --comment "Rate limit UDP connections to mitigate DDoS" | |
| 70 | + | ||
| 71 | + | ||
| 72 | + | # Set NAT forwarding rules (if needed) | |
| 73 | + | # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "NAT outbound traffic" | |
| 74 | + | ||
| 75 | + | # Save rules | |
| 76 | + | # iptables-save > /etc/iptables/rules.v4 | |
Daha yeni
Daha eski