Because when I wrote this tut I was still new to many of the concepts that are involved with IpTables (netfilter). I have seance then rewritten my firewall scripts but just have not updated this tut to match those changes.
Here is my current script, this one has some information redacted IE some of my ports and ip's and is not a drop in for SRCDS server but is alot better then my starting one.
Code:
#!/bin/sh
# Shell script for iptabls in use on game servers
# Copyright (C) 2013 Christopher M. Lynch
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#Set Iptables bin location
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
# Flush old rules
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t raw -F
$IPT -t raw -X
$IPT --flush
$IPT --delete-chain
# Create New chains
$IPT -N fail2ban-ssh-ddos
$IPT -N fail2ban-ssh
# IPv4 Default Policys
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# IPv6 Default Policys
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP
# Drop Private networks
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/16 -j DROP
$IPT -A INPUT -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -s 172.16.0.0/16 -j DROP
#Drop Chargen attacks
$IPT -t raw -A PREROUTING -p UDP --sport 19 -j DROP
$IPT -t mangle -A PREROUTING -p UDP --sport 19 -j DROP
# Slow down port scanners
$IPT -A INPUT -m psd --psd-weight-threshold 21 --psd-delay-threshold 120 --psd-lo-ports-weight 7 --psd-hi-ports-weight 3 -j DROP
# Check For Invaled TCP Packets
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
$IPT -A INPUT -m conntrack --ctstate INVALID -p tcp -j DROP
$IPT -A INPUT -p tcp -f -j DROP
# Check for Unwanted ICMP packets
$IPT -A INPUT -p ICMP --icmp-type echo-request -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -p icmp -j DROP
$IPT -A INPUT -p ICMP -f -j DROP
# Block ICMP on maintance IP allow rest
$IPT -A INPUT ! --destination IP -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT ! --destination IP -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT ! --destination IP -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT ! --destination IP -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT ! --destination IP -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT ! --destination IP -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
# Check for Unwanted UDP Packets
$IPT -A INPUT -p UDP -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -p UDP -f -j DROP
# Check for Flood !!!!====Only UDP is being Limited ATM====!!!!
$IPT -A INPUT -p tcp --syn -m connlimit --connlimit-above 4 -j DROP
$IPT -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 3/s -j DROP
$IPT -A INPUT -p UDP ! --destination IP! --destination-port 25565 -m limit --limit 200/s -j DROP
$IPT -A INPUT -p UDP --destination IP2 --destination-port 25565 -m limit --limit 1000/s -j DROP
# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT --source 127.0.0.1 --in-interface lo -j ACCEPT
$IPT -A OUTPUT --source 127.0.0.1 --out-interface lo -j ACCEPT
#Fail2Ban Catch Rules
$IPT -A INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
$IPT -A INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh-ddos
#Fail2Ban Chain Returns
$IPT -A fail2ban-ssh -j RETURN
$IPT -A fail2ban-ssh-ddos -j RETURN
# Allow established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
$IPT -A INPUT -p tcp -d IP --dport ssh -j ACCEPT
#MC
$IPT -A INPUT -p TCP -d IP --dport 25565 --jump ACCEPT
Linear Mode
