Iptables For New Admins - Page 5

Mavrick4283 · 08-25-2012 , 21:05 Re: Iptables For New Admins

1. This script was for people useing the defaults, if you need something differnt please PM me and i can set you up a firewall that will fit your needs.

2. see 1

3.I did not include the vnc ports see 1

4. No it is a shell script you would upload the .sh file then chmod +x it then exec it by ./filename.sh

SmackDaddy · 08-25-2012 , 23:01 Re: Iptables For New Admins

Ahhh, ok. I'll be in touch, thank you very much for helping a older guy out finding his feet out on this. I've only been on Linux for less than a week and I've gotten my servers ported over and up and running from windows.

Mavrick4283 · 08-25-2012 , 23:30 Re: Iptables For New Admins

Quote:

Originally Posted by SmackDaddy

Ahhh, ok. I'll be in touch, thank you very much for helping a older guy out finding his feet out on this. I've only been on Linux for less than a week and I've gotten my servers ported over and up and running from windows.

Not a problem, i am a very poor programmer that is why my script on it's own does not suit your needs but i am a very good Linux administrator so if you need help feel free to help.

craigy09 · 05-23-2013 , 04:46 Re: Iptables For New Admins

Is there a way to block certain packet strings?

DeLiriuM · 05-24-2013 , 13:47 Re: Iptables For New Admins

iptables -D INPUT -p udp -m udp -m string --hex-string "|STRING GOES HERE|" --algo kmp -j DROP

craigy09 · 07-03-2013 , 13:31 Re: Iptables For New Admins

How would i go about making a cron job to run every 5 minutes to not lock myself out? That way i can fiddle with settings and not worry about locking myself out if i mess it up.

j1gg · *Last edited by j1gg; 05-03-2016 at 11:30.*

How to unblock hlstats with this script? I unblocked port but still doesnt works. I have some errors with this iptables

iptables v1.4.14: Unknown TCP flag `!'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.14: Couldn't load match `iplimit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.14: unknown option "--pkttype"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.14: Couldn't load match `iplimit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

And ssh doesnt work

HTML Code:

#!/bin/sh
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

# Flush old rules
$IPT --flush
$IPT --delete-chain

# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP


# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# ICMP rules
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

#Dos/Scanners....
$IPT -A INPUT -p tcp --syn -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH SYN -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
$IPT -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ! SYN,RST,ACK,FIN,URG,PSH SYN,RST,ACK,FIN,URG,PSH -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP
$IPT -A INPUT -p UDP -f -j DROP
$IPT -A INPUT -p TCP --syn -m iplimit --iplimit-above 9 -j DROP
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -p ICMP --icmp-type echo-request -m pkttype --pkttype broadcast -j DROP
$IPT -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
$IPT -A INPUT -p TCP --syn -m iplimit --iplimit-above 3 -j DROP
$IPT -A INPUT -p UDP -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -p UDP -m limit --limit 3/s -j ACCEPT
$IPT -A INPUT -p ICMP -f -j DROP

# Block new connections without SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 44 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPT -A INPUT -p ip -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Anti-spoofing rules
$IPT -A INPUT -s 200.200.200.200 -j DROP
$IPT -A INPUT -s 192.168.0.0/24 -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

#FTP
$IPT -A INPUT -p tcp --dport ftp -j ACCEPT
$IPT -A INPUT -p tcp --dport ftp-data -j ACCEPT
$IPT -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
$IPT -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT
$IPT -A INPUT -p tcp --dport 50000:51000 -j ACCEPT

# Creation channel rejection flood udp 28
$IPT -N REJECT_FLOOD28
$IPT -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
$IPT -A REJECT_FLOOD28 -j DROP

# Creation channel rejection flood udp 46
$IPT -N REJECT_FLOOD46
$IPT -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
$IPT -A REJECT_FLOOD46 -j DROP

# Srcds Ports
$IPT -A INPUT -i eth0 -p udp --dport 27015 -m length --length 28 -j REJECT_FLOOD28
$IPT -A INPUT -i eth0 -p udp --dport 27016 -m length --length 28 -j REJECT_FLOOD28
$IPT -A INPUT -i eth0 -p udp --dport 27017 -m length --length 28 -j REJECT_FLOOD28
$IPT -A INPUT -i eth0 -p udp --dport 27018 -m length --length 28 -j REJECT_FLOOD28

$IPT -A INPUT -i eth0 -p udp --dport 27015 -m length --length 46 -j REJECT_FLOOD46
$IPT -A INPUT -i eth0 -p udp --dport 27016 -m length --length 46 -j REJECT_FLOOD46
$IPT -A INPUT -i eth0 -p udp --dport 27017 -m length --length 46 -j REJECT_FLOOD46
$IPT -A INPUT -i eth0 -p udp --dport 27018 -m length --length 46 -j REJECT_FLOOD46

#Steam Friends Service
$IPT -A INPUT -p udp --dport 1200 --jump ACCEPT

#Steam Main UDP
$IPT -A INPUT -p udp --dport 27000:27015 --jump ACCEPT

#Steam Main TCP
$IPT -A INPUT -p tcp --dport 27020:27039 --jump ACCEPT

#Steam Dedicated Server HLTV
$IPT -A INPUT -p udp --dport 27020 --jump ACCEPT

#HLSTATS
$IPT -A INPUT -p udp --dport 27500 --jump ACCEPT

#My SQL
$IPT -A INPUT -p TCP --dport 3306 --jump ACCEPT
#your server info go's here
iptables -A INPUT -p udp -d 185.25.151.42 --dport 27015 
iptables -A INPUT -p udp -d 185.25.151.42 --dport 27016
iptables -A INPUT -p udp -d 185.25.151.42 --dport 27017
iptables -A INPUT -p udp -d 185.25.151.42 --dport 27018
#allow rcon to thoes servers
iptables -A INPUT -p tcp -d 185.25.151.42 --dport 27015 --jump ACCEPT
iptables -A INPUT -p tcp -d 185.25.151.42 --dport 27016 --jump ACCEPT
iptables -A INPUT -p tcp -d 185.25.151.42 --dport 27017 --jump ACCEPT
iptables -A INPUT -p tcp -d 185.25.151.42 --dport 27018 --jump ACCEPT