From 97e1c41da50a0a80954f3f3bd16ec54545366a1c Mon Sep 17 00:00:00 2001
From: Ferexio
Date: Tue, 1 Mar 2022 15:40:36 +0000
Subject: [PATCH] Not working...
---
 firewall_ferexio_version.sh | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 firewall_ferexio_version.sh
diff --git a/firewall_ferexio_version.sh b/firewall_ferexio_version.sh
new file mode 100644
index 0000000..9b0fca6
--- /dev/null
+++ b/firewall_ferexio_version.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+apt install ipset
+
+iptables -F
+iptables -t nat -F
+iptables -t mangle -F
+iptables -X
+iptables -A INPUT -m state --state INVALID -j DROP
+iptables -A FORWARD -m state --state INVALID -j DROP
+iptables -A OUTPUT -m state --state INVALID -j DROP
+iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
+iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
+iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
+iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
+
+ipset create port_scanners hash:ip family inet hashsize 32768 maxelem 65536 timeout 600
+ipset create scanned_ports hash:ip,port family inet hashsize 32768 maxelem 65536 timeout 60
+
+iptables -A INPUT -m state --state NEW -m set ! --match-set scanned_ports src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name portscan --hashlimit-htable-expire 10000 -j SET --add-set port_scanners src --exist
+iptables -A INPUT -m state --state NEW -m set --match-set port_scanners src -j DROP
+iptables -A INPUT -m state --state NEW -j SET --add-set scanned_ports src,dst
+
+ss -tunlp | grep LISTEN | awk {'print $5'} | sed 's/.*://' | sort | uniq > /tmp/portyotwarte.txt
+
+for IP in $(cat /tmp/portyotwarte.txt); do iptables -A INPUT -p udp --dport $IP -j ACCEPT; done
+for IP in $(cat /tmp/portyotwarte.txt); do iptables -A INPUT -p tcp --dport $IP -j ACCEPT; done
+
+iptables -A INPUT -j DROP
+iptables -A FORWARD -j DROP
+
+rm /tmp/portyotwarte.txt
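Review bot: The closing `iptables -A INPUT -j DROP` is reached by every inbound packet that is not a new connection to a listening port, because nothing before it accepts loopback or reply traffic — so DNS answers, the download behind `apt install ipset`, and everything on `lo` are discarded, which is a plausible cause of the "Not working..." in the subject. Add `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` before the port-scan rules. Separately, `ss -tunlp | grep LISTEN` only matches TCP sockets (ss prints UDP sockets with state UNCONN), so the udp loop whitelists the TCP port list and no real UDP service is opened; the two `for IP in $(cat …)` loops should read the ports per protocol with `while IFS= read -r port` as in the excerpt below, which also drops the predictable `/tmp/portyotwarte.txt` that root truncates and later removes (a path any local user can pre-create) together with its trailing `rm`. Only `iptables` is configured, so if IPv6 is enabled the same host stays unfiltered over v6 until `ip6tables` receives equivalent rules. Finally, `apt install ipset` without `-y` blocks on a prompt and its failure is never checked, so the later `ipset create` and `-m set` rules fail silently; `set -e` at the top (or `|| exit 1` on that line) would surface it.
```shell
# … unchanged: flush, INVALID, ICMP and RST rules …
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# … unchanged: ipset creation and port-scan rules …
listening_ports() {  # $1 = tcp|udp; one local port per line, Netid is $1 and Local Address:Port is $5 in ss -tunl output
  ss -Htunl | awk -v proto="$1" '$1 == proto { print $5 }' | sed 's/.*://' | sort -u
}
while IFS= read -r port; do
  iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
done < <(listening_ports tcp)
while IFS= read -r port; do
  iptables -A INPUT -p udp --dport "$port" -j ACCEPT
done < <(listening_ports udp)
# … unchanged: final INPUT/FORWARD DROP rules …
```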