Not working...
This commit is contained in:
parent
98f75ac326
commit
97e1c41da5
31
firewall_ferexio_version.sh
Normal file
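--- /dev/null
+++ b/firewall_ferexio_version.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+apt install ipset
+
+iptables -F
+iptables -t nat -F
+iptables -t mangle -F
+iptables -X
+iptables -A INPUT -m state --state INVALID -j DROP
+iptables -A FORWARD -m state --state INVALID -j DROP
+iptables -A OUTPUT -m state --state INVALID -j DROP
+iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
+iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
+iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
+iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
+
+ipset create port_scanners hash:ip family inet hashsize 32768 maxelem 65536 timeout 600
+ipset create scanned_ports hash:ip,port family inet hashsize 32768 maxelem 65536 timeout 60
+
+iptables -A INPUT -m state --state NEW -m set ! --match-set scanned_ports src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name portscan --hashlimit-htable-expire 10000 -j SET --add-set port_scanners src --exist
+iptables -A INPUT -m state --state NEW -m set --match-set port_scanners src -j DROP
+iptables -A INPUT -m state --state NEW -j SET --add-set scanned_ports src,dst
+
+ss -tunlp | grep LISTEN | awk {'print $5'} | sed 's/.*://' | sort | uniq > /tmp/portyotwarte.txt
+
+for IP in $(cat /tmp/portyotwarte.txt); do iptables -A INPUT -p udp --dport $IP -j ACCEPT; done
+for IP in $(cat /tmp/portyotwarte.txt); do iptables -A INPUT -p tcp --dport $IP -j ACCEPT; done
+
+iptables -A INPUT -j DROP
+iptables -A FORWARD -j DROP
+
+rm /tmp/portyotwarte.txt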
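Review bot: Nothing accepts loopback or return traffic before the final `iptables -A INPUT -j DROP`, so replies to the host's own outbound connections (DNS, apt, the `apt install ipset` on line 2 on a rerun) and anything bound to 127.0.0.1 are dropped, which is the most likely cause of the "Not working" in the title; add `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` directly after the three INVALID rules. The port snapshot is also incomplete: `ss -tunlp | grep LISTEN` never matches UDP sockets (ss reports them as UNCONN), so the UDP loop opens the TCP ports on UDP and no real UDP listener, and because the ACCEPT rules sit after the port-scanner rules, a legitimate client touching more than five distinct ports within an hour is banned for 600 s. Writing that snapshot to the fixed path `/tmp/portyotwarte.txt` is a symlink/race hazard for a script that runs as root; pipe `ss` straight into the loops or use `mktemp` with a `trap` cleanup. The rules are only installed for IPv4 (ip6tables is never touched), so on a dual-stack host nothing here applies to IPv6 — worth stating in a header comment if that is intended.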