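#!/bin/bash
#
# Host firewall bootstrap (IPv4 / iptables only).
#
# What it does, in order:
#   1. flushes every existing iptables rule (filter, nat, mangle),
#   2. drops INVALID packets and common ICMP reconnaissance probes,
#   3. traps port scanners: a source that hits more than a handful of
#      new (src,port) pairs is put into the "port_scanners" ipset and
#      dropped for 10 minutes,
#   4. opens the TCP/UDP ports this host is listening on,
#   5. drops everything else in INPUT and FORWARD.
#
# Must run as root.  Environment overrides (all optional):
#   IFACE              interface whose IPv4 address is used for the anti-spoof
#                      rule (default: eth0 — most modern distros use names like
#                      ens3/enp0s3, so set this if eth0 does not exist)
#   ALLOWED_TCP_PORTS  space-separated list of TCP ports to open instead of
#                      auto-detecting the ports currently listening
#   ALLOWED_UDP_PORTS  same for UDP
#
# Caveats a deployer must know:
#   * Only iptables (IPv4) is touched.  ip6tables is left as-is, so if this host
#     has a global IPv6 address none of this filtering applies to IPv6 traffic.
#   * Rules are not persisted; they are gone after a reboot unless saved
#     (e.g. `netfilter-persistent save`).
#   * Auto-detected ports are whatever happens to be listening when the script
#     runs.  That is convenient but permissive — prefer ALLOWED_*_PORTS on
#     production hosts and re-run the script when services change.
#   * The scanner trap drops a flagged source entirely (including from ports
#     that are otherwise open) until its ipset entry expires (600 s).
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "must run as root"

# ipset backs the scanner/scanned sets; install it non-interactively only when
# it is actually missing (the original unconditional `apt install` prompted and
# was not checked for failure).
if ! command -v ipset >/dev/null 2>&1; then
  apt-get install -y ipset || die "cannot install ipset"
fi
for tool in iptables ip ss; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

readonly IFACE=${IFACE:-eth0}

# Primary IPv4 address of IFACE.  iproute2's `ip` is used instead of ifconfig:
# it is the same package as the `ss` used below, and net-tools may be absent or
# print "inet addr:x.x.x.x" on older versions, which broke the old awk field.
host_ip=$(ip -4 -o addr show dev "$IFACE" 2>/dev/null \
  | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }')
[[ -n "$host_ip" ]] || die "no IPv4 address on $IFACE (set IFACE=<interface>)"

# Start from a clean slate in every table (previous runs, distro defaults).
# Default policies stay ACCEPT, so an SSH session survives the flush; the
# explicit DROP rules at the end close things again.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done

# Packets conntrack cannot classify are never wanted, in any direction.
for chain in INPUT FORWARD OUTPUT; do
  iptables -A "$chain" -m conntrack --ctstate INVALID -j DROP
done

# Loopback first, so local services need no per-port rule.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Anti-spoofing.  A packet whose source is our own address can only
# legitimately arrive on lo (accepted above).  The original script ACCEPTed
# such packets on every interface, which let anyone bypass the whole rule set
# by forging the source address; drop them instead.
iptables -A INPUT -s "$host_ip" -j DROP

# Replies to connections this host initiated (DNS, apt, NTP, ...).  The
# original rule set had no such rule, so every outbound connection's return
# traffic hit the final DROP.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ICMP reconnaissance: no ping replies, no address-mask / timestamp answers.
# (Dropping echo-request also hides the host from legitimate ping monitoring —
# a deliberate choice inherited from the original script.)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP

# Rate-limit inbound TCP RSTs; anything above 2/s falls through to the final DROP.
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST \
  -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Port-scan trap.
#   port_scanners : sources flagged as scanners, dropped for 600 s
#   scanned_ports : (src ip, dst port) pairs already seen, so a repeat hit on the
#                   same port within 60 s is not counted again
# -exist lets the script be re-run without "set already exists" errors
# (members, including currently blocked scanners, are kept).
ipset -exist create port_scanners hash:ip      family inet hashsize 32768 maxelem 65536 timeout 600
ipset -exist create scanned_ports hash:ip,port family inet hashsize 32768 maxelem 65536 timeout 60

# 1. A NEW connection to a port this source has not touched recently counts
#    toward its budget: 5 distinct ports in a burst, then 1 per hour.  Over
#    budget => the source is added to port_scanners.
iptables -A INPUT -m conntrack --ctstate NEW \
  -m set ! --match-set scanned_ports src,dst \
  -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 \
     --hashlimit-mode srcip --hashlimit-name portscan --hashlimit-htable-expire 10000 \
  -j SET --add-set port_scanners src --exist
# 2. Flagged sources get nothing, not even the open ports below.
iptables -A INPUT -m conntrack --ctstate NEW -m set --match-set port_scanners src -j DROP
# 3. Remember the (src, port) pair so it is not counted twice.
iptables -A INPUT -m conntrack --ctstate NEW -j SET --add-set scanned_ports src,dst

# Ports currently listening for the given protocol ("t" or "u"), one per line.
# ss reports TCP listeners as LISTEN but UDP sockets as UNCONN, so the original
# `grep LISTEN` never found any UDP port (and opened the TCP ports for UDP
# instead).  Sockets bound only to loopback are skipped: they cannot be reached
# from outside, so opening their port in the firewall only widens the surface.
listening_ports() {
  local proto=$1
  ss -ln "-$proto" \
    | awk 'NR > 1 && $4 !~ /^(127\.|\[::1\])/ { sub(/.*:/, "", $4); print $4 }' \
    | sort -un
}

if [[ -n "${ALLOWED_TCP_PORTS:-}" ]]; then
  read -ra tcp_ports <<<"$ALLOWED_TCP_PORTS"
else
  mapfile -t tcp_ports < <(listening_ports t)
fi
if [[ -n "${ALLOWED_UDP_PORTS:-}" ]]; then
  read -ra udp_ports <<<"$ALLOWED_UDP_PORTS"
else
  mapfile -t udp_ports < <(listening_ports u)
fi

# Port lists are validated before being spliced into iptables arguments.
# (The ${arr[@]+...} form keeps `set -u` happy on an empty array in bash < 4.4.)
for port in ${tcp_ports[@]+"${tcp_ports[@]}"}; do
  [[ $port =~ ^[0-9]+$ ]] || die "invalid TCP port: $port"
  iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
done
for port in ${udp_ports[@]+"${udp_ports[@]}"}; do
  [[ $port =~ ^[0-9]+$ ]] || die "invalid UDP port: $port"
  iptables -A INPUT -p udp --dport "$port" -j ACCEPT
done

# Everything not explicitly allowed above is dropped.  OUTPUT keeps its ACCEPT
# policy (the original `-d <own ip> ACCEPT` rule there was a no-op for the same
# reason and is intentionally gone).
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP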