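#!/bin/sh
# Host firewall: IPv4 iptables ruleset for a machine that accepts no new
# inbound connections. Loopback, replies to connections this host opened and
# rate-limited ping are the only exceptions. Rules are applied live, saved
# for iptables.service and the unit is restarted.
#
# Must be run as root. Configures IPv4 (iptables) only: ip6tables/IPv6 is not
# touched by this script, so IPv6 traffic is not filtered by it.
#
# NOTE(review): the TCP and UDP chains created below have no ACCEPT rules, so
# every new inbound connection is refused. When running this over a remote
# session, add the rules for the services you need (e.g. the SSH port) to the
# TCP chain before the port-scan rules, or the next session will be rejected
# once the current one ends.

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[ "$(id -u)" -eq 0 ] || die "this script must be run as root"

IPT='/usr/sbin/iptables'
RULES_FILE='/etc/iptables/iptables.rules'
[ -x "$IPT" ] || die "iptables not found at $IPT"

# Internet interface. A trailing '+' is an iptables wildcard ("eth+" matches
# eth0, eth1, ...). Not referenced by any rule below; kept for local additions.
INET_IFACE="eth0"

# Stop the persistent unit first so it does not fight the live changes below.
systemctl stop iptables.service

# RESET DEFAULT POLICIES to ACCEPT before flushing, so the flush itself
# cannot lock anything out.
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# FLUSH ALL RULES, ERASE NON-DEFAULT CHAINS
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

## creating chains
# New connections are dispatched to these per-protocol chains. They start
# empty, so nothing is accepted until rules are added to them.
$IPT -N TCP
$IPT -N UDP

## Set policies for the chains
# Only block incoming traffic: forwarding is disabled, outbound is open.
# INPUT is switched to DROP before the ACCEPT rules are appended, so the
# host fails closed if the script aborts part-way.
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP

# Ping: record each echo-request source; a source with 5 or more requests in
# the last 3 seconds is dropped, the rest are answered. These rules come
# before the loopback rule, so pings to 127.0.0.1 are counted as well.
$IPT -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set
$IPT -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 5 --seconds 3 -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Replies to connections this host opened, and loopback, are always allowed;
# packets conntrack cannot classify are dropped.
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

# New connections go to the per-protocol chains. Whatever falls off the end
# of those chains returns here and is rejected with a protocol-appropriate
# error instead of being silently dropped.
$IPT -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
$IPT -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
$IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPT -A INPUT -p tcp -j REJECT --reject-with tcp-rst
$IPT -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Port-scan handling: a source that hit a closed port is remembered for 60
# seconds and refused on every port of that protocol during that time. The
# final per-protocol REJECT is replaced by one that also records the source.
# A legitimate client that probes one wrong port is affected the same way.
# SYN scans
$IPT -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
$IPT -D INPUT -p tcp -j REJECT --reject-with tcp-rst
$IPT -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
# UDP scans
$IPT -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
$IPT -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach
$IPT -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach

# Restore the Final Rule: move the catch-all REJECT back to the end so it
# sits after the rules appended above.
$IPT -D INPUT -j REJECT --reject-with icmp-proto-unreachable
$IPT -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Persist for iptables.service. A failed save must not be followed by the
# restart below, which would reload whatever the old rules file contains.
[ -d "${RULES_FILE%/*}" ] || die "${RULES_FILE%/*} does not exist; cannot save rules"
iptables-save > "$RULES_FILE" || die "iptables-save to $RULES_FILE failed"
#systemctl enable iptables.service
systemctl restart iptables.service || die "iptables.service failed to restart"
systemctl status iptables.service
$IPT -nvL --line-numbers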