Last active
April 22, 2023 10:28
-
-
Save A-xis/81e24bad91d861f6c4fd to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| function startFw { | |
| #Some ban | |
| function banFw { | |
| /sbin/iptables -A INPUT -s $1 -j DROP | |
| } | |
| banFw 41.228.12.228 #brute force ssh | |
| banFw 220.247.238.16 #brute force ssh | |
| banFw 218.85.135.29 #brute force ssh | |
| banFw 178.33.81.38 #w00tw00t | |
| banFw 8.22.205.70 #brute force ssh | |
| banFw 37.49.226.181 #phpmyadmin brute force | |
| banFw 209.15.226.176 #brute force ssh | |
| banFw 37.59.238.177 #brute force ssh | |
| banFw 85.214.245.56 #brute force SSH | |
| # Ping | |
| /sbin/iptables -A INPUT -p icmp -j ACCEPT | |
| /sbin/iptables -A OUTPUT -p icmp -j ACCEPT | |
| # WHOIS | |
| /sbin/iptables -A OUTPUT -p tcp --dport 43 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| /sbin/iptables -A INPUT -p tcp --sport 43 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # SSH Server | |
| /sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT | |
| /sbin/iptables -A OUTPUT -p tcp --sport ssh -j ACCEPT | |
| /sbin/iptables -A INPUT -p tcp --sport ssh -j ACCEPT | |
| /sbin/iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT | |
| # NTP | |
| #/sbin/iptables -A INPUT -p UDP --dport 123 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p UDP --sport 123 -j ACCEPT | |
| /sbin/iptables -A INPUT -p UDP --sport 123 -j ACCEPT | |
| /sbin/iptables -A OUTPUT -p UDP --dport 123 -j ACCEPT | |
| # X11 forwarding | |
| #/sbin/iptables -A OUTPUT -p tcp --dport 6010 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 6010 -j ACCEPT | |
| #/sbin/iptables -A INPUT -p tcp --dport 6010 -j ACCEPT | |
| #/sbin/iptables -A INPUT -p tcp --sport 6010 -j ACCEPT | |
| # Web Server | |
| /sbin/iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| /sbin/iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| /sbin/iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| /sbin/iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # Web Client | |
| /sbin/iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| /sbin/iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| /sbin/iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| /sbin/iptables -A INPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # Jabber | |
| #/sbin/iptables -A OUTPUT -p tcp --dport 5222:5223 -j ACCEPT | |
| #/sbin/iptables -A INPUT -p tcp --sport 5222:5223 -j ACCEPT | |
| # IRC | |
| #/sbin/iptables -A OUTPUT -p tcp --dport 6666:6669 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| #/sbin/iptables -A INPUT -p tcp --sport 6666:6669 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # DNS Server (Requests) | |
| # Input Requests | |
| #/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p udp --sport 53 -j ACCEPT | |
| # Output Requests | |
| /sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT | |
| /sbin/iptables -A INPUT -p udp --sport 53 -j ACCEPT | |
| # DNS Server (AXFR) | |
| #/sbin/iptables -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # Mumble 64738 => 64741 | |
| #TCP | |
| #/sbin/iptables -A INPUT -p tcp --dport 64738:64741 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 64738:64741 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| #UDP | |
| #/sbin/iptables -A INPUT -p udp --dport 64738:64741 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p udp --sport 64738:64741 -j ACCEPT | |
| # Minecraft | |
| #/sbin/iptables -A INPUT -p tcp --dport 25565 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 25565 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # | |
| #END GAME | |
| # | |
| # POP3 Mail | |
| #/sbin/iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # IMAP Mail | |
| #/sbin/iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # SMTP Sendmail | |
| /sbin/iptables -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| /sbin/iptables -A INPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # SMTP TLS Sendmail | |
| /sbin/iptables -A OUTPUT -p tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| /sbin/iptables -A INPUT -p tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # Oidentd | |
| #/sbin/iptables -A INPUT -p tcp --dport 113 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 113 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # MySQL | |
| /sbin/iptables -A INPUT -i lo -j ACCEPT | |
| /sbin/iptables -A OUTPUT -o lo -j ACCEPT | |
| #transmission smurf | |
| #/sbin/iptables -A INPUT -p tcp --dport 55555 -j ACCEPT | |
| #/sbin/iptables -A INPUT -p tcp --sport 55555 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 55555 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --dport 55555 -j ACCEPT | |
| #admin | |
| #/sbin/iptables -A INPUT -p tcp --dport 9091 -j ACCEPT | |
| #/sbin/iptables -A INPUT -p tcp --sport 9091 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 9091 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --dport 9091 -j ACCEPT | |
| #t411 | |
| #/sbin/iptables -A INPUT -p tcp --dport 56969 -j ACCEPT | |
| #/sbin/iptables -A INPUT -p tcp --sport 56969 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --sport 56969 -j ACCEPT | |
| #/sbin/iptables -A OUTPUT -p tcp --dport 56969 -j ACCEPT | |
| # ROUTING OPENVPN | |
| #iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | |
| #Politiques par défaut | |
| /sbin/iptables -P INPUT DROP | |
| /sbin/iptables -P FORWARD DROP | |
| /sbin/iptables -P OUTPUT DROP | |
| echo "Firewall started" | |
| } | |
| function stopFw { | |
| echo "*filter" > /data/scripts/fail2ban.firewall | |
| /sbin/iptables-save | grep fail2ban >> /data/scripts/fail2ban.firewall | |
| echo "COMMIT" >> /data/scripts/fail2ban.firewall | |
| /sbin/iptables -P INPUT ACCEPT | |
| /sbin/iptables -P OUTPUT ACCEPT | |
| /sbin/iptables -P FORWARD ACCEPT | |
| /sbin/iptables -F | |
| /sbin/iptables-restore -c < /data/scripts/fail2ban.firewall | |
| echo "Firewall stopped" | |
| } | |
| function helpMsg { | |
| echo "Usage : firewall [start|stop|restart]" | |
| } | |
| if [ $# -eq 0 ]; then | |
| /sbin/iptables -L | |
| elif [ $# -eq 1 ]; then | |
| if [ $1 = "start" ]; then | |
| startFw | |
| exit | |
| elif [ $1 = "stop" ]; then | |
| stopFw | |
| exit | |
| elif [ $1 = "restart" ]; then | |
| stopFw | |
| startFw | |
| exit | |
| else | |
| helpMsg | |
| exit | |
| fi | |
| else | |
| helpMsg | |
| exit | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment