Hallo,
da ich nun einen KVM-Server habe und keinen vServer mehr musste ich auf die IPTables umsteigen. Ein Bekannter hat mir nen nettes Script geschickt und soweit angepasst. Kann da mal wer drüber schauen und konstruktive Kritik üben?
Danke!
Bash
#!/bin/bash
#
# Quick & Dirty IPTABLES Script 2012
#
#
# LOGNDROP log to seperate file
#joe /etc/syslog.conf
#kern.debug -/var/log/DoS.log
#/etc/init.d/sysklogd restart
#/etc/init.d/klogd restart
IPT="/sbin/iptables"
EXT_1="SERVERIP"
CLEAR(){
# clear iptables
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F LOGNDROP
$IPT -F # will delete all rules from filter table
$IPT -F -t nat # will delete all rules from nat table
$IPT -F -t mangle # will delete all rules from mangle table
}
LOCALHOST(){
# allow all lo
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
}
FILTER(){
# some filtering
$IPT -A INPUT -p icmp --icmp-type 8 -j DROP
$IPT -A OUTPUT -p icmp --icmp-type 8 -j DROP
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
$IPT -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT # Anti-SYN
$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT # Anti Portscan
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/sec -j ACCEPT # Anti Ping-of-Death
# broken packets
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#new Chain for logging
$IPT -N LOGNDROP
$IPT -A LOGNDROP -j LOG -m limit --limit 1/min --log-prefix "[DoS]: " --log-level 7
$IPT -A LOGNDROP -j DROP
#limit connections per minute from single ip to 10 (HTTP)
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name http
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name http -j LOGNDROP
#teamspeak udp
$IPT -A INPUT -p udp -d $EXT_1 --dport 9987 -j ACCEPT
}
EXT_INPUT_ACCEPT(){
# allow related connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
WHITELIST="SERVERIP MEINEIPCLIENT"
for x in $WHITELIST; do
$IPT -A INPUT -s $x -d $EXT_1 -j ACCEPT
done;
TCPPORTS="41144 10011 30033 SSH PORT 21 80"
for x in $TCPPORTS; do
$IPT -A INPUT -p tcp -d $EXT_1 --dport $x -j ACCEPT
done;
# limit PPS
#$IPT -A INPUT -p tcp -d $EXT_1 --dport 50001 -m limit --limit 15/s --limit-burst 25 -j ACCEPT
#$IPT -A INPUT -p tcp -d $EXT_1 --dport 50005 -m limit --limit 10/s --limit-burst 15 -j ACCEPT
#$IPT -A INPUT -p tcp -d $EXT_1 --dport 50004 -m limit --limit 5/s --limit-burst 10 -j ACCEPT
}
DEF_DROP(){
# DEFAULT DROP ALL OTHER
$IPT -A INPUT -j DROP
#$IPT -A FORWARD -j DROP
}
if [ ! -z "$1" ]; then
if [ "$1" = "start" ]; then
sh $0 stop
LOCALHOST;
FILTER;
EXT_INPUT_ACCEPT;
DEF_DROP;
echo "rules loaded";
exit
fi
if [ "$1" = "stop" ]; then
CLEAR;
if [ $? = 0 ]; then echo "Rules cleared"; else echo "error in CLEARing rules!"; fi
fi
if [ "$1" = "restart" ]; then
sh $0 start
fi
if [ "$1" = "status" ]; then
$IPT -L -vnx
$IPT -vxn -L POSTROUTING -t nat
$IPT -vnx -L PREROUTING -t nat
fi
else
echo "usage $0 start | stop | status | restart"
fi
Display More