Скрипт Iptables - PullRequest
Новая
       8

Скрипт Iptables

0 голосов
/ 02 ноября 2018

Мой друг написал этот скрипт для защиты моего выделенного сервера несколько лет назад.

Но мне так и не удалось успешно это реализовать.

Когда я начал это, несколько лет назад все соединения были заблокированы (включая меня).

Я ничего не знаю о IPTables. Только для блокировки, разблокировки и списка заблокированных IP-адресов.

Не могли бы вы объяснить, как работает этот скрипт?

А почему это привело к блокировке всех попыток подключения? 

#!/bin/sh

###############################################################################
# 
# Local Settings
#

echo "Setuping local settings..."

# Iptables Location
IPT="/usr/local/sbin/iptables"
IPTS="/usr/local/sbin/iptables-save"
IPTR="/usr/local/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth0"

# Trusted (network that bypass by all rules)
TRUSTED_NETWORK="X.X.X.X/24"
TRUSTED_IFACE=""

# Localhost Interface
LO_IFACE="lo"

# Private services (protected from syn flood and brutaforce attacks, generialy for admin services like ftp, ssh,etc)
TCP_PRIVATE_SERVICES="3306,8081,1327,1433"
UDP_PRIVATE_SERVICES=""

# Protected services (protected from syn floods, generialy for public game servers)
TCP_PROTECTED_SERVICES="9998,9999"
UDP_PROTECTED_SERVICES=""

# Unprotected services (to handle much connections from one ip, generially for web servers)
TCP_UNPROTECTED_SERVICES="80,666,3000,43"
UDP_UNPROTECTED_SERVICES=""

# Ban time in seconds
BAN_TIME="600"

# How many connections try is allowed
PRIVATE_SERVICES_MAX_1MIN="10"
PROTECTED_SERVICES_MAX_30SEC="20"
PROTECTED_SERVICES_MAX_1MIN="30"
PROTECTED_SERVICES_MAX_5MIN="100"
GLOBAL_MAX_1SEC="20"
GLOBAL_MAX_5SEC="60"
GLOBAL_MAX_10SEC="80"

# Enable max connections filtering? (ipt_connlimit is needed)
ENABLE_CONNLIMIT="1"

# How many connections estabilished per ip is allowed
PRIVATE_SERVICES_MAX_CONN="15"
PROTECTED_SERVICES_MAX_CONN="15"
GLOBAL_MAX_CONN="30"

# Reject banned ips packets
REJECT_BANNED="1"



###############################################################################
#
# Kernel Parameter Configuration
#

echo "Reconfiguring kernel parameters..."

# Required to enable IPv4 forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward

# This enables SYN flood protection.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# This enables source validation
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Reconfigure some services to minimize security risk
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

# Minimize timeouts to avoid system resources overloading under DDoS attacks
echo "300" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout

# Disable TCP timestams (minimize traffic)
echo "0" > /proc/sys/net/ipv4/tcp_timestamps



###############################################################################
#
# Load Modules
#

echo "Loading kernel modules ..."

/sbin/modprobe ip_tables
/sbin/modprobe ipt_conntrack
/sbin/modprobe ipt_recent ip_list_tot=8192 ip_pkt_list_tot=64
/sbin/modprobe ipt_multiport
test $ENABLE_CONNLIMIT = "1" && /sbin/modprobe ipt_connlimit



###############################################################################
#
# Flush Any Existing Rules or Chains
#

echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X


#---delete by Long---# /etc/init.d/monitorix restart
###############################################################################
#
# Rules Configuration
#

echo "Setting default policies roles..."

# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP


echo "Creating and populating custom rule chains..."

# Create custom chains
$IPT -N global_accept
$IPT -N private_service_accept
$IPT -N protected_service_accept
$IPT -N ban_and_drop
$IPT -N icmp_inbound
$IPT -N udp_inbound
$IPT -N tcp_inbound


###### global_accept ######
$IPT -A global_accept -m recent --set --name global_accept_iplist
$IPT -A global_accept -m recent --hitcount $GLOBAL_MAX_10SEC --rcheck --seconds 10 --name global_accept_iplist -j ban_and_drop
$IPT -A global_accept -m recent --hitcount $GLOBAL_MAX_5SEC --rcheck --seconds 5 --name global_accept_iplist -j ban_and_drop
$IPT -A global_accept -m recent --hitcount $GLOBAL_MAX_1SEC --rcheck --seconds 1 --name global_accept_iplist -j ban_and_drop
test $ENABLE_CONNLIMIT = "1" && $IPT -A global_accept -m connlimit --connlimit-above $GLOBAL_MAX_CONN -j DROP
$IPT -A global_accept -j ACCEPT


###### private_service_accept ######
$IPT -A private_service_accept -m recent --set --name private_service_iplist
$IPT -A private_service_accept -m recent --hitcount $PRIVATE_SERVICES_MAX_1MIN --rcheck --seconds 60 --name private_service_iplist -j ban_and_drop
test $ENABLE_CONNLIMIT = "1" && $IPT -A private_service_accept -m connlimit --connlimit-above $PRIVATE_SERVICES_MAX_CONN -j ban_and_drop
$IPT -A private_service_accept -j ACCEPT


###### protected_service_accept ######
$IPT -A protected_service_accept -m recent --set --name protected_service_iplist
$IPT -A protected_service_accept -m recent --hitcount $PROTECTED_SERVICES_MAX_5MIN --rcheck --seconds 300 --name protected_service_iplist -j ban_and_drop
$IPT -A protected_service_accept -m recent --hitcount $PROTECTED_SERVICES_MAX_1MIN --rcheck --seconds 60 --name protected_service_iplist -j ban_and_drop
$IPT -A protected_service_accept -m recent --hitcount $PROTECTED_SERVICES_MAX_30SEC --rcheck --seconds 30 --name protected_service_iplist -j ban_and_drop
test $ENABLE_CONNLIMIT = "1" && $IPT -A protected_service_accept -m connlimit --connlimit-above $PROTECTED_SERVICES_MAX_CONN -j ban_and_drop
$IPT -A protected_service_accept -j ACCEPT


###### ban_and_drop ######
$IPT -A ban_and_drop -j LOG --log-prefix "Banned ip: "
$IPT -A ban_and_drop -m recent --set --name ban_iplist -j DROP


###### icmp_inbound chain ######
$IPT -A icmp_inbound -p ICMP --icmp-type 0 -j ACCEPT
$IPT -A icmp_inbound -p ICMP --icmp-type 3 -j ACCEPT
$IPT -A icmp_inbound -p ICMP --icmp-type 11 -j ACCEPT
$IPT -A icmp_inbound -p ICMP --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A icmp_inbound -p ICMP -j RETURN


###### udp_inbound chain ######
test ! -z $UDP_PRIVATE_SERVICES && $IPT -A udp_inbound -p UDP -m multiport --destination-ports $UDP_PRIVATE_SERVICES -j private_service_accept
test ! -z $UDP_PROTECTED_SERVICES && $IPT -A udp_inbound -p UDP -m multiport --destination-ports $UDP_PROTECTED_SERVICES -j protected_service_accept
test ! -z $UDP_UNPROTECTED_SERVICES && $IPT -A udp_inbound -p UDP -m multiport --destination-ports $UDP_UNPROTECTED_SERVICES -j global_accept
$IPT -A udp_inbound -p UDP -j RETURN


###### tcp_inbound chain ######
$IPT -A tcp_inbound -p TCP ! --tcp-flags ALL SYN -j DROP
test ! -z $TCP_PRIVATE_SERVICES && $IPT -A tcp_inbound -p TCP -m multiport --destination-ports $TCP_PRIVATE_SERVICES -j private_service_accept
test ! -z $TCP_PROTECTED_SERVICES && $IPT -A tcp_inbound -p TCP -m multiport --destination-ports $TCP_PROTECTED_SERVICES -j protected_service_accept
test ! -z $TCP_UNPROTECTED_SERVICES && $IPT -A tcp_inbound -p TCP -m multiport --destination-ports $TCP_UNPROTECTED_SERVICES -j global_accept
$IPT -A tcp_inbound -p TCP -j RETURN



###############################################################################
#
# INPUT Chain
#

echo "Processing INPUT chain..."

# Allow all on localhost interface
$IPT -A INPUT -i $LO_IFACE -j ACCEPT

# Allow trusted networks
test ! -z $TRUSTED_NETWORK && $IPT -A INPUT -s $TRUSTED_NETWORK -j ACCEPT
test ! -z $TRUSTED_IFACE && $IPT -A INPUT -i $TRUSTED_IFACE -j ACCEPT

# Drop INVALID packets
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept Established Connections
$IPT -A INPUT -i $INET_IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Check if the ip is banned and drop it
$IPT -A INPUT -m recent --update --hitcount 1 --name ban_iplist --seconds $BAN_TIME -j DROP

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_inbound


###############################################################################
#
# FORWARD Chain
#

echo "Process FORWARD chain ..."



###############################################################################
#
# OUTPUT Chain
#

echo "Process OUTPUT chain ..."

# Localhost
$IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# Trusted networks
test ! -z $TRUSTED_NETWORK && $IPT -A OUTPUT -d $TRUSTED_NETWORK -j ACCEPT
test ! -z $TRUSTED_IFACE && $IPT -A OUTPUT -o $TRUSTED_IFACE -j ACCEPT

# Check if it was banned and reject it (for TCP packets)
test $REJECT_BANNED = "1" && $IPT -A OUTPUT -p TCP -m recent --rdest --rcheck --hitcount 1 --name ban_iplist --seconds $BAN_TIME -j REJECT --reject-with tcp-reset

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT



###############################################################################
#
# nat table
#



###############################################################################
#
# PREROUTING chain
#



###############################################################################
#
# POSTROUTING chain
#



###############################################################################
#
# mangle table
#


###############################################################################
#
# Custom rules
#
...