irwanmohi
/
SEVPNsetup


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166
							#!/bin/sh
DEF_IF=$(route | grep '^default' | grep -o '[^ ]*$')
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -X
iptables -X -t nat
iptables -F
iptables -F -t nat

##############################
### ATTACKS
##############################
# All TCP sessions should begin with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
# Limit the number of incoming tcp connections
# incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
# fragmented ICMP - sign of DoS attack
iptables -A INPUT --fragment -p ICMP -j DROP
#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
#Force Fragments packets check
iptables -A INPUT -f -j DROP
#Incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# invalid and suspicious packets
iptables -A INPUT -m state --state INVALID -j DROP
# Stealth scan 1
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "FWLOG: Stealth scan (1): "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Stealth scan 2
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "FWLOG: Stealth scan (2): "
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Stealth scan 3
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "FWLOG: Stealth scan (3): "
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Stealth scan 4
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "FWLOG: Stealth scan (4): "
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Stealth scan 5
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "FWLOG: Stealth scan (5): "
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Stealth scan 6
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "FWLOG: Stealth scan (6): "
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Port scan
iptables -N port-scan
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP


iptables -A INPUT -i $DEF_IF -m state --state NEW,ESTABLISHED,RELATED -p udp -m multiport --dports 22,80,443,995,5555,400,500,1194:1196 -j ACCEPT
iptables -A INPUT -i $DEF_IF -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 22,80,443,995,5555,400,500,1194:1196 -j ACCEPT
iptables -A OUTPUT -o $DEF_IF -p tcp -m multiport --sports 22,80,443,995,5555,400,500,1194:1196 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $DEF_IF -p udp -m multiport --sports 22,80,443,995,5555,400,500,1194:1196 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $DEF_IF -m state --state NEW,ESTABLISHED,RELATED -p udp -m multiport --dports 993,8080,3128 -j ACCEPT
iptables -A INPUT -i $DEF_IF -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 993,8080,3128 -j ACCEPT
iptables -A OUTPUT -o $DEF_IF -p tcp -m multiport --sports 993,8080,3128  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $DEF_IF -p udp -m multiport --sports 993,8080,3128 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p udp -o $DEF_IF -j ACCEPT
iptables -A INPUT -p udp -i $DEF_IF -j ACCEPT

#minecraft
iptables -A INPUT -i $DEF_IF -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 25655:25680 -j ACCEPT
iptables -A OUTPUT -o $DEF_IF -p tcp -m multiport --sports 25655:25680 -m state --state RELATED,ESTABLISHED -j ACCEPT

#allow tun+
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o $DEF_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $DEF_IF -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -o ens0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ens0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

#iptables -t nat -A PREROUTING -i tap_soft -p udp --dport 53 -j DNAT --to-destination 192.168.199.1:53
#iptables -t nat -A PREROUTING -i tap_soft -p udp --dport 5353 -j DNAT --to-destination 192.168.199.1:53
#iptables -t nat -A PREROUTING -i tap_soft -p tcp --dport 5353 -j DNAT --to-destination 192.168.199.1:53
#iptables -t nat -A PREROUTING -i tap_soft -p tcp --dport 53 -j DNAT --to-destination 192.168.199.1:53
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 208.67.222.123 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 208.67.220.123 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 81.218.119.11 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 209.88.198.133 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 199.85.126.20 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 199.85.127.20 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 5.5.0.1 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 8.8.4.4 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 208.67.220.220 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i tap_soft -p udp --dport 5353 -j ACCEPT

#allow ssh,www,https, letsencrypt

iptables -A OUTPUT -p tcp -m multiport --dports 22,80,443,54321 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 22,80,443,54321 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80,443,54321 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443,54321 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -m multiport --dports 995,3128,992,5555,8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 995,3128,992,5555,8080 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 995,3128,992,5555,8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sport 995,3128,992,5555,8080 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

#rsync
iptables -A INPUT -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 51413 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 51413 -m state --state ESTABLISHED -j ACCEPT

#mysql
iptables -A INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i tap_soft -j ACCEPT
iptables -A OUTPUT -o tap_soft -j ACCEPT
iptables -A FORWARD -i tap_soft -j ACCEPT
iptables -A FORWARD -i tap_soft -o $DEF_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $DEF_IF -o tap_soft -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 53,67,68 -j ACCEPT
iptables -A INPUT -p udp -m multiport --sports 53,67,68 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 53,67,68 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 53,67,68 -j ACCEPT

iptables -A OUTPUT -p udp -m multiport --dports 60000:61000 -j ACCEPT
iptables -A INPUT -p udp -m multiport --sports 60000:61000 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 60000:61000 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 60000:61000 -j ACCEPT

#nat
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/12 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

#ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#save rules
iptables-save > /etc/iptables/rules.v4
echo 1 > /proc/sys/net/ipv4/ip_forward
sudo sed -i 's/#net.ipv4.ip_forward/net.ipv4.ip_forward/g' /etc/sysctl.conf
sudo sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf