#!/bin/sh
#Rules by Gaetan. Add discord: 'Gaetan#0099' to get help.
#Thanks to Yooniks (mc-protection.eu) Best protection for minecraft server.
#Version: 1.3
#If you have any problem with these rules, add me on discord.
#/!\
# - I am not responsible if your provider does not accept these rules.
# - These rules are an extra layer; you must still have network-level anti-DDoS protection.
# - Please modify the "Whitelist your own port" before activating the rules on your server.
#/!\
#Enjoy.
#------------------------------------------------------------------------------------------
#Variable
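IPTABLES="${IPTABLES:-sudo iptables}" # The iptables command. Can be overridden from the
# environment (e.g. IPTABLES=/sbin/iptables when already root);
# it is expanded unquoted below on purpose so "sudo iptables" splits
# into two words.
MINECRAFT_PORT="${MINECRAFT_PORT:-25565}" # The port of your minecraft server (environment override allowed).
burstconns=2 # Max new connections per second accepted by the BotManager chain
# (-m limit). This is highly useful when somebody starts an attack
# because it basically makes his attack have no visual effect.
#
# Don't rely solely on this as this doesn't really fix the issue,
# it just gets rid of suspicious IPs.
# NOTE(review): -m limit is a single global bucket, not per source IP,
# so a flood also consumes the budget of legitimate players.
burstconnstimestamp=1 # Max new connections per second for SYNs that carry a TCP
# timestamp option. The author's note: it drops the handshake of old
# linux users and very old windows (estimated 80% not legit) and can
# prevent a lot of spambots.
# NOTE(review): Linux enables TCP timestamps by default, so legitimate
# players from such systems are rate-limited too -- confirm the impact
# before enabling the experimental rules that use this value.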
#------------------------------------------------------------------------------------------
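echo "Firewall currently loading..."
# Reset: flush every rule and delete every user-defined chain in the
# filter, mangle and raw tables (the nat table is left untouched).
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t raw -F
$IPTABLES -t raw -X
echo "Firewall - The rules was reset."
# Default policies: everything is accepted unless a rule below drops it.
# NOTE(review): because INPUT stays ACCEPT, this script closes no port at
# all; the "whitelist" ACCEPT rules further down only have an effect if
# the policy is ever changed to DROP.
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
echo "Firewall - All the trafic was allowed."
# Enforce the TCP 3-way handshake: packets of connections conntrack already
# knows pass; any other TCP packet that is not a bare SYN is dropped.
# mangle/PREROUTING runs before the routing decision, so this applies to
# forwarded traffic as well, and it may drop packets of connections that
# conntrack has not tracked.
$IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -p tcp ! --tcp-flags ALL SYN -j DROP
echo "Firewall - Enabling logic of 3w handshake."
#------------------------------------------------------------------------------------------
# Whitelist your own port.
# This can be useful if you have plugins with license.
# Here are several examples of ports for a Minecraft server.
# If you use BungeeCord/Velocity, follow this to block the BungeeCord exploit:
# https://www.spigotmc.org/wiki/firewall-guide/
# Whitelist redis port.
# NOTE(review): this accepts 6379 from any source. Should the INPUT policy
# ever become DROP, restrict it to the hosts that need it, e.g. add
# `-s <trusted-host>` (or `-i lo` for a Redis used only locally).
$IPTABLES -A INPUT -p tcp --dport 6379 -j ACCEPT
echo "Firewall - WL Redis port."
#------------------------------------------------------------------------------------------
#------------------------------------------------------------------------------------------
# LIMITATION rules
# Limitation for the default minecraft port to prevent bot attacks.
# BotManager: accept at most $burstconns new (SYN) connections per second to
# MINECRAFT_PORT and drop the rest; packets for other ports return to INPUT.
# NOTE(review): -m limit is one global bucket, not per source IP, so a flood
# also starves legitimate players; `-m hashlimit --hashlimit-mode srcip` is
# the per-source alternative.
$IPTABLES -N BotManager
$IPTABLES -F BotManager
$IPTABLES -A BotManager -p tcp --dport "$MINECRAFT_PORT" --syn -m limit --limit "$burstconns/s" -j ACCEPT
$IPTABLES -A BotManager -p tcp --dport "$MINECRAFT_PORT" --syn -j DROP
# INPUT was flushed above, so there is no stale jump to delete first;
# the old "-D INPUT -p tcp -j BotManager" could only ever fail here.
$IPTABLES -A INPUT -p tcp -j BotManager
echo "Firewall - Basic limitation for default minecraft port."
# Limitation to prevent ssh bruteforce: record every NEW connection to the
# ssh port, and drop the source once it made 10 of them within 60 seconds.
# The --update rule also refreshes the last-seen time, so a source that
# keeps retrying stays blocked.
$IPTABLES -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
$IPTABLES -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
echo "Firewall - Limitation to prevent ssh bruteforce."
#------------------------------------------------------------------------------------------
#------------------------------------------------------------------------------------------
#EXPERIMENTAL rules
# /!\ Drop SYNs that carry a TCP timestamp option (option 8) to MINECRAFT_PORT
# beyond $burstconnstimestamp per second.
# (This can fix some exploits, but it is an experimental rule!) /!\
$IPTABLES -t mangle -A PREROUTING -p tcp --dport "$MINECRAFT_PORT" -m tcp --syn --tcp-option 8 -m limit --limit "$burstconnstimestamp/s" -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -p tcp --dport "$MINECRAFT_PORT" -m tcp --syn --tcp-option 8 -j DROP
echo " "
# Report the configured limit instead of a hard-coded "3 per sec" that did
# not match the variable.
echo "Firewall - Drop all packet with timestamp on MINECRAFT_PORT if it limit $burstconnstimestamp per sec."
echo " "
#------------------------------------------------------------------------------------------
echo "Firewall applied successfully."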