I found these scripts years ago and decided to use them. I might as well share them.

First, ipset and iptables need to be installed

apt install iptables ipset

Now we need to create the ipset lists

ipset create drop hash:net
ipset create allowHTTPS hash:net
ipset create allowSSH hash:net
ipset create directHTTPS hash:net
ipset create google hash:net

The script that updates the country zone files and the address lists, stored at /etc/iptables/update.sh. If you go to the ipdeny site you can find which countries you can add.

#!/bin/bash

wget -q 'http://ipdeny.com/ipblocks/data/countries/ru.zone' -O /etc/iptables/zone/ru.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/cn.zone' -O /etc/iptables/zone/cn.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/in.zone' -O /etc/iptables/zone/in.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/iq.zone' -O /etc/iptables/zone/iq.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/jp.zone' -O /etc/iptables/zone/jp.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/kp.zone' -O /etc/iptables/zone/kp.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/kr.zone' -O /etc/iptables/zone/kr.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/id.zone' -O /etc/iptables/zone/id.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/cf.zone' -O /etc/iptables/zone/cf.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/za.zone' -O /etc/iptables/zone/za.zone
wget -q 'http://ipdeny.com/ipblocks/data/countries/co.zone' -O /etc/iptables/zone/co.zone
wget -q 'https://www.cloudflare.com/ips-v4' -O /etc/iptables/list/CF.list

for i in $(cat /etc/iptables/zone/*.zone ); do ipset -exist -A drop "$i"; done
for i in $(cat /etc/iptables/list/CF.list ); do ipset -exist -A allowHTTPS "$i"; done
for i in $(cat /etc/iptables/list/allowSSH.list ); do ipset -exist -A allowSSH "$i"; done
for i in $(cat /etc/iptables/list/directHTTPS.list ); do ipset -exist -A directHTTPS "$i"; done

ipset save > /etc/iptables/ipset.save

Now we want to run the update script

chmod +x /etc/iptables/update.sh
bash -x /etc/iptables/update.sh
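A stricter version of the update script, added here as an example; it is not the original poster's script. It keeps the same paths, set names and country list, but validates every line as an IPv4 CIDR before handing it to ipset, keeps the previous zone file when a download fails (a plain wget -O truncates the file on failure), refuses to install an empty set, and loads each set through a temporary set and ipset swap so that prefixes removed upstream also leave the live set. The function names, the _tmp set suffix and the ZONE_DIR/LIST_DIR variables are this example's own choices, and nothing touches the live firewall unless the script is run with --apply.

```shell
#!/bin/sh
# Added example (not the original poster's script): a stricter update.sh.
# Paths, set names and country codes follow the post; function names, the
# _tmp set suffix and the ZONE_DIR/LIST_DIR variables are this example's own.
set -u
ZONE_DIR="${ZONE_DIR:-/etc/iptables/zone}"
LIST_DIR="${LIST_DIR:-/etc/iptables/list}"

# is_ipv4_cidr ENTRY: true for a.b.c.d or a.b.c.d/n with octets 0-255, n 0-32.
is_ipv4_cidr() {
    entry="$1"
    case "$entry" in
        */*) ip="${entry%/*}"; prefix="${entry#*/}" ;;
        *)   ip="$entry"; prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # digits and dots only; no leading, trailing or doubled dots
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore_stream SET FILE...: emit an 'ipset restore' script that fills
# SET_tmp from the files (skipping blanks, comments and malformed entries),
# then swaps it with SET and destroys the old contents.
build_restore_stream() {
    setname="$1"; shift
    tmpset="${setname}_tmp"
    first=; rest=
    printf 'create %s hash:net\n' "$tmpset"
    cat -- "$@" | while read -r first rest || [ -n "$first" ]; do
        first="${first%%#*}"
        [ -n "$first" ] || continue
        if is_ipv4_cidr "$first"; then
            printf 'add %s %s\n' "$tmpset" "$first"
        else
            printf 'skipping malformed entry: %s\n' "$first" >&2
        fi
    done
    printf 'swap %s %s\ndestroy %s\n' "$tmpset" "$setname" "$tmpset"
}

# fetch_file URL DEST: replace DEST only after a successful, non-empty download
# (a plain 'wget -O DEST' leaves an empty file behind when the fetch fails).
fetch_file() {
    url="$1"; dst="$2"
    dl="$(mktemp "$dst.XXXXXX")" || return 1
    if wget -q "$url" -O "$dl" && [ -s "$dl" ]; then
        mv -f -- "$dl" "$dst"
    else
        rm -f -- "$dl"
        printf 'fetch failed for %s, keeping previous copy\n' "$url" >&2
        return 1
    fi
}

# reload_set SET FILE...: build the stream, refuse to install an empty set
# (that would silently switch the blocklist off), then apply it atomically.
reload_set() {
    target="$1"; shift
    stream="$(mktemp)" || return 1
    build_restore_stream "$target" "$@" > "$stream"
    if ! grep -q '^add ' "$stream"; then
        printf 'refusing to load an empty %s set\n' "$target" >&2
        rm -f -- "$stream"; return 1
    fi
    ipset destroy "${target}_tmp" 2>/dev/null || :   # leftover from an aborted run
    ipset restore < "$stream"; rc=$?
    rm -f -- "$stream"
    return "$rc"
}

main() {
    for cc in ru cn in iq jp kp kr id cf za co; do
        fetch_file "http://ipdeny.com/ipblocks/data/countries/$cc.zone" "$ZONE_DIR/$cc.zone" || :
    done
    fetch_file 'https://www.cloudflare.com/ips-v4' "$LIST_DIR/CF.list" || :
    reload_set drop "$ZONE_DIR"/*.zone || :
    reload_set allowHTTPS "$LIST_DIR/CF.list" || :
    reload_set allowSSH "$LIST_DIR/allowSSH.list" || :
    reload_set directHTTPS "$LIST_DIR/directHTTPS.list" || :
    ipset save > /etc/iptables/ipset.save
}

# Touch the live firewall only on an explicit --apply, so the functions can be
# sourced or tested without root.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as sh /etc/iptables/update.sh --apply from cron. The sets must already exist (the ipset create commands above), because ipset swap needs a live set of the same type to swap with; the zone files are still fetched over plain HTTP exactly as in the original, so the validation guards against malformed data, not against a tampered download.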

Iptables rules file. Mine is stored at /etc/iptables/rules.v4

# Generated by iptables-save v1.4.21 on Sat May 13 10:34:33 2017
*filter
:INPUT ACCEPT [59:5736]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:49826]

-A INPUT -m set --match-set drop src -j DROP
-A OUTPUT -m set --match-set drop dst -j DROP

#-A INPUT -m set --match-set google src -j DROP

# Accepts SSH from any source. While this line is present, the allowSSH rule
# further down never matches; remove it once allowSSH.list is populated.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
##-A OUTPUT -m state --state INVALID -j DROP

-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

-A INPUT -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove

-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
#### END DROP INVALID DATA 20180408 ####

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -m set --match-set allowHTTPS src -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m set --match-set directHTTPS src -p tcp -m tcp --dport 443 -j ACCEPT

# SSH
-A INPUT -m set --match-set allowSSH src -p tcp -m tcp --dport 22 -j ACCEPT

-A OUTPUT -j ACCEPT
-A FORWARD -j DROP
#-A INPUT -i eth0 -j DROP
-A INPUT -j DROP
COMMIT
# Completed on Sat May 13 10:34:33 2017
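A small lint for a rules file like the one above, added here as an example; it is not part of the original post. It reads an iptables-save file and reports ACCEPT rules that can never match because an earlier ACCEPT in the same chain already admits the same --dport from any source, which is exactly what the plain --dport 22 ACCEPT does to the allowSSH rule in this ruleset. Only the rule syntax used on this page is recognised, and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find ACCEPT rules in an
# iptables-save file that are shadowed by an earlier, unscoped ACCEPT for the
# same chain and --dport. Exit status 1 when at least one rule is shadowed.
set -u

# find_shadowed_accepts FILE: one report line per shadowed rule.
find_shadowed_accepts() {
    awk '
    /^-A / && / -j ACCEPT( |$)/ {
        chain = $2; port = ""; scoped = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            # any source or interface restriction makes the rule scoped
            if ($i == "-s" || $i == "--source" || $i == "-i" || $i == "--in-interface" || $i == "--match-set") scoped = 1
        }
        if (port == "") next
        key = chain ":" port
        # remember the first unscoped accept for this chain/port
        if (!scoped) { if (!(key in open)) open[key] = NR; next }
        if (key in open) {
            printf "line %d shadowed by line %d (%s port %s already accepted from any source): %s\n", NR, open[key], chain, port, $0
            found = 1
        }
    }
    END { exit found }' "$1"
}
```

Run find_shadowed_accepts /etc/iptables/rules.v4 before iptables-restore; it only parses the file, so it needs neither root nor the sets to exist. Rules without a --dport (the loopback, state and catch-all rules) are ignored on purpose, since ordering questions there are about policy rather than dead rules.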

There are numerous ways to restore iptables at boot, but this is how I do it. I add the lines below after the iface NIC inet static line

post-up ipset -exist restore < /etc/iptables/ipset.save
post-up iptables-restore < /etc/iptables/rules.v4

Now we want to load the iptables rules back in. We do that with the following

iptables-restore < /etc/iptables/rules.v4