My iptables script

[Bluscream]

02.09.2015: Translated Comments to english + Added LSBInitScript Comments + Added initial command to create and run the script
08.09.2015: Commented Whitelist line + Edited most ports to default ports.
08.09.2015: Added Supervisors script to easily black-/whitelist a IP.

sudo nano firewall.sh;sudo chmod 755 firewall.sh;sudo ./firewall.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides:  iptables
# Required-Start:  $local_fs $network
# Required-Stop:  $local_fs $network
# Default-Start:  2 3 4 5
# Default-Stop:  0 1 6
# Short-Description: Firewall Rules for iptables
# Description: EDIT THIS FILE TO YOUR NEEDS BEFORE EXECUTING
### END INIT INFO#!/bin/sh
aptitude install iptables iptables-persistent fail2ban
service fail2ban stop
iptables -F
iptables -X
#DENY
iptables -N DENY
iptables -A DENY -p tcp -m tcp -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with tcp-reset
iptables -A DENY -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with icmp-proto-unreachable
iptables -A DENY -p tcp ! --syn -m state --state NEW -j DROP
iptables -A DENY -f -j DROP
iptables -A DENY -p tcp --tcp-flags ALL ALL -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Limit Ping Flood" -j ACCEPT
#iptables -A DENY -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A DENY -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -m comment --comment "Anti-Portscan" -j ACCEPT
iptables -A DENY -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -m comment --comment "Anti-Portscan2" -j ACCEPT
#Drop unusual flags
iptables -A DENY -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A DENY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A DENY -m comment --comment "Ignore everything else" -j DROP
#BLOCKED
iptables -N BLOCKED
#ALLOWED
iptables -N ALLOWED
#iptables -A ALLOWED -s <YOUR IP HERE> -j ACCEPT ###EDIT AND UNCOMMENT THIS LINE!
#SERVICES
iptables -N SERVICES
iptables -A SERVICES -p tcp -m tcp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m multiport --dports 80,8080,443 -m comment --comment "Allow: Webserver" -j ACCEPT
iptables -A SERVICES -j RETURN
#TEAMSPEAK
iptables -N TEAMSPEAK
#iptables -A TEAMSPEAK -p tcp -m tcp --dport 2008 -m comment --comment "Allow: TeamSpeak Accounting" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 10011 -m comment --comment "Allow: TeamSpeak ServerQuery" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m multiport --dports 30033 -m comment --comment "Allow: TeamSpeak FileTransfer" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 41144 -m comment --comment "Allow: TeamSpeak TSDNS" -j ACCEPT
iptables -A TEAMSPEAK -p udp -m udp --dport 1:65535 -m comment --comment "Allow: TeamSpeak Voiceports" -j ACCEPT
iptables -A TEAMSPEAK -j RETURN
#INPUT
iptables -A INPUT -m comment --comment "Allow Whitelisted IP's" -j ALLOWED
iptables -A INPUT -m comment --comment "Block Blacklisted IP's" -j BLOCKED
iptables -A INPUT -i lo -m comment --comment "Allow: Loopback" -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow: Related and Established Connections" -j ACCEPT
iptables -A INPUT -m comment --comment "Allow Default Services" -j SERVICES
iptables -A INPUT -m comment --comment "Allow TeamSpeak Services" -j TEAMSPEAK
iptables -A INPUT -p icmp -m comment --comment "Allow: ICMP" -j ACCEPT
iptables -A INPUT -m comment --comment "Ignore everything else" -j DENY
iptables -P INPUT DROP
/etc/init.d/iptables-persistent save
service fail2ban start
clear
iptables -L

If you want to easily add or remove entries from the ALLOWED/BLOCKED chain, you can use the following script, created by @Supervisor:

sudo nano firewall;sudo chmod +x firewall

#!/bin/sh
case $1 in
block*) iptables -I BLOCKED -s ${2} -j DROP ;;
unblock*) iptables -D BLOCKED -s ${2} -j DROP ;;
allow*) iptables -I ALLOWED -s ${2} -j ACCEPT ;;
disallow*) iptables -D ALLOWED -s ${2} -j ACCEPT ;;
*) printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n" ;;
esac
exit 1

./firewall block IP
./firewall unblock IP
./firewall allow IP
./firewall disallow IP

P.S. I managed to setup iptables with this Tutorial [DE].

 

[hASVAN]

nice

 

[Sharc]

iptables -A ALLOWED -s 79.225.63.42 -j ACCEPT

its ip my VDS ?

 

[Bluscream]

its ip my VDS ?

No, this was my home IP some days ago. Just replace it with your IP so you don't lock out yourself if you break something with this iptables rules.

 

[Sharc]

help me pliz)

 

[Bluscream]

There is something wrong with yor VPS, i cannot help you with operating system related issues, please use Google.

 

[User_418]

Thanks a lot for these scripts! Everything is working fine.

 

[amsaal]

good script but waiting for automated thing as you said.

 

[Supervisor]

good script but waiting for automated thing as you said.

he never said he's gonna make an automated script for this..

 

[Bierkoenig]

help me pliz)

You've saved the script with DOS line ending. To fix this switch to the directory with the "firewall.sh" and run

sed -i 's/\r//' firewall.sh

 

[Supervisor]

I just merged all of the above to one script. I think thats easier to handle

1. nano firewall and chmod +x firewall

2. #!/bin/sh
   case $1 in
   block*)     iptables -I BLOCKED -s  ${2} -j DROP                 ;;
   unblock*)   iptables -D BLOCKED -s  ${2} -j DROP                 ;;
   allow*)     iptables -I ALLOWED -s  ${2} -j ACCEPT                 ;;
   disallow*)   iptables -D ALLOWED -s  ${2} -j ACCEPT                 ;;
   *)       printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n"     ;;
   esac
   exit 1

 

[Supervisor]

Thank you very much :3

You may put this into your top post if you want to, that way it's easier to find

 

[Bluscream]

You may put this into your top post if you want to, that way it's easier to find

Done ;3

 

[ag1da]

Supervisors script is not working anymore

https://gyazo.com/f0e58fcbfed82c201b7e94950394cb1f

 

[Supervisor]

Supervisors script is not working anymore

https://gyazo.com/f0e58fcbfed82c201b7e94950394cb1f

Maybe just read the error? lol

 

[Bluscream]

Supervisors script is not working anymore

https://gyazo.com/f0e58fcbfed82c201b7e94950394cb1f

Why do you try to insert a surreal IP adress into the chain?

 

[Qraktzyl]

I just want to understand something... Blocking port 2008 access means the license is valid and cannot check if its cracked, but if teamspeak can't access your port 2008 then they know you have a cracked version...?

 

[Supervisor]

nope. All it will do is drop the connection to port 2008.
Lets assume you would not have a cracked license and therefore no Accounting server... There would be no process listening to port 2008, thereby the connection would timeout just like it does timeout with the iptables.

 

[Qraktzyl]

There would be no process listening to port 2008, thereby the connection would timeout just like it does timeout with the iptables.

I am 100% sure you know this more than me, but there is something I don't get.

TeamSpeak server will listen on 2008 when having a legitimate ATHP license, which would be the reason the server shutdowns when there is no connection to port 2008 without the emulator. no?

 

[Supervisor]

Well, there is one more thing you have to know: The Accounting server happens to listen to port 2008, too!
So here is the overview:
TeamSpeak server:
outgoing connection port to Acc server: ?/2008
incoming connection port from Acc server: 2008
Accounting server:
outgoing connection port to teamspeak server: ? (not really important, I guess thats random for the official one, and it does not matter for the cracked one. If I'd have to guess: 2008 )
incoming connection port from TS server: 2008

The official way (AccServer and TSServer on different servers):
- TSServer(?/2008) calls AccServer(2008).
- AccServer checks license and sends back the answer
- AccServer(?/2008) sends and approve/deny message to the TSServer(2008)
-> incoming Port 2008 has to be open for the TSServer, but: the TSServer ignores all packages wich are not send from the AccServer !!!!
-> Port 2008 needs to be open for incoming and outgoing connections.

Cracked way (AccServer and TSServer on the same server):
- TSServer(?/2008) calls AccServer(2008).
- AccServer checks license and sends back the answer
- AccServer(?/2008) sends and approve/deny message to the TSServer(2008)
- now, the cracked AccServer is "stupid". It will send a DENY for all invalid requests (including those ones not even beeing a license request but a "normal" ping request)
-> incoming Port 2008 does need to be closed, otherwise you will get an answer from the AccServer.
-> Port 2008 only needs to be open withing the local network. Outgoing ~, and incoming connections are not required.

Having this said, it should be obvious that you should close Port 2008 for incoming connections when having a cracked server.
If not, ask me

/edit:
Now, lets say you ping to a server on port 2008, and it answers: simply analyse the message it sends back: is it an approve/deny answer? Yes? Well, there is an AccServer running on this server. So - the license is cracked with a very high posibillity (no need to run an AccServer with a valid license )