My iptables script

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
Changelog said:
02.09.2015: Translated Comments to english + Added LSBInitScript Comments + Added initial command to create and run the script
08.09.2015: Commented Whitelist line + Edited most ports to default ports.
08.09.2015: Added Supervisors script to easily black-/whitelist a IP.
Code:
sudo nano firewall.sh;sudo chmod 755 firewall.sh;sudo ./firewall.sh
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides:  iptables
# Required-Start:  $local_fs $network
# Required-Stop:  $local_fs $network
# Default-Start:  2 3 4 5
# Default-Stop:  0 1 6
# Short-Description: Firewall Rules for iptables
# Description: EDIT THIS FILE TO YOUR NEEDS BEFORE EXECUTING
### END INIT INFO#!/bin/sh
aptitude install iptables iptables-persistent fail2ban
service fail2ban stop
iptables -F
iptables -X
#DENY
iptables -N DENY
iptables -A DENY -p tcp -m tcp -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with tcp-reset
iptables -A DENY -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with icmp-proto-unreachable
iptables -A DENY -p tcp ! --syn -m state --state NEW -j DROP
iptables -A DENY -f -j DROP
iptables -A DENY -p tcp --tcp-flags ALL ALL -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Limit Ping Flood" -j ACCEPT
#iptables -A DENY -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A DENY -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -m comment --comment "Anti-Portscan" -j ACCEPT
iptables -A DENY -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -m comment --comment "Anti-Portscan2" -j ACCEPT
#Drop unusual flags
iptables -A DENY -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A DENY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A DENY -m comment --comment "Ignore everything else" -j DROP
#BLOCKED
iptables -N BLOCKED
#ALLOWED
iptables -N ALLOWED
#iptables -A ALLOWED -s <YOUR IP HERE> -j ACCEPT ###EDIT AND UNCOMMENT THIS LINE!
#SERVICES
iptables -N SERVICES
iptables -A SERVICES -p tcp -m tcp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m multiport --dports 80,8080,443 -m comment --comment "Allow: Webserver" -j ACCEPT
iptables -A SERVICES -j RETURN
#TEAMSPEAK
iptables -N TEAMSPEAK
#iptables -A TEAMSPEAK -p tcp -m tcp --dport 2008 -m comment --comment "Allow: TeamSpeak Accounting" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 10011 -m comment --comment "Allow: TeamSpeak ServerQuery" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m multiport --dports 30033 -m comment --comment "Allow: TeamSpeak FileTransfer" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 41144 -m comment --comment "Allow: TeamSpeak TSDNS" -j ACCEPT
iptables -A TEAMSPEAK -p udp -m udp --dport 1:65535 -m comment --comment "Allow: TeamSpeak Voiceports" -j ACCEPT
iptables -A TEAMSPEAK -j RETURN
#INPUT
iptables -A INPUT -m comment --comment "Allow Whitelisted IP's" -j ALLOWED
iptables -A INPUT -m comment --comment "Block Blacklisted IP's" -j BLOCKED
iptables -A INPUT -i lo -m comment --comment "Allow: Loopback" -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow: Related and Established Connections" -j ACCEPT
iptables -A INPUT -m comment --comment "Allow Default Services" -j SERVICES
iptables -A INPUT -m comment --comment "Allow TeamSpeak Services" -j TEAMSPEAK
iptables -A INPUT -p icmp -m comment --comment "Allow: ICMP" -j ACCEPT
iptables -A INPUT -m comment --comment "Ignore everything else" -j DENY
iptables -P INPUT DROP
/etc/init.d/iptables-persistent save
service fail2ban start
clear
iptables -L

If you want to easily add or remove entries from the ALLOWED/BLOCKED chain, you can use the following script, created by @Supervisor:
Code:
sudo nano firewall;sudo chmod +x firewall
Code:
#!/bin/sh
case $1 in
block*) iptables -I BLOCKED -s ${2} -j DROP ;;
unblock*) iptables -D BLOCKED -s ${2} -j DROP ;;
allow*) iptables -I ALLOWED -s ${2} -j ACCEPT ;;
disallow*) iptables -D ALLOWED -s ${2} -j ACCEPT ;;
*) printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n" ;;
esac
exit 1
Usage example said:
./firewall block IP
./firewall unblock IP
./firewall allow IP
./firewall disallow IP

P.S. I managed to setup iptables with this Tutorial [DE].
 
Last edited:

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
its ip my VDS ?

No, this was my home IP some days ago. Just replace it with your IP so you don't lock out yourself if you break something with this iptables rules.
 

Sharc

Member
Aug 25, 2015
70
9
43
help me pliz)

63b96ce39d.png

929e7e69b5.png
 

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
There is something wrong with yor VPS, i cannot help you with operating system related issues, please use Google.
 
U

User_418

Thanks a lot for these scripts! Everything is working fine.
 

Supervisor

Administrator
Apr 27, 2015
1,863
2,546
335
I just merged all of the above to one script. I think thats easier to handle :)
  1. nano firewall and chmod +x firewall
  2. Code:
    #!/bin/sh
    case $1 in
    block*)     iptables -I BLOCKED -s  ${2} -j DROP                 ;;
    unblock*)   iptables -D BLOCKED -s  ${2} -j DROP                 ;;
    allow*)     iptables -I ALLOWED -s  ${2} -j ACCEPT                 ;;
    disallow*)   iptables -D ALLOWED -s  ${2} -j ACCEPT                 ;;
    *)       printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n"     ;;
    esac
    exit 1
 

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
723
161
I just want to understand something... Blocking port 2008 access means the license is valid and cannot check if its cracked, but if teamspeak can't access your port 2008 then they know you have a cracked version...?
 

Supervisor

Administrator
Apr 27, 2015
1,863
2,546
335
nope. All it will do is drop the connection to port 2008.
Lets assume you would not have a cracked license and therefore no Accounting server... There would be no process listening to port 2008, thereby the connection would timeout just like it does timeout with the iptables.
 

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
723
161
There would be no process listening to port 2008, thereby the connection would timeout just like it does timeout with the iptables.
I am 100% sure you know this more than me, but there is something I don't get.

TeamSpeak server will listen on 2008 when having a legitimate ATHP license, which would be the reason the server shutdowns when there is no connection to port 2008 without the emulator. no?
 

Supervisor

Administrator
Apr 27, 2015
1,863
2,546
335
Well, there is one more thing you have to know: The Accounting server happens to listen to port 2008, too!
So here is the overview:
TeamSpeak server:
outgoing connection port to Acc server: ?/2008
incoming connection port from Acc server: 2008
Accounting server:
outgoing connection port to teamspeak server: ? (not really important, I guess thats random for the official one, and it does not matter for the cracked one. If I'd have to guess: 2008 :p)
incoming connection port from TS server: 2008

The official way (AccServer and TSServer on different servers):
- TSServer(?/2008) calls AccServer(2008).
- AccServer checks license and sends back the answer
- AccServer(?/2008) sends and approve/deny message to the TSServer(2008)
-> incoming Port 2008 has to be open for the TSServer, but: the TSServer ignores all packages wich are not send from the AccServer !!!!
-
> Port 2008 needs to be open for incoming and outgoing connections.

Cracked way (AccServer and TSServer on the same server):
- TSServer(?/2008) calls AccServer(2008).
- AccServer checks license and sends back the answer
- AccServer(?/2008) sends and approve/deny message to the TSServer(2008)
- now, the cracked AccServer is "stupid". It will send a DENY for all invalid requests (including those ones not even beeing a license request but a "normal" ping request)
-> incoming Port 2008 does need to be closed, otherwise you will get an answer from the AccServer.
-> Port 2008 only needs to be open withing the local network. Outgoing ~, and incoming connections are not required.

Having this said, it should be obvious that you should close Port 2008 for incoming connections when having a cracked server.
If not, ask me :p

/edit:
Now, lets say you ping to a server on port 2008, and it answers: simply analyse the message it sends back: is it an approve/deny answer? Yes? Well, there is an AccServer running on this server. So - the license is cracked with a very high posibillity :p (no need to run an AccServer with a valid license :p)
 
Last edited:
Top