Problems with Iptables

[Jonaxio]

Hi Guys,

today i have tryed to do a iptables firewall, but i faild and i don't know how i can solve my Problem. If my iptables script I can not open any other scripts from outside. It says that it can't resolve the host name.
Can anyone correct my script?

Thank you very much

Jonaxio

#!/bin/bash

IPTABLES="/sbin/iptables"

# Logging options.
#------------------------------------------------------------------------------
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting
#------------------------------------------------------------------------------
RLIMIT="-m limit --limit 3/s --limit-burst 30"

# Default policies.
#------------------------------------------------------------------------------
 
# Drop everything by default.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
 
# Set the nat/mangle/raw tables' chains to ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
 
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
 
# Cleanup.
#------------------------------------------------------------------------------
 
# Delete all
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
 
# Delete all
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
 
# Zero all packets and counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


# Custom user-defined chains.
#------------------------------------------------------------------------------
 
# LOG packets, then ACCEPT.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT
 
# LOG packets, then DROP.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP
 
# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT
 
# Only allows RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG
 
# Make It Even Harder To Multi-PING
$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPTABLES  -A OUTPUT -p icmp -j ACCEPT
 
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#------------------------------------------------------------------------------

# Allow all ESTABLISHED ICMP traffic.
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
 
# Allow some parts of the RELATED ICMP traffic, block the rest.
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
 
# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
 
# Allow outgoing ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
 
# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG
 
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------
 
# Allow loopback interface to do anything.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
 
# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow outgoing connections EXCEPT invalid
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Miscellaneous.
#------------------------------------------------------------------------------

# Explicitly drop invalid incoming traffic
$IPTABLES -A INPUT -m state --state INVALID -j DROP
 
# Drop invalid outgoing traffic, too.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
 
# If we would use NAT, INVALID packets would pass - BLOCK them anyways
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
 
# Selectively allow certain outbound connections, block the rest.
#------------------------------------------------------------------------------
 
# Erlaube ausgehende HTTP Anfragen.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
 
# Erlaube ausgehende HTTPS Anfragen.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
 
# Erlaube ausgehende POP3S Anfragen.
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
 
# Erlaube ausgehende SSH Anfragen.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 7805 -j ACCEPT

# Erlaube ausgehende FTP Anfragen.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

#Erlaube ausgehende Gameserver/TS3
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 9987 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 10011 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 30033 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT
# Erlaube ausgehende MySQL Anfragen.
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Selectively allow certain inbound connections, block the rest.
#------------------------------------------------------------------------------
 

# Erlaube eingehende HTTP Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
 
# Erlaube eingehende HTTPS Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
 
# Erlaube eingehende POP3 Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
 
# Erlaube eingehende IMAP4 Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
 
# Erlaube eingehende POP3S Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
 
# Erlaube eingehende SMTP Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
 
# Erlaube eingehende SSH Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 7805 -j ACCEPT
 
# Erlaube eingehende FTP Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

#Erlaube eigehende Gameserver/TS3
$IPTABLES -A INPUT -m state --state NEW -p udp --dport 9987 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 10011 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 30033 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT

# Explicitly log and reject everything else.
#------------------------------------------------------------------------------
# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A OUTPUT -j REJECT
$IPTABLES -A FORWARD -j REJECT


# ANTI-Spofing
#------------------------------------------------------------------------------

#block udp with a 0-byte payload
iptables -A INPUT -p udp -m u32 --u32 "22&0xFFFF=0x0008" -j DROP

#block all packets from ips ending in .255.255
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0xFFFF" -j DROP

#block common Camfrog-specific attacks
iptables -A INPUT -m u32 --u32 "28&0x00000FF0=0xFEDFFFFF" -j DROP

#block udp containing "farewall"
iptables -A INPUT -m string --algo bm --from 28 --to 29 --string "farewell" -j DROP

#block udp starting with alternating spaces
iptables -A INPUT -p udp -m u32 --u32 "28 & 0x00FF00FF = 0x00200020 && 32 & 0x00FF00FF = 0x00200020 && 36 & 0x00FF00FF = 0x00200020 && 40 & 0x00FF00FF = 0x00200020" -j DROP

#block tcp ack 0 of length 40
iptables -I INPUT -p tcp -m tcp -m string --hex-string "|000000005010|" --algo kmp --from 28 --to 29 -m length --length 40 -j DROP

#block udp containing "SAMP"
iptables -I INPUT -p udp -m udp -m string --hex-string "|53414d50|" --algo kmp --from 28 --to 29 -j DROP

#block udp starting with "std" and 00s
iptables -I INPUT -p udp -m udp -m string --hex-string "|7374640000000000|" --algo kmp --from 28 --to 29 -j DROP

#block udp containing 16 null (00) chars
iptables -I INPUT -p udp -m udp -m string --hex-string "|00000000000000000000000000000000|" --algo kmp --from 32 --to 33 -j DROP

#block udp containing "AAAAAAAAAAAAAAAA"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 32 --to 33 --string "AAAAAAAAAAAAAAAA" -j DROP

#block udp containing "0123456789ABCDE"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "0123456789ABCDE" -j DROP

#block all packets from ips ending in .0.0
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0" -j DROP

#block Source Split Packets
iptables -A INPUT -p udp -m u32 --u32 "26&0xFFFFFFFF=0xfeff" -j DROP

#block udp containing "0123456789"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 44 --to 45 --string "0123456789" -j DROP

#block udp containing "a cat is fine too"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "A cat is fine too" -j DROP

#block udp containing "flood"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "flood" -j DROP

#block udp containing "q00000000000000"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "q00000000000000" -j DROP

#block udp containing "statusResponse"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "statusResponse" -j DROP

#block icmp
iptables -A INPUT -p icmp -j DROP

#block udp methode "NTP"
iptables -A INPUT -i lo -p udp --destination-port 123 -j DROP
iptables -A INPUT -p udp --source-port 123:123 -m state --state ESTABLISHED -j DROP

#block udp methode "CODE"
iptables -I INPUT -p udp -m udp -m string --hex-string "|ffffffff6765746368616c6c656e676520302022|" --algo kmp -j DROP

#block udp methode "SSDP"
iptables -I INPUT -p udp --dport 16000:29000 -m string --to 75 --algo bm --string 'HTTP/1.1 200 OK' -j DROP

#block protocols other than tcp, udp, and icmp [block all traffic]
iptables -A INPUT -p udp -m u32 --u32 "6&0xFF=0,2:5,7:16,18:255" -j DROP


# ANTI-Spofing UDP
#------------------------------------------------------------------------------


ipset create r4p3_udp_spoofing hash:ip hashsize 16777216 maxelem 40000000 timeout 120
iptables -N R4P3 -t raw
iptables -A PREROUTING -p udp -m set ! --match-set r4p3_udp_spoofing src -t raw -j R4P3
iptables -A R4P3 -t raw -j SET --add-set r4p3_udp_spoofing src
iptables -A R4P3 -t raw -j DROP




exit 0

 

[User_38581]

Hi Guys,

today i have tryed to do a iptables firewall, but i faild and i don't know how i can solve my Problem. If my iptables script I can not open any other scripts from outside. It says that it can't resolve the host name.
Can anyone correct my script?

Thank you very much

Jonaxio

#!/bin/bash

IPTABLES="/sbin/iptables"

# Logging options.
#------------------------------------------------------------------------------
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting
#------------------------------------------------------------------------------
RLIMIT="-m limit --limit 3/s --limit-burst 30"

# Default policies.
#------------------------------------------------------------------------------

# Drop everything by default.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Cleanup.
#------------------------------------------------------------------------------

# Delete all
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packets and counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


# Custom user-defined chains.
#------------------------------------------------------------------------------

# LOG packets, then ACCEPT.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT

# Only allows RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG

# Make It Even Harder To Multi-PING
$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPTABLES  -A OUTPUT -p icmp -j ACCEPT

# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#------------------------------------------------------------------------------

# Allow all ESTABLISHED ICMP traffic.
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT

# Allow some parts of the RELATED ICMP traffic, block the rest.
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT

# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Allow outgoing ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG

# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------

# Allow loopback interface to do anything.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections EXCEPT invalid
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Miscellaneous.
#------------------------------------------------------------------------------

# Explicitly drop invalid incoming traffic
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# If we would use NAT, INVALID packets would pass - BLOCK them anyways
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Selectively allow certain outbound connections, block the rest.
#------------------------------------------------------------------------------

# Erlaube ausgehende HTTP Anfragen.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Erlaube ausgehende HTTPS Anfragen.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Erlaube ausgehende POP3S Anfragen.
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Erlaube ausgehende SSH Anfragen.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 7805 -j ACCEPT

# Erlaube ausgehende FTP Anfragen.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

#Erlaube ausgehende Gameserver/TS3
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 9987 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 10011 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 30033 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT
# Erlaube ausgehende MySQL Anfragen.
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Selectively allow certain inbound connections, block the rest.
#------------------------------------------------------------------------------


# Erlaube eingehende HTTP Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Erlaube eingehende HTTPS Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Erlaube eingehende POP3 Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Erlaube eingehende IMAP4 Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

# Erlaube eingehende POP3S Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Erlaube eingehende SMTP Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Erlaube eingehende SSH Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 7805 -j ACCEPT

# Erlaube eingehende FTP Anfragen.
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

#Erlaube eigehende Gameserver/TS3
$IPTABLES -A INPUT -m state --state NEW -p udp --dport 9987 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 10011 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 30033 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT

# Explicitly log and reject everything else.
#------------------------------------------------------------------------------
# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A OUTPUT -j REJECT
$IPTABLES -A FORWARD -j REJECT


# ANTI-Spofing
#------------------------------------------------------------------------------

#block udp with a 0-byte payload
iptables -A INPUT -p udp -m u32 --u32 "22&0xFFFF=0x0008" -j DROP

#block all packets from ips ending in .255.255
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0xFFFF" -j DROP

#block common Camfrog-specific attacks
iptables -A INPUT -m u32 --u32 "28&0x00000FF0=0xFEDFFFFF" -j DROP

#block udp containing "farewall"
iptables -A INPUT -m string --algo bm --from 28 --to 29 --string "farewell" -j DROP

#block udp starting with alternating spaces
iptables -A INPUT -p udp -m u32 --u32 "28 & 0x00FF00FF = 0x00200020 && 32 & 0x00FF00FF = 0x00200020 && 36 & 0x00FF00FF = 0x00200020 && 40 & 0x00FF00FF = 0x00200020" -j DROP

#block tcp ack 0 of length 40
iptables -I INPUT -p tcp -m tcp -m string --hex-string "|000000005010|" --algo kmp --from 28 --to 29 -m length --length 40 -j DROP

#block udp containing "SAMP"
iptables -I INPUT -p udp -m udp -m string --hex-string "|53414d50|" --algo kmp --from 28 --to 29 -j DROP

#block udp starting with "std" and 00s
iptables -I INPUT -p udp -m udp -m string --hex-string "|7374640000000000|" --algo kmp --from 28 --to 29 -j DROP

#block udp containing 16 null (00) chars
iptables -I INPUT -p udp -m udp -m string --hex-string "|00000000000000000000000000000000|" --algo kmp --from 32 --to 33 -j DROP

#block udp containing "AAAAAAAAAAAAAAAA"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 32 --to 33 --string "AAAAAAAAAAAAAAAA" -j DROP

#block udp containing "0123456789ABCDE"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "0123456789ABCDE" -j DROP

#block all packets from ips ending in .0.0
iptables -A INPUT -m u32 --u32 "12&0xFFFF=0" -j DROP

#block Source Split Packets
iptables -A INPUT -p udp -m u32 --u32 "26&0xFFFFFFFF=0xfeff" -j DROP

#block udp containing "0123456789"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 44 --to 45 --string "0123456789" -j DROP

#block udp containing "a cat is fine too"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "A cat is fine too" -j DROP

#block udp containing "flood"
iptables -A INPUT -p udp -m udp -m string --algo bm --from 28 --to 29 --string "flood" -j DROP

#block udp containing "q00000000000000"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "q00000000000000" -j DROP

#block udp containing "statusResponse"
iptables -A INPUT -m string --algo bm --from 32 --to 33 --string "statusResponse" -j DROP

#block icmp
iptables -A INPUT -p icmp -j DROP

#block udp methode "NTP"
iptables -A INPUT -i lo -p udp --destination-port 123 -j DROP
iptables -A INPUT -p udp --source-port 123:123 -m state --state ESTABLISHED -j DROP

#block udp methode "CODE"
iptables -I INPUT -p udp -m udp -m string --hex-string "|ffffffff6765746368616c6c656e676520302022|" --algo kmp -j DROP

#block udp methode "SSDP"
iptables -I INPUT -p udp --dport 16000:29000 -m string --to 75 --algo bm --string 'HTTP/1.1 200 OK' -j DROP

#block protocols other than tcp, udp, and icmp [block all traffic]
iptables -A INPUT -p udp -m u32 --u32 "6&0xFF=0,2:5,7:16,18:255" -j DROP


# ANTI-Spofing UDP
#------------------------------------------------------------------------------


ipset create r4p3_udp_spoofing hash:ip hashsize 16777216 maxelem 40000000 timeout 120
iptables -N R4P3 -t raw
iptables -A PREROUTING -p udp -m set ! --match-set r4p3_udp_spoofing src -t raw -j R4P3
iptables -A R4P3 -t raw -j SET --add-set r4p3_udp_spoofing src
iptables -A R4P3 -t raw -j DROP




exit 0

May I know what do you want to run on vps? teamspeak or what?

 

[Jonaxio]

teamspeak, minecraft and scripts. The only problem is that my scripts are not working

 

[User_38581]

which scripts?

 

[Jonaxio]

Scripts like. Sinusbot Multiscripts, Ts3 Audio Bot Scripts

 

[User_38581]

Sinusbot uses 8087 port did you allow that port?

 

[Jonaxio]

yes... all is working, but not my scripts...

 

[User_38581]

port 53?

 

[Jonaxio]

Not working

 

[VoiXCode]

You are dropping all output

 

[Asphyxia]

You are dropping all output

It would be REALLY cool to have a throwaway iptables/nmap Docker container that does stuff between 2 Docker instances. For example, Docker1 spins up saying block port 22, Docker2 scans Docker1 and says "Port 22 came back closed." etc.. like pretty much a firewall config validator tool.

How do you feel about this idea VoiXCode? For the user, they'd just copy/paste iptables rules and see the Nmap scan. Perhaps could even use JavaScript to highlight rules and explain "You are blocking all traffic with this rule." X__0 would be some work, but many people suck at iptables so I wonder if this would be nice.. because some people need more help than just a basic iptables generator??