-
Notifications
You must be signed in to change notification settings - Fork 0
/
rules
100 lines (76 loc) · 4.32 KB
/
rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/bin/sh
# Rules by Gaetan, enjoy.
# Version: 1.3
#/!\
# - We are not responsible if your provider does not accept these rules.
# - These rules are a plus, you must have a network antiddos.
# - Please modify the "Whitelist your own port" before activating the rules on your server.
#/!\
# Variables
IPTABLES="sudo iptables" # The location of iptables
MINECRAFT_PORT="25565" # The port of your minecraft server
burstconns=40 # Limit new connections per second. This is highly useful when
# somebody starts an attack because it basically makes his attack
# literally have no visual effect.
#
# Don't rely solely on this as this doesn't really fix the issue,
# just get rid of suspicious IP's.
burstconnstimestamp=3 # Limit new connections per second if the connection has a timestamp.
# This is highly useful when somebody starts an attack because it
# drop the handshake of old linux and very old windows users
# (~80% of the connections are not legit)
#------------------------------------------------------------------------------------------
# Reset all rules.
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t raw -F
$IPTABLES -t raw -X
echo "The rules were reset."
# Allow all trafic.
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
echo "All traffic was allowed."
$IPTABLES -N DOCKER
$IPTABLES -F DOCKER
# Here we will enable the logic of the TCP 3 way handshake and drop all if its not 3w handshake.
$IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -p tcp ! --tcp-flags ALL SYN -j DROP
echo "Enabling logic of 3 way handshake."
# Here we will drop all invalid packets
$IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
echo "Drop all invalid packets."
# Whitelist your own port.
# This can be useful if you have plugins with license.
# Here are several examples of ports for a Minecraft server.
#If you use BungeeCord/Velocity, follow this to block BungeeCord exploit.
#https://www.spigotmc.org/wiki/firewall-guide/
# Whitelist mysql port.
# $IPTABLES -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT #Enable 3306 on 127.0.0.1.
# $IPTABLES -A INPUT -p tcp --dport 3306 -s 1.1.1.1 -j ACCEPT #Enable 3306 on 1.1.1.1.
# $IPTABLES -A INPUT -p tcp --dport 3306 -j DROP #Block all IP to 3306 if its not 127.0.0.1 or 1.1.1.1.
# echo "Whitelist MySQL port."
#------------------------------------------------------------------------------------------
# LIMITATION rules
# Llimitation for $MINECRAFT_PORT to prevent bot attack.
$IPTABLES -A INPUT -p tcp --dport $MINECRAFT_PORT --syn -m limit --limit $burstconns/s -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $MINECRAFT_PORT --syn -j DROP
echo "Applying basic limitation for default minecraft port."
# Limitation to prevent ssh bruteforce.
$IPTABLES -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
$IPTABLES -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
echo "Applying limitation to prevent ssh bruteforce."
#------------------------------------------------------------------------------------------
#EXPERIMENTAL rules
# /!\ Don't use it with TCPShield, HAProxy (or alternatives..) /!\
# /!\ DROP All packages with the timetamp activated on $MINECRAFT_PORT if it exceeds 3 per second.
$IPTABLES -t mangle -A PREROUTING -p tcp --dport $MINECRAFT_PORT -m tcp --syn --tcp-option 8 -m limit --limit $burstconnstimestamp/s -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -p tcp --dport $MINECRAFT_PORT -m tcp --syn --tcp-option 8 -j DROP
echo "Drop all packets with timestamp on the default minecraft port if it exceeds 3 per sec."
# /!\ Limit connections per second per ip
$IPTABLES -t mangle -A PREROUTING -p tcp --dport $MINECRAFT_PORT -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
$IPTABLES -t mangle -A PREROUTING -p tcp --dport $MINECRAFT_PORT -m state --state NEW -m recent --update --seconds 3 --hitcount 20 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
echo "Limit connections per second per ip."
echo "Firewall applied successfully."