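#!/bin/bash
# Firewall for Red Hat Enterprise Linux Virtuozzo VPS
# It is a simple firewall but an effective one on a RHEL Virtuozzo VPS :)
# ---------------------------------------------------------
# 1) DO NOT FORGET TO SET UP THE CORRECT IPS first
# 2) touch /root/allbadips.txt; echo "192.168.0.10" > /root/allbadips.txt
# 3) To load/start the firewall from this script:
#    chmod +x virtuozzo-iptables-firewall-script.bash
#    ./virtuozzo-iptables-firewall-script.bash
# -----------------------------------------------------
# Last updated : Aug - 08 - 2005
# -----------------------------------------------------
# Copyright (C) 2004,2005 nixCraft <http://cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# For more info, please visit:
# https://www.cyberciti.biz/nixcraft/vivek/blogger/2004/12/virtuozzo-iptables-firewall.html
#-----------------------------------------------------
# ip = can be set up once - Aug-2005.
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
#
# Design notes:
#  * This VPS kernel offers no connection tracking, so every rule below is
#    stateless: each service needs an explicit INPUT rule and a matching
#    OUTPUT rule keyed on port ranges, not on connection state.
#  * Default policy is DROP on all three chains; anything not explicitly
#    accepted below never gets through. The final two rules are redundant
#    with the policy and exist only to make that intent visible.
#  * Must run as root. Between "-P INPUT DROP" and the SSH ACCEPT rules an
#    existing SSH session stalls; it should resume once those rules load.

# BAD IPS FILE: every address in this file is dropped in both directions.
# Lines starting with "#" are comments; one address (or CIDR) per line.
BADIPS="$(grep -v -E '^#' -- /root/allbadips.txt)"

# Setup your IPS here: all addresses assigned to this VPS, space separated.
# Incoming packets that claim one of these as source are spoofed -> dropped.
myIPS="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"

# Setup VPS main IP here. Every ACCEPT rule below is pinned to this address.
# NOTE: no loop in this script may reuse the name "ip". An earlier version
# used "for ip in $BADIPS", which left $ip holding the LAST bad address, so
# every service rule below was installed for the wrong host and the admin
# was locked out.
ip="xxx.xxx.xxx.xxx"

# Start from a clean filter table: flush all rules, delete user chains.
# ("iptables stop" is not a valid iptables invocation; the RHEL init-script
# form is "service iptables stop", but an explicit flush works anywhere.)
iptables -F
iptables -X

# Setting default filter policy DROP ALL :D
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow unlimited traffic on both lo and venet0 (loopback address only)
iptables -A INPUT -i venet0 -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o venet0 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# Block all those IPs (loop variable deliberately NOT named "ip", see above)
for badip in $BADIPS; do
  iptables -A INPUT -s "$badip" -j DROP
  iptables -A OUTPUT -d "$badip" -j DROP
done

# Stop SYN flood: new connections above 1/s (burst of 3) are dropped.
# "-j RETURN" hands a conforming packet back to the INPUT chain so matching
# continues there; it does not send anything to the packet's source.
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP

# Spoofing and bad addresses
# Bad incoming source ip address, i.e. the server's own IPs: drop them here
# (must come AFTER the lo/venet0 loopback ACCEPTs above).
for myip in $myIPS; do
  iptables -A INPUT -s "$myip" -j DROP
done
# Drop all incoming fragments
iptables -A INPUT -f -j DROP
# Drop all incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop all incoming malformed NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Bad incoming source ip addresses: "this" net, loopback, RFC1918 private
# ranges and multicast/reserved (224.0.0.0/3) must never arrive from outside
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP

# Open Port 80, no stateful fw as VPS doesn't support it :(
# (clients are assumed to use unprivileged source ports, 1024 and up)
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$ip" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT

# Open Port 443
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$ip" --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT

# Open Port 25 (incoming mail)
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$ip" --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT

# Open port 22 for all (SSH clients may use source ports from 513 up)
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d "$ip" --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 22 -d 0/0 --dport 513:65535 -j ACCEPT

# Outgoing DNS, only to the ISP's resolvers (NS1 NS2 of ISP)
NSIP="ns1_IP ns2_IP"
for mip in $NSIP; do
  # udp first
  iptables -A OUTPUT -p udp -s "$ip" --sport 1024:65535 -d "$mip" --dport 53 -j ACCEPT
  iptables -A INPUT -p udp -s "$mip" --sport 53 -d "$ip" --dport 1024:65535 -j ACCEPT
  # tcp next (used for large answers)
  iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d "$mip" --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp -s "$mip" --sport 53 -d "$ip" --dport 1024:65535 -j ACCEPT
done

# outgoing ICMP (and all incoming ICMP to this host, e.g. ping and errors)
iptables -A OUTPUT -p icmp -s "$ip" -d 0/0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -d "$ip" -j ACCEPT

# outgoing traceroute (UDP probes to the traditional port range)
iptables -A OUTPUT -p udp -s "$ip" --sport 1024:65535 -d 0/0 --dport 33434:33523 -j ACCEPT

# outgoing SMTP
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d "$ip" --dport 1024:65535 -j ACCEPT

# outgoing FTP: control channel
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 21 -d "$ip" --dport 1024:65535 -j ACCEPT
# outgoing FTP: passive data channel. CAVEAT: without connection tracking
# this pair accepts ANY tcp traffic between unprivileged ports in both
# directions, so every service listening above 1023 on the VPS becomes
# reachable from anywhere. Remove these two rules if outgoing FTP is not
# needed.
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$ip" --dport 1024:65535 -j ACCEPT

# outgoing SSH
iptables -A OUTPUT -p tcp -s "$ip" --sport 513:65535 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 22 -d "$ip" --dport 513:65535 -j ACCEPT

# outgoing http and https
# for up2date and other stuff
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 80 -d "$ip" --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 443 -d "$ip" --dport 1024:65535 -j ACCEPT

# Okay, drop everything from here :D (explicit, same as the chain policy)
iptables -A INPUT -s 0/0 -j DROP
iptables -A OUTPUT -d 0/0 -j DROP
# EOF SFW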
# iptables -A flood -m limit -limit 1/s -limit-burst 3 -j RETURN
iptables v1.4.3.1: option `limit’ requires an argument
Try `iptables -h’ or ‘iptables –help’ for more information.
hi after doing this without the script
i get the error can you help Boris .
I’m new to iptables, thanks.
Can you please make a decent shell script where you don’t get logged out, one that drops and denies access to ONLY the bad IPs? How hard is that? Because what this script does is log me out – the server admin :(
Thank you, nice script. This script has helped me a lot.
Nice, I’d just suggest one thing:
iptables -A flood -m limit –limit 1/s –limit-burst 3 -j RETURN
If the IP address of the source of attack is spoofed, this rule will return the packets to the spoofed IP, so technically it will hit the innocent victim back – saw this happen, those type of attacks are often performed, so it would be better to DROP those packets.