From 22c3c138ec3ed70439ecf68193b3ecf93d4636a7 Mon Sep 17 00:00:00 2001
From: bisco
Date: Mon, 4 Mar 2019 22:59:39 +0100
Subject: [PATCH] template_iptables.sh: added rules to block countries netblocks via ipset

---
 template_iptables.sh | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/template_iptables.sh b/template_iptables.sh
index 9ac4662..0ec1360 100644
--- a/template_iptables.sh
+++ b/template_iptables.sh
@@ -22,20 +22,33 @@ check_error()
 trap check_error EXIT
 
 # Flush rules and set default rules
-$IPT -F
-$IPT -P INPUT DROP
-$IPT -P FORWARD DROP
-$IPT -P OUTPUT ACCEPT
+${IPT} -F
+${IPT} -P INPUT DROP
+${IPT} -P FORWARD DROP
+${IPT} -P OUTPUT ACCEPT
 
 # Set host sepcific rules
 ### Accept all data from "lo" interface
-$IPT -A INPUT -i lo -j ACCEPT
+${IPT} -A INPUT -i lo -j ACCEPT
 ### Accept all connections after the three-way handshake
-$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+${IPT} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+### Block country zones
+if [ "${IPSET}" == "" ]; then
+  echo "No ipset command found. Skipping"
+else
+  for chain in $(${IPSET} list -name);
+  do if [ "${chain}" == "" ]; then
+    echo "No ipset chain found. Skipping"
+  else
+    ${IPT} -A INPUT -p tcp -m set --match-set ${chain} src -j DROP;
+  fi
+  done
+fi
 
 ### Services rules
 ##### Allow connections to the server main ip for SSH, MOSH and psyBNC
 ##### Use multiports extension to set more ports in a oneline rule
-$IPT -A INPUT -p tcp -d $MAINIP -m multiport --dports $DPORTSIN -j ACCEPT
-$IPT -A INPUT -p udp -d $MAINIP -m multiport --dports $MOSHIN -j ACCEPT
+${IPT} -A INPUT -p tcp -d ${MAINIP} -m multiport --dports ${DPORTSIN} -j ACCEPT
+${IPT} -A INPUT -p udp -d ${MAINIP} -m multiport --dports ${MOSHIN} -j ACCEPT
 
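Review bot: The DROP rule added inside the `for chain` loop is restricted to `-p tcp`, so UDP and ICMP traffic from the matched netblocks is not blocked and, for example, still reaches the UDP `${MOSHIN}` accept rule a few lines further down; matching on the set alone, `${IPT} -A INPUT -m set --match-set "${chain}" src -j DROP`, blocks the netblock regardless of protocol. The loop also applies the DROP to every set that `${IPSET} list -name` returns, not only the country zones named in the comment, so any other set present on the host (an allow-list, for instance) would silently be turned into a block-list; restricting the loop to a name pattern or an explicit list of set names seems safer. The `[ "${chain}" == "" ]` test inside the loop is unreachable, because a `for` over an empty command substitution runs no iterations; if the "No ipset chain found" message is wanted, capture the output first with `sets=$(${IPSET} list -name)` and test `[ -z "${sets}" ]` before looping. Note that `==` inside `[ ]` is a bash extension; `-z "${IPSET}"` is the portable form.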