bisco/iptables-scripts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

template_iptables.sh: added rules to block countries netblocks via ipset

Browse Source
This commit is contained in:
bisco
2019-03-04 22:59:39 +01:00
parent 91e840746a
commit 22c3c138ec
1 changed files with 21 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
template_iptables.sh
View File

@ -22,20 +22,33 @@ check_error()
trap check_error EXIT trap check_error EXIT
# Flush rules and set default rules # Flush rules and set default rules
$IPT -F ${IPT} -F
$IPT -P INPUT DROP ${IPT} -P INPUT DROP
$IPT -P FORWARD DROP ${IPT} -P FORWARD DROP
$IPT -P OUTPUT ACCEPT ${IPT} -P OUTPUT ACCEPT
# Set host sepcific rules # Set host sepcific rules
### Accept all data from "lo" interface ### Accept all data from "lo" interface
$IPT -A INPUT -i lo -j ACCEPT ${IPT} -A INPUT -i lo -j ACCEPT
### Accept all connections after the three-way handshake ### Accept all connections after the three-way handshake
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ${IPT} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### Block country zones
if [ "${IPSET}" == "" ]; then
echo "No ipset command found. Skipping"
else
for chain in $(${IPSET} list -name);
do if [ "${chain}" == "" ]; then
echo "No ipset chain found. Skipping"
else
${IPT} -A INPUT -p tcp -m set --match-set ${chain} src -j DROP;
fi
done
fi
### Services rules ### Services rules
##### Allow connections to the server main ip for SSH, MOSH and psyBNC ##### Allow connections to the server main ip for SSH, MOSH and psyBNC
##### Use multiports extension to set more ports in a oneline rule ##### Use multiports extension to set more ports in a oneline rule
$IPT -A INPUT -p tcp -d $MAINIP -m multiport --dports $DPORTSIN -j ACCEPT ${IPT} -A INPUT -p tcp -d ${MAINIP} -m multiport --dports ${DPORTSIN} -j ACCEPT
$IPT -A INPUT -p udp -d $MAINIP -m multiport --dports $MOSHIN -j ACCEPT ${IPT} -A INPUT -p udp -d ${MAINIP} -m multiport --dports ${MOSHIN} -j ACCEPT