author | Sven Göthel <[email protected]> | 2024-06-02 19:57:07 +0200 |
---|---|---|
committer | Sven Göthel <[email protected]> | 2024-06-02 19:57:07 +0200 |
commit | 9bba8ba2f3b21732509823eaf4c0fada4df04e1a (patch) | |
tree | b9e86e8722417e497794ecc239e3ea3d9fde0928 | |
parent | 5fbe2a89d94e564d44b58574d6f724561f600e5b (diff) |
server firewall: Add 'badbots_ipaddr.txt' to REJECT misbehaving bots (heuristics, 2 specific alibaba machines)
-rw-r--r-- | server/setup/02-firewall/etc/iptables/badbots_ipaddr.txt | 2 | ||||
-rwxr-xr-x | server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure | 31 |
2 files changed, 22 insertions, 11 deletions
diff --git a/server/setup/02-firewall/etc/iptables/badbots_ipaddr.txt b/server/setup/02-firewall/etc/iptables/badbots_ipaddr.txt
new file mode 100644
index 0000000..bfd9d3d
--- /dev/null
+++ b/server/setup/02-firewall/etc/iptables/badbots_ipaddr.txt
@@ -0,0 +1,2 @@
+47.76.209.138 # Alibaba Cloud HK
+47.76.99.127 # Alibaba Cloud HK
diff --git a/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure b/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure
index 7416a8d..f6b1ad1 100755
--- a/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure
+++ b/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure
@@ -18,15 +18,16 @@ IP_EXTERN_GW=$( /sbin/ip -o -f inet route show dev $ETH_EXTERN | grep default |
 IPTABLES=/sbin/iptables
-if [ "$action" != "start" -a "$action" != "stop" ] ; then
- echo usage $0 \( start \| stop \)
+if [ "$action" != "start" -a "$action" != "stop" -a "$action" != "restart" ] ; then
+ echo usage $0 \( start \| stop \| restart \)
 echo
- echo $0 start
- echo $0 stop
- exit 1
-fi
-if [ "$action" = "stop" ] ; then
+elif [ "$action" = "restart" ] ; then
+ $0 stop
+ $0 start
+
+elif [ "$action" = "stop" ] ; then
+ echo "IPTABLES rules down"
 $IPTABLES -F acl_external_input
@@ -48,10 +49,8 @@ if [ "$action" = "stop" ] ; then
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -P FORWARD ACCEPT
- exit 0
-fi
+elif [ "$action" = "start" ] ; then
-if [ "$action" = "start" ] ; then
 echo "IPTABLES rules up"
 # Anti-spoofing
@@ -161,6 +160,11 @@ if [ "$action" = "start" ] ; then
 # acl_extern_ #
+ ipaddr_file=$(dirname $0)/badbots_ipaddr.txt
+ for ipaddr in `awk -e ' { i=index($1,"#"); if ( 0 == i ) { print $1; } } ' $ipaddr_file` ; do
+ $IPTABLES -p all -A acl_external_input -s $ipaddr -j RETURN
+ done
+ #
 # Allow fragments (second etc. parts of a huge packet ..)
 # Allow icmp notification: 3/4 destination-unreachable/fragmentation-needed
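Review bot: The usage arm no longer terminates the script: `exit 1` and the closing `fi` were removed when the branch became the head of an if/elif chain, and nothing on the new side replaces them, so an unrecognised action now prints the usage text and continues past the chain, presumably exiting 0 where it used to exit 1. Restore the exit after the usage echo and send the message to stderr, e.g. `echo "usage: $0 ( start | stop | restart )" >&2` followed by `exit 1`. The `restart` arm also runs `$0 start` even when `$0 stop` failed; `$0 stop && $0 start` keeps a failed teardown from being masked by a successful bring-up. The chain's closing `fi` lies outside this hunk.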
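Review bot: The bad-bot loop fails silently when `awk -e` is not supported or `badbots_ipaddr.txt` is unreadable: `-e` is a GNU awk option that mawk and busybox awk reject, the awk error goes to stderr while the backtick substitution yields nothing, and the loop then installs zero rules, so the firewall comes up without the blocklist and nobody is told. Drop `-e`, check the file is readable before the loop, quote `$ipaddr_file` and `$ipaddr`, and read the file with `while read -r` instead of word-splitting a backtick expansion (rewritten lines below; blank and `#` lines are skipped as before). The rule also jumps `RETURN` rather than `REJECT` as the commit title says; whether a listed source is actually rejected depends on what the calling chain does after `acl_external_input` returns, which is outside the hunk, so a comment stating that intent would help, e.g. `# a listed source leaves acl_external_input here and never reaches the rules below`. The enclosing `elif [ "$action" = "start" ]` arm starts and ends outside the hunk.
```shell
    ipaddr_file=$(dirname "$0")/badbots_ipaddr.txt
    # One address per line, '#' starts a comment.  A listed source leaves
    # acl_external_input here (RETURN) and never reaches the rules below.
    if [ -r "$ipaddr_file" ] ; then
        while read -r ipaddr _ ; do
            ipaddr=${ipaddr%%#*}
            [ -n "$ipaddr" ] || continue
            $IPTABLES -p all -A acl_external_input -s "$ipaddr" -j RETURN
        done < "$ipaddr_file"
    else
        echo "$0: WARNING: $ipaddr_file not readable, no bad-bot rules installed" >&2
    fi
    # … unchanged: fragment / icmp rules …
```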
@@ -280,7 +284,7 @@ if [ "$action" = "start" ] ; then # $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport mdns -s $IP_EXTERN_SELF -j ACCEPT # $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:tftp -s $IP_EXTERN_GW -j ACCEPT # - $IPTABLES -p tcp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:69 -s $IP_EXTERN_GW -j ACCEPT # + $IPTABLES -p tcp -A acl_srv_connect -i $ETH_EXTERN --dport 67:69 -s $IP_EXTERN_GW -j ACCEPT # # DNS #
@@ -291,6 +295,11 @@ if [ "$action" = "start" ] ; then
 # $IPTABLES -p tcp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT
 # $IPTABLES -p udp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT
+ # iperf
+ #
+ #$IPTABLES -p tcp -A acl_srv_connect --dport 5001 -j ACCEPT
+ #$IPTABLES -p udp -A acl_srv_connect --dport 5001 -j ACCEPT
+ #
 # acl_srv_connect Allow * to answer,
 # only for known connections - no new unknown ones ! |
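Review bot: The rewritten rule keeps `-p tcp` and only respells the port range as `67:69`; bootps, bootpc and tftp (67–69) are UDP services, so if the intent is to let `$IP_EXTERN_GW` reach DHCP/TFTP on this host, the protocol rather than the port spelling may be what needs changing — confirm against the traffic actually seen. If tcp is deliberate, a short comment saying why would spare the next reader the same question, e.g. `# tcp on purpose: <reason>`. The `-p udp ... --dport bootps:tftp` line just above it appears to be commented out, which makes the tcp rule look like a leftover. The enclosing start arm lies outside the hunk.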