Evo i iptables skripta koju sam napravio ako nekad nekom zatreba. Pristup ssh portu je moguc samo sa uredjaja koji je wg klijent ili sa definisane ip adrese; od portova na VPS-u spolja je vidljiv samo udp port wg-a i portovi koji su otvoreni ka mojoj kucnoj mrezi, sve ostalo je drop i reject. U jednom momentu sam sam sebe zakljucao kad sam restartovao ruter i promenila mi se ip adresa, a nisam obezbedio ovu liniju "#allow wireguard" da bih mogao preko dreamboxa da pristupim; sva sreca pa ne koristim ufw, pa mi nije bio aktiviran i iptables su se resetovale na allow nakon restarta VPS-a, inace bih sve morao ponovo da instaliram. Ovako podeseno ni konzola sa Mts Oblaci nema pristup, pa ne moze nista da se uradi ako se zakljuca ulaz; u tom slucaju mora ponovo da se instalira OS na VM-u. Znaci samo je jedan siguran backdoor aktivan, a to je ulaz preko uredjaja koji je wg klijent; ako ste prethodno upisali pravu ip adresu sa pocetka skripte, to je varijanta dva, koja nije sigurna jer ako se promeni dinamicka ip adresa ne moze na ta vrata da se udje u sistem.
Code:
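#!/bin/bash
# Host firewall for a VPS that fronts a WireGuard peer: only the WireGuard
# UDP port and the forwarded ports (OPEN_PORTS) are reachable from outside,
# and ssh is reachable only from the tunnel peer or from MOJAIP. Must run as
# root. Re-running it flushes and rebuilds every rule.
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
# Locate iptables with the builtin instead of `which` in backticks (SC2006,
# SC2230). An empty result is reported here; with no binary every IPTABLES
# call below would fail and the host would be left with ip_forward on and
# no rules, so do not ignore the warning.
IPTABLES_BIN=$(command -v iptables)
if [[ -z "$IPTABLES_BIN" ]]; then
  printf 'warning: iptables not found in PATH=%s\n' "$PATH" >&2
fi
DESTINACIJA=10.8.0.2   # tunnel address of the peer that receives the DNAT'd ports
MOJAIP=90.90.90.134    # public address allowed to ssh directly (dynamic, may change)
WGINT=wg0              # WireGuard interface
WGPORT=55520           # WireGuard listen port (UDP)
ETHINT=ens224          # public-facing interface
DEBUG=0                # 1 = print every iptables command before running it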
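#######################################
# Wrapper around the iptables binary.
# Globals:   IPTABLES_BIN (read), DEBUG (read)
# Arguments: the iptables argument list, passed through unchanged
# Outputs:   with DEBUG=1, the command about to run (stderr)
# Returns:   iptables' exit status; 127 when IPTABLES_BIN is empty
#######################################
IPTABLES() {
  # Fail loudly instead of executing "" with the arguments (original behaviour
  # when `which` found nothing).
  if [[ -z "$IPTABLES_BIN" ]]; then
    printf 'IPTABLES_BIN is empty, cannot run: %s\n' "$*" >&2
    return 127
  fi
  if [[ "$DEBUG" == 1 ]]; then
    # %q keeps arguments containing spaces or quotes distinguishable in the
    # trace; diagnostics go to stderr so they never mix with real output.
    printf 'Izvrsavam: %s' "$IPTABLES_BIN" >&2
    printf ' %q' "$@" >&2
    printf '\n' >&2
  fi
  "$IPTABLES_BIN" "$@"
}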
# Kernel tuning written straight into /proc (not persistent across reboot;
# mirror the same keys in /etc/sysctl.d/ if they must survive). ip_forward=1
# is required by the DNAT port forwarding further down.
for KV in \
  ip_forward=1 \
  tcp_fin_timeout=15 \
  tcp_window_scaling=1 \
  tcp_slow_start_after_idle=0; do
  printf '%s\n' "${KV#*=}" > "/proc/sys/net/ipv4/${KV%%=*}"
done
# Source addresses to drop outright, one per line (consumed by the
# "for TT in $BLOCK_DNS" loop further down).
BLOCK_DNS='
109.101.33.238
'
# The list is cleared right away, so the loop below currently blocks nothing;
# remove this line to activate the addresses above.
BLOCK_DNS=''
# Start from a clean slate: flush and delete user chains in every table the
# script populates. Do not touch.
# NOTE(review): when run over ssh, keep an `iptables-save` snapshot and a
# scheduled `iptables-restore` as a rollback; an interruption between here
# and the allow rules below leaves the host with a DROP policy and no access.
for TABLE in filter nat mangle; do
  IPTABLES -t "$TABLE" -F
  IPTABLES -t "$TABLE" -X
done
# Loopback is unrestricted; everything else hits a default DROP until an
# explicit ACCEPT below lets it through. Do not touch.
IPTABLES -A INPUT -i lo -j ACCEPT
IPTABLES -A OUTPUT -o lo -j ACCEPT
for CHAIN in INPUT OUTPUT FORWARD; do
  IPTABLES --policy "$CHAIN" DROP
done
#######################
# Pre-routing hygiene in the mangle table (seen by traffic for this host and
# by forwarded traffic alike).
# 1: drop packets conntrack cannot classify
IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
# 2: a NEW tcp connection must start with SYN
IPTABLES -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# 3: reject SYNs advertising an implausibly small MSS
IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# 4: tcp flag combinations that never occur in legitimate traffic
#    (each entry is "<mask> <flags that must be set within the mask>")
BOGUS_TCP_FLAGS=(
  "FIN,SYN,RST,PSH,ACK,URG NONE"
  "FIN,SYN FIN,SYN"
  "SYN,RST SYN,RST"
  "FIN,RST FIN,RST"
  "FIN,ACK FIN"
  "ACK,URG URG"
  "ACK,FIN FIN"
  "ACK,PSH PSH"
  "ALL ALL"
  "ALL NONE"
  "ALL FIN,PSH,URG"
  "ALL SYN,FIN,PSH,URG"
  "ALL SYN,RST,ACK,FIN,URG"
)
for FLAGSPEC in "${BOGUS_TCP_FLAGS[@]}"; do
  read -r MASK COMP <<< "$FLAGSPEC"
  IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags "$MASK" "$COMP" -j DROP
done
# 5: source addresses that must not appear on the public wire (multicast,
#    link-local, private, documentation, reserved).
# NOTE(review): these match on every interface, including $WGINT, so a
# 172.16/12 or 192.168/16 source behind the tunnel peer would be dropped here
# as well — fine as long as nothing in those ranges is routed over the tunnel.
SPOOFED_SOURCES=(
  224.0.0.0/3
  169.254.0.0/16
  172.16.0.0/12
  192.0.2.0/24
  192.168.0.0/16
  240.0.0.0/5
)
for SRC in "${SPOOFED_SOURCES[@]}"; do
  IPTABLES -t mangle -A PREROUTING -s "$SRC" -j DROP
done
#IPTABLES -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
# loopback sources are only valid on lo
IPTABLES -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
#IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/24 ! -i eth0 -j DROP
# 6: ICMP is left enabled (uncomment to drop it entirely)
#IPTABLES -t mangle -A PREROUTING -p icmp -j DROP
# 7: drop IP fragments
IPTABLES -t mangle -A PREROUTING -f -j DROP
########################
# INPUT filtering starts here
REJECT_RST=(-j REJECT --reject-with tcp-reset)
# 8: cap simultaneous tcp connections per source address
IPTABLES -A INPUT -p tcp -m connlimit --connlimit-above 20 "${REJECT_RST[@]}"
# header-only (20-byte) tcp packets to port 80 carry no payload; reset them.
# NOTE(review): port 80 is DNAT'd to $DESTINACIJA in nat PREROUTING below and
# DNAT'd packets traverse FORWARD, not INPUT, so this rule only sees traffic
# addressed to the VPS itself — it does not protect the forwarded service.
IPTABLES -A INPUT -p tcp --dport 80 -m length --length 20 "${REJECT_RST[@]}"
#IPTABLES -A INPUT -m iprange --src-range 212.200.156.0-212.200.157.255 -j DROP
# block gametracker and game monitor sites
#IPTABLES -A INPUT -m iprange --src-range 208.167.241.176-208.167.241.191 -j DROP
#IPTABLES -A INPUT -m iprange --src-range 108.61.78.0-108.61.78.255 -j DROP
#IPTABLES -A INPUT -m iprange --src-range 208.43.52.0-208.43.52.255 -j DROP
#IPTABLES -A INPUT -p udp -s $ACTIVISION -j REJECT
# US range : )
IPTABLES -A INPUT -p tcp -s 192.35.168.0/24 "${REJECT_RST[@]}"
# Drop everything from the addresses listed in BLOCK_DNS (newline-separated;
# the list is empty when it was cleared above, so this may be a no-op).
for BLOCKED in $BLOCK_DNS; do   # unquoted on purpose: split the list into words
  [[ -n "$BLOCKED" ]] || continue
  IPTABLES -A INPUT -s "$BLOCKED" -j DROP
done
#IPTABLES -A INPUT -m iprange --src-range 91.19.0.0-91.19.255.255 -j REJECT --reject-with icmp-port-unreachable
#####################################
# Payload string matches within the first 1024 bytes of port-80 traffic.
# NOTE(review): same caveat as the length rule above — port 80 is DNAT'd to
# $DESTINACIJA, so these INPUT rules never see the forwarded traffic; also
# 'HTTP/1.0' rejects legitimate HTTP/1.0 clients, not only scanners.
for NEEDLE in 'HTTP/1.0' 'CONNECT' 'censys' 'paloaltonetworks'; do
  IPTABLES -A INPUT -p tcp --dport 80 -m string --string "$NEEDLE" --algo bm --to 1024 -j REJECT --reject-with icmp-port-unreachable
done
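##################################
# Stateful core — do not touch.
# Inbound: only packets belonging to (or related to) a connection that an
# explicit ACCEPT rule already admitted. Outbound: this host may open any
# tcp/udp/icmp connection. Uses -m conntrack like the mangle rules above for
# consistency; -m state is the legacy alias of the same match.
for PROTO in tcp udp icmp; do
  IPTABLES -A INPUT -p "$PROTO" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
done
for PROTO in tcp udp icmp; do
  IPTABLES -A OUTPUT -p "$PROTO" -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
done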
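#################################
# allow rules
# WireGuard: the only UDP port reachable from anywhere
IPTABLES -A INPUT -p udp --dport "$WGPORT" -m state --state NEW -j ACCEPT
# ssh through the tunnel. The peer's tunnel address can only legitimately
# arrive on $WGINT, so the rule is bound to that interface; without -i, a
# packet on $ETHINT carrying a forged $DESTINACIJA source could match, since
# 10.0.0.0/8 is not in the anti-spoof list above (the 10.x line is commented
# out) and only rp_filter would stand in the way.
IPTABLES -A INPUT -i "$WGINT" -s "$DESTINACIJA" -p tcp --dport 22 -m state --state NEW -j ACCEPT
# ssh from the fixed public address — the fallback that stops working once
# that dynamic address changes, as the author notes
IPTABLES -A INPUT -s "$MOJAIP" -p tcp --dport 22 -m state --state NEW -j ACCEPT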
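# Ports forwarded from the public interface to $DESTINACIJA over the tunnel.
# One "port:proto" per line; entries starting with # are skipped.
OPEN_PORTS="
80:tcp
4545:tcp
"
for ITEM in $OPEN_PORTS; do   # unquoted on purpose: split the list into words
  # skip commented-out entries
  [[ "$ITEM" =~ ^# ]] && continue
  # split "port:proto" (IFS applies to this read only)
  IFS=":" read -r PORT PROT <<< "$ITEM"
  # refuse malformed entries instead of handing them to iptables, which would
  # otherwise install a half-configured forward or error out mid-script
  if ! [[ "$PORT" =~ ^[0-9]+$ && ( "$PROT" == tcp || "$PROT" == udp ) ]]; then
    printf 'OPEN_PORTS: skipping malformed entry %q (expected port:tcp|udp)\n' "$ITEM" >&2
    continue
  fi
  # DNAT on the public side
  IPTABLES -t nat -A PREROUTING -p "$PROT" --dport "$PORT" -j DNAT --to-destination "$DESTINACIJA:$PORT"
  # let the DNAT'd connection cross from the public interface into the tunnel
  IPTABLES -A FORWARD -i "$ETHINT" -p "$PROT" -d "$DESTINACIJA" --dport "$PORT" -j ACCEPT
done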
# Without this, replies coming back out of the tunnel are never forwarded.
# NOTE(review): "-i $WGINT -j ACCEPT" forwards anything that arrives from the
# tunnel, not only the DNAT'd flows; "-i $WGINT -m conntrack --ctstate
# RELATED,ESTABLISHED -j ACCEPT" is the tighter form if that is all that is
# needed — verify before changing, the author relies on this line.
IPTABLES -A FORWARD -i "$WGINT" -j ACCEPT
# 4: masquerade toward the tunnel so $DESTINACIJA replies to the VPS (the
# tunnel endpoint it knows) instead of to the original client address
IPTABLES -t nat -A POSTROUTING -o "$WGINT" -j MASQUERADE
#################################
# Defensive tail: drop fragments on INPUT as well (they are already dropped
# in mangle PREROUTING above, so this only matters if those rules go away).
# Everything not accepted so far falls through to the DROP policy.
# NOTE(review): nothing is logged before the policy drop; a rate-limited
# "-m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '" placed here would
# show what the firewall is discarding.
IPTABLES -A INPUT -f -j DROP
exit 0
