
11 Agustus 2007

Anti Flooding Script di Linux

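#!/bin/bash
# Anti-flooding ruleset for a small Linux NAT router.
#
# What it does (and nothing more):
#   * SNATs traffic leaving the public interface to ${inet_ip};
#   * rate-limits inbound TCP SYNs, ICMP echo-requests and bare TCP RSTs,
#     both addressed to this host (INPUT, public interface only) and routed
#     through it (FORWARD); the excess is logged and dropped;
#   * turns on icmp_echo_ignore_all and tcp_syncookies.
#
# Must run as root. It appends to INPUT, FORWARD and nat/POSTROUTING without
# de-duplicating, so run it once per boot on a fresh ruleset (or flush those
# chains first); only its own chains are rebuilt idempotently.
# IP forwarding itself (net.ipv4.ip_forward) is assumed to be enabled
# elsewhere - this script does not touch it.
set -euo pipefail

IPTABLES=${IPTABLES:-/usr/sbin/iptables}

local_eth=eth1   # interface facing the LAN
inet_eth=eth0    # interface facing the Internet
inet_ip=xx.x.xx. # public IPv4 address used as the SNAT source - MUST be set before use

# Per-source rate limits (hashlimit keyed on srcip). A shared counter, as
# with plain "-m limit", lets a single flooding host exhaust the budget for
# everyone and so completes the very DoS the script is meant to stop.
sf_limit=1/s        # TCP SYN: sustained rate ...
sfb_limit=3         # ... and burst
pd_limit=2/minute   # ICMP echo-request
pdb_limit=2
ps_limit=1/s        # bare RST (SYN/ACK/FIN clear)
psb_limit=4

# Cap on LOG lines per chain. Without it every dropped packet of a flood
# becomes a syslog line, and the log rule turns into the denial of service.
log_limit=5/minute
log_burst=10

die() { printf '%s\n' "$*" >&2; exit 1; }

# Create chain $1 if it does not exist, otherwise empty it, so the chain body
# is rebuilt from scratch on every run instead of being appended to.
reset_chain() {
  local chain=$1
  "$IPTABLES" -N "$chain" 2>/dev/null || "$IPTABLES" -F "$chain"
}

# Build a rate-limiting chain.
# Arguments: $1 chain name, $2 sustained rate, $3 burst, $4 log prefix
# Packets inside the per-source budget RETURN to the calling chain; the
# excess is logged (itself rate-limited) and dropped.
limit_chain() {
  local chain=$1 rate=$2 burst=$3 prefix=$4
  reset_chain "$chain"
  "$IPTABLES" -A "$chain" -m hashlimit --hashlimit-name "$chain" \
    --hashlimit-mode srcip --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
    -j RETURN
  "$IPTABLES" -A "$chain" -m limit --limit "$log_limit" --limit-burst "$log_burst" \
    -j LOG --log-prefix "$prefix"
  "$IPTABLES" -A "$chain" -j DROP
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  [[ -x "$IPTABLES" ]] || die "iptables binary not found at $IPTABLES"
  # Fail loudly on the placeholder instead of handing iptables a bogus SNAT address.
  [[ "$inet_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
    || die "inet_ip is not a valid IPv4 address: '$inet_ip'"

  # The host answers no echo-requests at all; the ping-death chain on INPUT
  # therefore only ever logs and drops, it never gates a reply.
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  # Kernel-level SYN-flood defence; the SYN rate limit below is the second line.
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies

  echo "Loading routing rules..."
  # Appended before the defence jumps, so LAN-originated traffic is never rate-limited.
  "$IPTABLES" -A FORWARD -i "$local_eth" -j ACCEPT
  "$IPTABLES" -t nat -A POSTROUTING -o "$inet_eth" -j SNAT --to-source "$inet_ip"
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  echo "Initialising Defense Systems..."

  # SYN flood: new TCP connections from the Internet.
  limit_chain syn-flood "$sf_limit" "$sfb_limit" "IPTABLES SYN-FLOOD:"
  "$IPTABLES" -A INPUT   -i "$inet_eth" -p tcp --syn -j syn-flood
  "$IPTABLES" -A FORWARD -p tcp --syn -j syn-flood

  # Echo-request flood. Despite the chain name this only limits the *rate*
  # of pings; it does not inspect packet size, so it is not a Ping-of-Death
  # (oversized fragment) filter.
  limit_chain ping-death "$pd_limit" "$pdb_limit" "IPTABLES PING-DEATH:"
  "$IPTABLES" -A INPUT   -i "$inet_eth" -p icmp --icmp-type echo-request -j ping-death
  "$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -j ping-death

  # Bare RSTs (RST set, SYN/ACK/FIN clear), treated here as scan traffic.
  # NOTE(review): such packets are also normal TCP "connection refused"
  # replies, so a tight limit can delay teardown of legitimate connections.
  limit_chain port-scan "$ps_limit" "$psb_limit" "IPTABLES PORT-SCAN:"
  "$IPTABLES" -A INPUT   -i "$inet_eth" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
  "$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan

  # Kept from the original: a second, shared (not per-source) cap on the same
  # three classes in FORWARD. These only ACCEPT; anything they do not match
  # falls through to the FORWARD policy, which this script never sets, so
  # with the kernel default (ACCEPT) they have no effect.
  "$IPTABLES" -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  "$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
}

main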

Semoga berhasil.
