#!/bin/bash
# About: Firewall Regeln fuer iptables
iptables -F
iptables -X
iptables -N DENY
iptables -A DENY -p tcp -m tcp -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with tcp-reset
iptables -A DENY -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with icmp-proto-unreachable
iptables -A DENY -m comment --comment "Alles andere ignorieren" -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth Scan"
iptables -N SERVICES
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 7777 -m comment --comment "Erlaube: DNS" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport **** -m comment --comment "Erlaube: SSH-Zugriff" -j ACCEPT
iptables -A SERVICES -j RETURN
iptables -A INPUT -i lo -m comment --comment "Erlaube: Loopback" -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Erlaube: Related und Established Verbindungen" -j ACCEPT
iptables -A INPUT -m comment --comment "Erlaube Standard Dienste" -j SERVICES
iptables -A INPUT -m comment --comment "Ignoriere alles andere" -j DENY
iptables -P INPUT DROP
iptables -N PORTSCAN
iptables -A PORTSCAN -j LOG --log-prefix "PORTSCAN detected -- "
iptables -A PORTSCAN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j PORTSCAN
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j PORTSCAN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j PORTSCAN
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j PORTSCAN
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PORTSCAN
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PORTSCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PORTSCAN
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PORTSCAN
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j PORTSCAN
iptables -A FORWARD -p tcp --tcp-flags ALL FIN -j PORTSCAN
iptables -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN \
-j PORTSCAN
iptables -A FORWARD -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN \
-j PORTSCAN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP