From 3340d0695df93c3969f30e50685b73b980e00133 Mon Sep 17 00:00:00 2001 
From: root Date: Thu, 4 Feb 2021 22:19:22 -0500 Subject: [PATCH] updated with new scripts --- README.md | 12 +- etc/iptables/README.md | 19 +++ ipset.save => etc/iptables/ipset.save | 166 -------------------------- {list => etc/iptables/list}/CF.list | 0 etc/iptables/rules.v4 | 11 ++ rules.v6 => etc/iptables/rules.v6 | 0 etc/iptables/service.sh | 65 ++++++++++ etc/iptables/zone/block.zone | 0 {zone => etc/iptables/zone}/cf.zone | 0 {zone => etc/iptables/zone}/cn.zone | 0 {zone => etc/iptables/zone}/co.zone | 0 {zone => etc/iptables/zone}/eu.zone | 0 {zone => etc/iptables/zone}/id.zone | 0 {zone => etc/iptables/zone}/in.zone | 0 {zone => etc/iptables/zone}/iq.zone | 0 {zone => etc/iptables/zone}/jp.zone | 0 {zone => etc/iptables/zone}/kp.zone | 0 {zone => etc/iptables/zone}/kr.zone | 0 {zone => etc/iptables/zone}/ru.zone | 0 {zone => etc/iptables/zone}/za.zone | 0 etc/systemd/system/iptables.service | 13 ++ list/allowHTTPS.list | 14 --- list/allowSSH.list | 129 -------------------- list/directHTTPS.list | 2 - rules.v4 | 53 -------- update.sh | 22 ---- zone/block.zone | 1 - 27 files changed, 110 insertions(+), 397 deletions(-) create mode 100644 etc/iptables/README.md rename ipset.save => etc/iptables/ipset.save (99%) rename {list => etc/iptables/list}/CF.list (100%) create mode 100644 etc/iptables/rules.v4 rename rules.v6 => etc/iptables/rules.v6 (100%) create mode 100755 etc/iptables/service.sh create mode 100644 etc/iptables/zone/block.zone rename {zone => etc/iptables/zone}/cf.zone (100%) rename {zone => etc/iptables/zone}/cn.zone (100%) rename {zone => etc/iptables/zone}/co.zone (100%) rename {zone => etc/iptables/zone}/eu.zone (100%) rename {zone => etc/iptables/zone}/id.zone (100%) rename {zone => etc/iptables/zone}/in.zone (100%) rename {zone => etc/iptables/zone}/iq.zone (100%) rename {zone => etc/iptables/zone}/jp.zone (100%) rename {zone => etc/iptables/zone}/kp.zone (100%) rename {zone => etc/iptables/zone}/kr.zone (100%) rename {zone => 
etc/iptables/zone}/ru.zone (100%) rename {zone => etc/iptables/zone}/za.zone (100%) create mode 100644 etc/systemd/system/iptables.service delete mode 100644 list/allowHTTPS.list delete mode 100644 list/allowSSH.list delete mode 100644 list/directHTTPS.list delete mode 100644 rules.v4 delete mode 100644 update.sh delete mode 100644 zone/block.zone diff --git a/README.md b/README.md index 42b4043..0892637 100644 --- a/README.md +++ b/README.md @@ -6,14 +6,6 @@ The different files are listed in lists and are hopefully somewhat self explanat Anything with .list end in the zone folder will be added to the block list. This was initially used to block countries, but you can use it to block anything. -Add ```update.sh``` in your cron +This now uses systemd. Move the systemd service and do a ```systemstl daemon-reload``` then ```systemctl enable iptables --now``` -Load iptables and ipset rules however you please on start up - -This is done by the following. Some of my servers have it in ```/etc/rc.local``` others have it in ```/etc/network/interface``` as post-up script - -```iptables-restore < /path/to/iptables.save``` - -```ipset restore < /path/to/ipset.save``` - -There may be a better way to do this, but this works for me on some servers. +There may be a better way to do this, but this works for me on my servers. diff --git a/etc/iptables/README.md b/etc/iptables/README.md new file mode 100644 index 0000000..42b4043 --- /dev/null +++ b/etc/iptables/README.md 
@@ -0,0 +1,19 @@ +# iptables + +Here is my script that I use to update iptables with data. + +The different files are listed in lists and are hopefully somewhat self explanatory + +Anything with .list end in the zone folder will be added to the block list. This was initially used to block countries, but you can use it to block anything. + +Add ```update.sh``` in your cron + +Load iptables and ipset rules however you please on start up + +This is done by the following. Some of my servers have it in ```/etc/rc.local``` others have it in ```/etc/network/interface``` as post-up script + +```iptables-restore < /path/to/iptables.save``` + +```ipset restore < /path/to/ipset.save``` + +There may be a better way to do this, but this works for me on some servers. diff --git a/ipset.save b/etc/iptables/ipset.save similarity index 99% rename from ipset.save rename to etc/iptables/ipset.save index 0234f6e..69fdd9e 100644 --- a/ipset.save +++ b/etc/iptables/ipset.save 
@@ -37735,169 +37735,3 @@ add drop 121.101.64.0/18 add drop 94.125.186.0/24 add drop 212.40.192.0/19 add drop 195.128.96.0/22 -create allowHTTPS hash:net family inet hashsize 1024 maxelem 65536 -add allowHTTPS 173.245.48.0/20 -add allowHTTPS 103.31.4.0/22 -add allowHTTPS 172.64.0.0/13 -add allowHTTPS 197.234.240.0/22 -add allowHTTPS 198.41.128.0/17 -add allowHTTPS 188.114.96.0/20 -add allowHTTPS 141.101.64.0/18 -add allowHTTPS 108.162.192.0/18 -add allowHTTPS 190.93.240.0/20 -add allowHTTPS 131.0.72.0/22 -add allowHTTPS 104.16.0.0/12 -add allowHTTPS 162.158.0.0/15 -add allowHTTPS 103.22.200.0/22 -add allowHTTPS 103.21.244.0/22 -create allowSSH hash:net family inet hashsize 1024 maxelem 65536 -add allowSSH 97.255.128.0/18 -add allowSSH 174.255.255.254 -add allowSSH 70.223.240.0/21 -add allowSSH 70.223.254.0/24 -add allowSSH 70.223.255.254 -add allowSSH 70.223.255.248/30 -add allowSSH 174.255.240.0/21 -add allowSSH 70.208.0.0/13 -add allowSSH 70.223.255.252/31 -add allowSSH 66.174.255.240/29 -add allowSSH 69.103.255.255 -add allowSSH 97.255.255.0/25 -add allowSSH 174.255.255.240/29 -add allowSSH 69.82.0.0/16 -add allowSSH 66.174.255.254 -add allowSSH 66.174.192.0/19 -add allowSSH 172.32.0.0/11 -add allowSSH 192.182.251.66 -add allowSSH 97.254.0.0/16 -add allowSSH 174.255.255.192/27 -add allowSSH 69.103.254.0/24 -add allowSSH 206.29.160.0/19 -add allowSSH 70.223.248.0/22 -add allowSSH 69.103.192.0/19 -add allowSSH 174.248.0.0/14 -add allowSSH 97.255.255.252/31 -add allowSSH 69.83.254.0/24 -add allowSSH 70.223.255.128/26 -add allowSSH 72.250.0.0/17 -add allowSSH 69.83.255.224/28 -add allowSSH 69.83.128.0/18 -add allowSSH 97.248.0.0/14 -add allowSSH 174.255.255.248/30 -add allowSSH 69.103.255.192/27 -add allowSSH 45.76.15.216/31 -add allowSSH 97.255.240.0/21 -add allowSSH 66.174.255.248/30 -add allowSSH 69.103.240.0/21 -add allowSSH 97.255.255.224/28 -add allowSSH 97.255.255.255 -add allowSSH 69.102.0.0/16 -add allowSSH 69.83.255.248/30 -add allowSSH 66.174.252.0/23 
-add allowSSH 70.223.0.0/17 -add allowSSH 69.103.224.0/20 -add allowSSH 66.174.255.192/27 -add allowSSH 66.174.254.0/24 -add allowSSH 70.223.255.192/27 -add allowSSH 69.103.128.0/18 -add allowSSH 208.54.0.0/17 -add allowSSH 69.83.255.0/25 -add allowSSH 72.240.0.0/15 -add allowSSH 174.255.255.128/26 -add allowSSH 69.83.255.252/31 -add allowSSH 208.54.128.0/19 -add allowSSH 70.223.252.0/23 -add allowSSH 50.28.192.0/18 -add allowSSH 157.230.229.117 -add allowSSH 174.254.0.0/16 -add allowSSH 162.160.0.0/11 -add allowSSH 97.255.0.0/17 -add allowSSH 174.255.224.0/20 -add allowSSH 69.103.255.224/28 -add allowSSH 70.223.255.224/28 -add allowSSH 66.174.255.0/25 -add allowSSH 69.103.255.128/26 -add allowSSH 70.192.0.0/12 -add allowSSH 97.240.0.0/13 -add allowSSH 97.255.254.0/24 -add allowSSH 174.224.0.0/12 -add allowSSH 69.103.248.0/22 -add allowSSH 70.220.0.0/15 -add allowSSH 174.255.252.0/23 -add allowSSH 70.223.128.0/18 -add allowSSH 69.103.255.254 -add allowSSH 174.255.254.0/24 -add allowSSH 69.83.252.0/23 -add allowSSH 97.252.0.0/15 -add allowSSH 69.83.240.0/21 -add allowSSH 174.141.208.0/20 -add allowSSH 174.240.0.0/13 -add allowSSH 66.174.128.0/18 -add allowSSH 45.76.28.244 -add allowSSH 69.83.255.255 -add allowSSH 69.103.255.248/30 -add allowSSH 97.255.192.0/19 -add allowSSH 216.155.160.0/20 -add allowSSH 97.224.0.0/12 -add allowSSH 69.83.248.0/22 -add allowSSH 174.255.255.255 -add allowSSH 66.174.255.252/31 -add allowSSH 45.76.15.216 -add allowSSH 174.255.248.0/22 -add allowSSH 69.103.0.0/17 -add allowSSH 70.223.255.0/25 -add allowSSH 174.255.128.0/18 -add allowSSH 69.83.255.254 -add allowSSH 70.216.0.0/14 -add allowSSH 174.252.0.0/15 -add allowSSH 174.255.192.0/19 -add allowSSH 69.103.255.252/31 -add allowSSH 66.174.255.128/26 -add allowSSH 66.174.0.0/17 -add allowSSH 66.174.248.0/22 -add allowSSH 172.98.199.107 -add allowSSH 69.103.252.0/23 -add allowSSH 69.83.255.128/26 -add allowSSH 149.28.123.155 -add allowSSH 69.83.255.192/27 -add allowSSH 69.83.255.240/29 
-add allowSSH 70.222.0.0/16 -add allowSSH 70.223.255.240/29 -add allowSSH 66.94.0.0/19 -add allowSSH 66.174.240.0/21 -add allowSSH 69.103.255.0/25 -add allowSSH 174.255.255.252/31 -add allowSSH 69.96.0.0/14 -add allowSSH 97.255.255.240/29 -add allowSSH 100.128.0.0/9 -add allowSSH 70.223.224.0/20 -add allowSSH 69.83.0.0/17 -add allowSSH 69.103.255.240/29 -add allowSSH 70.223.255.255 -add allowSSH 149.28.42.0/23 -add allowSSH 97.255.255.192/27 -add allowSSH 97.255.252.0/23 -add allowSSH 67.211.160.0/24 -add allowSSH 69.100.0.0/15 -add allowSSH 174.255.0.0/17 -add allowSSH 69.83.224.0/20 -add allowSSH 97.255.255.254 -add allowSSH 97.192.0.0/11 -add allowSSH 97.128.0.0/10 -add allowSSH 69.83.192.0/19 -add allowSSH 97.255.255.248/30 -add allowSSH 66.174.255.224/28 -add allowSSH 66.174.224.0/20 -add allowSSH 174.192.0.0/11 -add allowSSH 174.255.255.0/25 -add allowSSH 97.255.255.128/26 -add allowSSH 70.223.192.0/19 -add allowSSH 66.174.255.255 -add allowSSH 174.255.255.224/28 -add allowSSH 162.248.242.96/29 -add allowSSH 97.255.248.0/22 -add allowSSH 97.255.224.0/20 -create directHTTPS hash:net family inet hashsize 1024 maxelem 65536 -add directHTTPS 67.211.160.100 -add directHTTPS 72.241.86.95 -add directHTTPS 72.240.75.15 diff --git a/list/CF.list b/etc/iptables/list/CF.list similarity index 100% rename from list/CF.list rename to etc/iptables/list/CF.list diff --git a/etc/iptables/rules.v4 b/etc/iptables/rules.v4 new file mode 100644 index 0000000..132a0fb --- /dev/null +++ b/etc/iptables/rules.v4 @@ -0,0 +1,11 @@ +# Generated by iptables-save v1.4.21 on Sat May 13 10:34:33 2017 +*filter +:INPUT ACCEPT [59:5736] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [45:49826] + +-A INPUT -m set --match-set drop src -j DROP +-A OUTPUT -m set --match-set drop dst -j DROP + +COMMIT +# Completed on Sat May 13 10:34:33 2017 diff --git a/rules.v6 b/etc/iptables/rules.v6 similarity index 100% rename from rules.v6 rename to etc/iptables/rules.v6 
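Review bot: The new etc/iptables/rules.v4 declares `:INPUT ACCEPT` and `:FORWARD ACCEPT` with nothing but the two `drop`-set rules, whereas the rules.v4 this commit deletes ran `:INPUT DROP` with explicit per-port accepts, so every service listening on the host is now reachable from any address outside the geoblock set; if that is the intent it deserves a comment at the top of the file, otherwise the DROP policy and the accept rules should be carried over. Nothing visible in this commit loads the file either: service.sh builds its rules imperatively with `iptables -A` and never calls `iptables-restore`, and the unit only invokes service.sh, so unless something outside the diff restores it, rules.v4 is dead configuration that will drift from what actually runs. The 2017 `iptables-save` header and packet counters are copied verbatim; regenerating the file from a live `service.sh start` would keep it honest.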
diff --git a/etc/iptables/service.sh b/etc/iptables/service.sh
new file mode 100755
index 0000000..8da8580
--- /dev/null
+++ b/etc/iptables/service.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# Configure iptables firewall
+
+# Limit PATH
+PATH="/sbin:/usr/sbin:/bin:/usr/bin"
+
+# Download
+ip_update() {
+ wget -q 'https://www.cloudflare.com/ips-v4' -O /etc/iptables/list/CF.list
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/ru.zone' -O /etc/iptables/zone/ru.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/cn.zone' -O /etc/iptables/zone/cn.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/in.zone' -O /etc/iptables/zone/in.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/iq.zone' -O /etc/iptables/zone/iq.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/jp.zone' -O /etc/iptables/zone/jp.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/kp.zone' -O /etc/iptables/zone/kp.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/kr.zone' -O /etc/iptables/zone/kr.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/id.zone' -O /etc/iptables/zone/id.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/cf.zone' -O /etc/iptables/zone/cf.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/za.zone' -O /etc/iptables/zone/za.zone
+ wget -q 'http://ipdeny.com/ipblocks/data/countries/co.zone' -O /etc/iptables/zone/co.zone
+}
+# ipset update
+firewall_update() {
+ ip_update
+ for i in $(cat /etc/iptables/zone/*.zone ); do ipset -exist -A drop $i; done
+}
+
+# iptables configuration
+firewall_start() {
+ ipset create drop hash:net family inet hashsize 16384 maxelem 65536
+ ip_update
+ for i in $(cat /etc/iptables/zone/*.zone ); do ipset -exist -A drop $i; done
+ iptables -A INPUT -m set --match-set drop src -j DROP
+ iptables -A OUTPUT -m set --match-set drop dst -j DROP
+}
+
+# clear iptables configuration
+firewall_stop() {
+ iptables -F
+ iptables -X
+ iptables -P INPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ iptables -P OUTPUT ACCEPT
+ ipset destroy drop
+}
+
+# execute action
+case "$1" in
+ start|restart)
+ echo "Starting firewall"
+ firewall_stop
+ firewall_start
+ echo "Firewall started"
+ ;;
+ stop)
+ echo "Stopping firewall"
+ firewall_stop
+ echo "Firewall stopped"
+ ;;
+ update)
+ echo "Update ipset IPs"
+ firewall_update
+ echo "updated ipset IPs"
+ ;;
+esac
diff --git a/etc/iptables/zone/block.zone b/etc/iptables/zone/block.zone
new file mode 100644
index 0000000..e69de29
diff --git a/zone/cf.zone b/etc/iptables/zone/cf.zone
similarity index 100%
rename from zone/cf.zone
rename to etc/iptables/zone/cf.zone
diff --git a/zone/cn.zone b/etc/iptables/zone/cn.zone
similarity index 100%
rename from zone/cn.zone
rename to etc/iptables/zone/cn.zone
diff --git a/zone/co.zone b/etc/iptables/zone/co.zone
similarity index 100%
rename from zone/co.zone
rename to etc/iptables/zone/co.zone
diff --git a/zone/eu.zone b/etc/iptables/zone/eu.zone
similarity index 100%
rename from zone/eu.zone
rename to etc/iptables/zone/eu.zone
diff --git a/zone/id.zone b/etc/iptables/zone/id.zone
similarity index 100%
rename from zone/id.zone
rename to etc/iptables/zone/id.zone
diff --git a/zone/in.zone b/etc/iptables/zone/in.zone
similarity index 100%
rename from zone/in.zone
rename to etc/iptables/zone/in.zone
diff --git a/zone/iq.zone b/etc/iptables/zone/iq.zone
similarity index 100%
rename from zone/iq.zone
rename to etc/iptables/zone/iq.zone
diff --git a/zone/jp.zone b/etc/iptables/zone/jp.zone
similarity index 100%
rename from zone/jp.zone
rename to etc/iptables/zone/jp.zone
diff --git a/zone/kp.zone b/etc/iptables/zone/kp.zone
similarity index 100%
rename from zone/kp.zone
rename to etc/iptables/zone/kp.zone
diff --git a/zone/kr.zone b/etc/iptables/zone/kr.zone
similarity index 100%
rename from zone/kr.zone
rename to etc/iptables/zone/kr.zone
diff --git a/zone/ru.zone b/etc/iptables/zone/ru.zone
similarity index 100%
rename from zone/ru.zone
rename to etc/iptables/zone/ru.zone
diff --git a/zone/za.zone b/etc/iptables/zone/za.zone
similarity index 100%
rename from zone/za.zone
rename to etc/iptables/zone/za.zone
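Review bot: ip_update pulls the ipdeny zone files over plain `http://`, and both firewall_start and firewall_update feed their contents unverified into the `drop` set that gates INPUT and OUTPUT, so anyone who can tamper with that traffic or the upstream files chooses what this host drops — including the operator's own prefix or `0.0.0.0/0`. Separately, `wget -q ... -O file` opens and truncates the destination before transferring, and ip_update checks no exit status, so a failed download (for instance at boot before the network is usable) leaves an empty zone file and an empty set: the firewall fails open silently. I would fetch into a mktemp file, move it into place only when wget succeeds and the result is non-empty, use `https://` where the provider serves it, and report failures on stderr so they land in the journal. Less urgently, `ipset restore` from a generated file is far faster than one `ipset -A` per prefix, ShellCheck will flag `for i in $(cat ...)` and the unquoted `$i` (harmless for CIDR lists, but quote it), and the `case` wants a `*)` usage arm.
```shell
# Fetch a list into place only when the download succeeds and is non-empty,
# so a failed fetch keeps the previous file instead of emptying the drop set.
fetch_list() {
  local url=$1 dest=$2 tmp
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  if wget -q "$url" -O "$tmp" && [ -s "$tmp" ]; then
    mv -f "$tmp" "$dest"
  else
    rm -f "$tmp"
    echo "fetch of $url failed, keeping existing $dest" >&2
    return 1
  fi
}

# Download
ip_update() {
  fetch_list 'https://www.cloudflare.com/ips-v4' /etc/iptables/list/CF.list
  fetch_list 'http://ipdeny.com/ipblocks/data/countries/ru.zone' /etc/iptables/zone/ru.zone
  # … unchanged: remaining zone fetches, same fetch_list pattern …
}
```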
diff --git a/etc/systemd/system/iptables.service b/etc/systemd/system/iptables.service
new file mode 100644
index 0000000..b482607
--- /dev/null
+++ b/etc/systemd/system/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=iptables firewall service
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/iptables/service.sh start
+RemainAfterExit=true
+ExecStop=/etc/iptables/service.sh stop
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/list/allowHTTPS.list b/list/allowHTTPS.list
deleted file mode 100644
index dca57f0..0000000
--- a/list/allowHTTPS.list
+++ /dev/null
@@ -1,14 +0,0 @@
-103.21.244.0/22
-103.22.200.0/22
-103.31.4.0/22
-104.16.0.0/12
-108.162.192.0/18
-131.0.72.0/22
-141.101.64.0/18
-162.158.0.0/15
-172.64.0.0/13
-173.245.48.0/20
-188.114.96.0/20
-190.93.240.0/20
-197.234.240.0/22
-198.41.128.0/17
diff --git a/list/allowSSH.list b/list/allowSSH.list
deleted file mode 100644
index 13d722e..0000000
--- a/list/allowSSH.list
+++ /dev/null
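Review bot: `After=network.target` does not mean the network is usable, yet `ExecStart=/etc/iptables/service.sh start` downloads the zone lists before populating the set (see the service.sh hunk), so at boot the fetch can run before connectivity exists and, because `wget -O` truncates its output file on a failed transfer, the unit can come up with an empty drop set. If start must download, use `Wants=network-online.target` and `After=network-online.target`; better, have start load the checked-in lists or `ipset restore < /etc/iptables/ipset.save` under `Before=network-pre.target` / `Wants=network-pre.target` so the filter is in place before interfaces come up, and move the fetch to `service.sh update` driven by a systemd timer. The README change drops the cron entry for update.sh and nothing in this commit invokes `service.sh update`, so as written the lists only refresh when the unit is restarted. `ExecStop` also flushes every rule and resets all policies to ACCEPT, which deserves a comment in the unit since `systemctl stop iptables` fully opens the host.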
@@ -1,129 +0,0 @@ -72.240.0.0/15 -67.211.160.0/24 -66.174.0.0/17 -66.174.128.0/18 -66.174.192.0/19 -66.174.224.0/20 -66.174.240.0/21 -66.174.248.0/22 -66.174.252.0/23 -66.174.254.0/24 -66.174.255.0/25 -66.174.255.128/26 -66.174.255.192/27 -66.174.255.224/28 -66.174.255.240/29 -66.174.255.248/30 -66.174.255.252/31 -66.174.255.254/32 -66.174.255.255/32 -69.82.0.0/16 -69.83.0.0/17 -69.83.128.0/18 -69.83.192.0/19 -69.83.224.0/20 -69.83.240.0/21 -69.83.248.0/22 -69.83.252.0/23 -69.83.254.0/24 -69.83.255.0/25 -69.83.255.128/26 -69.83.255.192/27 -69.83.255.224/28 -69.83.255.240/29 -69.83.255.248/30 -69.83.255.252/31 -69.83.255.254/32 -69.83.255.255/32 -69.96.0.0/14 -69.100.0.0/15 -69.102.0.0/16 -69.103.0.0/17 -69.103.128.0/18 -69.103.192.0/19 -69.103.224.0/20 -69.103.240.0/21 -69.103.248.0/22 -69.103.252.0/23 -69.103.254.0/24 -69.103.255.0/25 -69.103.255.128/26 -69.103.255.192/27 -69.103.255.224/28 -69.103.255.240/29 -69.103.255.248/30 -69.103.255.252/31 -69.103.255.254/32 -69.103.255.255/32 -70.192.0.0/12 -70.208.0.0/13 -70.216.0.0/14 -70.220.0.0/15 -70.222.0.0/16 -70.223.0.0/17 -70.223.128.0/18 -70.223.192.0/19 -70.223.224.0/20 -70.223.240.0/21 -70.223.248.0/22 -70.223.252.0/23 -70.223.254.0/24 -70.223.255.0/25 -70.223.255.128/26 -70.223.255.192/27 -70.223.255.224/28 -70.223.255.240/29 -70.223.255.248/30 -70.223.255.252/31 -70.223.255.254/32 -70.223.255.255/32 -97.128.0.0/10 -97.192.0.0/11 -97.224.0.0/12 -97.240.0.0/13 -97.248.0.0/14 -97.252.0.0/15 -97.254.0.0/16 -97.255.0.0/17 -97.255.128.0/18 -97.255.192.0/19 -97.255.224.0/20 -97.255.240.0/21 -97.255.248.0/22 -97.255.252.0/23 -97.255.254.0/24 -97.255.255.0/25 -97.255.255.128/26 -97.255.255.192/27 -97.255.255.224/28 -97.255.255.240/29 -97.255.255.248/30 -97.255.255.252/31 -97.255.255.254/32 -97.255.255.255/32 -174.192.0.0/11 -174.224.0.0/12 -174.240.0.0/13 -174.248.0.0/14 -174.252.0.0/15 -174.254.0.0/16 -174.255.0.0/17 -174.255.128.0/18 -174.255.192.0/19 -174.255.224.0/20 -174.255.240.0/21 -174.255.248.0/22 
-174.255.252.0/23 -174.255.254.0/24 -174.255.255.0/25 -174.255.255.128/26 -174.255.255.192/27 -174.255.255.224/28 -174.255.255.240/29 -174.255.255.248/30 -174.255.255.252/31 -174.255.255.254/32 -174.255.255.255/32 -149.28.43.193/23 -45.76.15.216/32 -162.248.242.98/29 diff --git a/list/directHTTPS.list b/list/directHTTPS.list deleted file mode 100644 index 01fe520..0000000 --- a/list/directHTTPS.list +++ /dev/null @@ -1,2 +0,0 @@ -72.241.86.95 -67.211.160.100 diff --git a/rules.v4 b/rules.v4 deleted file mode 100644 index 456b0ae..0000000 --- a/rules.v4 +++ /dev/null 
@@ -1,53 +0,0 @@ -# Generated by iptables-save v1.4.21 on Sat May 13 10:34:33 2017 -*filter -:INPUT DROP [59:5736] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [45:49826] - --A INPUT -m set --match-set drop src -j DROP --A OUTPUT -m set --match-set drop dst -j DROP - --A INPUT -p ICMP --icmp-type 8 -j ACCEPT - --A INPUT -m state --state INVALID -j DROP --A FORWARD -m state --state INVALID -j DROP -##-A OUTPUT -m state --state INVALID -j DROP - --A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT - --A INPUT -m recent --name portscan --rcheck --second 86400 -j DROP --A FORWARD -m recent --name portscan --rcheck --second 86400 -j DROP - --A INPUT -m recent --name portscan --remove --A FORWARD -m recent --name portscan --remove - --A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:" --A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP - --A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:" --A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP -#### END DROP INVALID DATA 20180408 #### - --A INPUT -i lo -j ACCEPT - -#-A INPUT -p tcp --dport 22333 -i ztwfuerpaw -j ACCEPT - --A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - -#-A INPUT -m set --match-set allowHTTPS src -p tcp -m tcp --dport 443 -j ACCEPT -#-A INPUT -m set --match-set directHTTPS src -p tcp -m tcp --dport 443 -j ACCEPT - --A INPUT -p tcp -m tcp --dport 80 -j ACCEPT --A INPUT -p tcp -m tcp --dport 25 -j ACCEPT --A INPUT -p tcp -m tcp --dport 443 -j ACCEPT --A INPUT -p tcp -m tcp --dport 587 -j ACCEPT --A INPUT -p tcp -m tcp --dport 465 -j ACCEPT --A INPUT -p tcp -m tcp --dport 993 -j ACCEPT --A INPUT -p tcp -m tcp --dport 143 -j ACCEPT - -#-A OUTPUT -j ACCEPT -#-A FORWARD -j DROP -##-A INPUT -i eth0 -j DROP -#-A INPUT -j DROP -COMMIT -# Completed on Sat May 13 10:34:33 2017 
diff --git a/update.sh b/update.sh deleted file mode 100644 index 3e59d1f..0000000 --- a/update.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -wget -q 'http://ipdeny.com/ipblocks/data/countries/ru.zone' -O /etc/iptables/zone/ru.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/cn.zone' -O /etc/iptables/zone/cn.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/in.zone' -O /etc/iptables/zone/in.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/iq.zone' -O /etc/iptables/zone/iq.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/jp.zone' -O /etc/iptables/zone/jp.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/kp.zone' -O /etc/iptables/zone/kp.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/kr.zone' -O /etc/iptables/zone/kr.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/id.zone' -O /etc/iptables/zone/id.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/cf.zone' -O /etc/iptables/zone/cf.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/za.zone' -O /etc/iptables/zone/za.zone -wget -q 'http://ipdeny.com/ipblocks/data/countries/co.zone' -O /etc/iptables/zone/co.zone -wget -q 'https://www.cloudflare.com/ips-v4' -O /etc/iptables/list/CF.list - - -for i in $(cat /etc/iptables/zone/*.zone ); do ipset -exist -A drop $i; done -for i in $(cat /etc/iptables/list/CF.list ); do ipset -exist -A allowHTTPS $i; done -for i in $(cat /etc/iptables/list/allowSSH.list ); do ipset -exist -A allowSSH $i; done -for i in $(cat /etc/iptables/list/directHTTPS.list ); do ipset -exist -A directHTTPS $i; done - -ipset save > /etc/iptables/ipset.save diff --git a/zone/block.zone b/zone/block.zone deleted file mode 100644 index 5f8721d..0000000 --- a/zone/block.zone +++ /dev/null @@ -1 +0,0 @@ -blockedIPhere/32