исправте меня пожалуиста. если я ошибся где то
#!/bin/sh
if [ "$1" = "stop" ]
then
echo "O4UCKA firewalla"
iptables -F
iptables -t mangle -F
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -X syn-flood
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo "O4UCTKA 3ABEPWEHA"
exit
fi
echo "Firewal: HA4AJIO"
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Даем доступ к YatQA
iptables -I INPUT -p tcp -s 127.0.0.1 --dport 10011 -j ACCEPT
iptables -I INPUT -p tcp -s 92.63.203.00 --dport 10011 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 10011 -m iprange --src-range 77.40.0.0-77.40.127.255 -j ACCEPT
#доступ для мониторинга gametrackera.
iptables -I INPUT -p tcp -s 208.167.241.190 --dport 10011 -j ACCEPT
iptables -I INPUT -p tcp -s 208.167.241.185 --dport 10011 -j ACCEPT
iptables -I INPUT -p tcp -s 208.167.241.186 --dport 10011 -j ACCEPT
iptables -I INPUT -p tcp -s 108.61.78.147 --dport 10011 -j ACCEPT
iptables -I INPUT -p tcp -s 108.61.78.148 --dport 10011 -j ACCEPT
iptables -I INPUT -p tcp -s 108.61.78.149 --dport 10011 -j ACCEPT
iptables -I INPUT -p tcp -s 108.61.78.150 --dport 10011 -j ACCEPT
#Открываем порты для SSH
iptables -I INPUT -p tcp -s 188.187.188.165 --dport 22 -j ACCEPT
iptables -I INPUT -p tcp -s 188.187.188.165 --sport 22 -j ACCEPT
#Открываем порты для Sinusbot
iptables -I INPUT -p tcp --dport 8087 -j ACCEPT
iptables -I INPUT -p udp --dport 8087 -j ACCEPT
#Блокировка порта Query
iptables -A INPUT -p tcp --dport 10011 -j DROP
iptables -A INPUT -p udp --sport 10011 -j DROP
#Блокировка порта 80
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p udp --sport 80 -j DROP
#Открываем порты для teamspeak
#порт для подключения 9987
iptables -I INPUT -p udp --dport 9987 -j ACCEPT
iptables -I INPUT -p udp --sport 9987 -j ACCEPT
#порт для Weblist 2010
iptables -I INPUT -p udp --dport 2010 -j ACCEPT
iptables -I INPUT -p udp --sport 2010 -j ACCEPT
#порт для проверки License 2008
iptables -I INPUT -p tcp --dport 2008 -j ACCEPT
iptables -I INPUT -p tcp --sport 2008 -j ACCEPT
#DNS port
iptables -I INPUT -p tcp --dport 41144 -j ACCEPT
iptables -I INPUT -p tcp --sport 41144 -j ACCEPT
#DNS port
iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp --sport 53 -j ACCEPT
#CrashFix 3.0.13 http://www.mpcforum.pl/topic/1568622-crashfix-%C5%82atka-3013/#entry13243822
iptables -N Exploit_3_0_13
iptables -A INPUT -p udp -m udp --match length --length 300:350 -j Exploit_3_0_13
iptables -A Exploit_3_0_13 -m limit --limit 200/min -j LOG --log-prefix "Detect - Exploit_3.0.13: " --log-level 4
iptables -A Exploit_3_0_13 -j DROP
#CrashFix 3.0.13 http://r4p3.net/threads/hotfix-for-teamspeak-vulnerabilities-till-3-0-13.2872/
-A INPUT -p udp -m udp -j DROP --match length --length 300:350
#Защита TS3Fuck'a / TS3Dropera
/sbin/iptables -A INPUT -s 31.14.135.45 -j DROP
/sbin/iptables -A INPUT -s 5.249.159.251 -j DROP
/sbin/iptables -N ts3droper
/sbin/iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|545333494e|' -m limit --limit 250/s --limit-burst 250 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|545333494e|' -j ts3droper
/sbin/iptables -A ts3droper -m limit --limit 100/min -j LOG --log-prefix "TS3droper: " --log-level 4
/sbin/iptables -A ts3droper -j DROP
iptables -A INPUT -s 31.14.135.45 -j DROP
iptables -A INPUT -s 5.249.159.251 -j DROP
iptables -N ts3droper
iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|545333494e|' -m limit --limit 250/s --limit-burst 250 -j ACCEPT
iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|545333494e|' -j ts3droper
iptables -A ts3droper -m limit --limit 100/min -j LOG --log-prefix "TS3droper: " --log-level 4
iptables -A ts3droper -j DROP
iptables -A INPUT -s 31.14.135.45 -j DROP
iptables -A INPUT -s 5.249.159.251 -j DROP
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
/sbin/iptables -A INPUT -f -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 19 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 123 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 161 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 1433 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 1900 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 27015 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 27950 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 27952 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 27960 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 27965 -j DROP
/sbin/iptables -A INPUT -p icmp -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 19329 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 53 -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --sport 53 -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --sport 19329 -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --sport 5353 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 5353 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 7143 -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --sport 7143 -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --sport 123 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 123 -j DROP
/sbin/iptables -A INPUT -p udp -m udp --sport 111 -j DROP
/sbin/iptables -A INPUT -p udp -m tcp --sport 111 -j DROP
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -j DROP
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit --limit 10/sec --limit-burst 15 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
/sbin/iptables -A syn-flood -j DROP
/sbin/iptables -A INPUT -s 31.14.135.45 -j DROP
/sbin/iptables -A INPUT -s 5.249.159.251 -j DROP
/sbin/iptables -N ts3droper
/sbin/iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|545333494e|' -m limit --limit 250/s --limit-burst 250 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|545333494e|' -j ts3droper
/sbin/iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|ab41ce52ce69|' -m limit --limit 250 --limit-burst 250 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|ab41ce52ce69|' -j ts3droper
/sbin/iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|0df0aa8f61b9|' -m limit --limit 250 --limit-burst 250 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -m string --algo bm --hex-string '|0df0aa8f61b9|' -j ts3droper
/sbin/iptables -A ts3droper -m limit --limit 100/min -j LOG --log-prefix "TS3droper: " --log-level 4
/sbin/iptables -A ts3droper -j DROP
#Блокировка порта 30033 с задержкой
iptables -A INPUT -p tcp --dport 30033 -m limit --limit 2/sec --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 30033 -m limit --limit 2/sec --limit-burst 20 -j LOG --log-prefix "TCP-FLOOD:"
iptables -A INPUT -p tcp --dport 30033 -j DROP
#Закрываем доступ спамерам румынам, туркам
iptables -A INPUT -m iprange --src-range 176.33.184.0-176.33.191.255 -j DROP
iptables -A INPUT -m iprange --src-range 78.184.0.0-78.184.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 86.121.156.0-86.121.156.255 -j DROP
iptables -A INPUT -m iprange --src-range 213.233.92.0-213.233.92.255 -j DROP
iptables -A INPUT -m iprange --src-range 213.233.88.0-213.233.88.255 -j DROP
iptables -A INPUT -m iprange --src-range 87.117.231.0-87.117.231.255 -j DROP
iptables -A INPUT -m iprange --src-range 81.213.220.0-81.213.223.255 -j DROP
iptables -A INPUT -m iprange --src-range 78.96.228.0-78.96.231.255 -j DROP
iptables -A INPUT -m iprange --src-range 95.76.0.0-95.76.3.255 -j DROP
iptables -A INPUT -m iprange --src-range 78.176.0.0-78.176.255.255 -j DROP
#Белый список IP Адресов
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 92.63.203.00 -j ACCEPT
echo "Firewal: KOHELL YCIIEWHO"