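#!/usr/bin/env bash
#
# Host firewall for a WireGuard / proxy box that also tries to block BitTorrent.
#
# Default-deny on INPUT, FORWARD and OUTPUT; then allow loopback, SSH (any
# interface), HTTP/HTTPS and the proxy port range on the WAN interface,
# WireGuard on UDP 51820/51214/51294, forwarding for VPN clients over wg0,
# outbound SSH/HTTP/HTTPS/DNS from the host, and ICMP echo in both directions.
# Payload string matching REJECTs BitTorrent-looking traffic on INPUT and
# FORWARD (a narrower check on OUTPUT).  Everything else is logged (rate
# limited) and dropped.
#
# Must run as root.  IPv4 only: ip6tables is not touched, so if this host has
# a public IPv6 address none of this applies there and the equivalent rules
# need to be added with ip6tables.
#
# Caveats on the torrent rules: the signatures are plain substrings, so any
# packet whose payload contains "torrent", "announce" or "tracker" (web pages,
# proxy responses, DNS answers for such names) is rejected too, and encrypted
# BitTorrent (MSE/PE, HTTPS trackers) is not detected at all.  Treat this as a
# nuisance filter, not a control.  String matching also scans every packet
# reaching these chains, which costs CPU on a busy link.
set -euo pipefail

readonly WAN_IF=eth0
readonly VPN_IF=wg0
# UDP listeners for WireGuard (one per instance).
readonly WG_PORTS=(51820 51214 51294)
# Custom proxy listeners on the WAN side (multiport accepts a range).
readonly PROXY_PORTS=800:820
# --log-prefix is limited to 29 characters; the previous 38-character prefix
# made iptables reject the LOG rule, so nothing was ever logged.
readonly LOG_PREFIX='[torrentban] DROP: '
# 7 = debug, as before; a default rsyslog setup may not persist that level.
readonly LOG_LEVEL=7

# Payload substrings that mark BitTorrent traffic.  Matched case-insensitively,
# so "torrent" also covers "BitTorrent", "BitTorrent protocol" and ".torrent",
# and "announce" covers "announce.php?passkey=" and "announce_peer".  The
# original listed those longer forms separately; they could never match
# because the shorter substring had already rejected the packet.
readonly TORRENT_SIGS=(
  torrent
  'peer_id='
  info_hash
  announce
  tracker
  get_peers
  find_node
)

#######################################
# iptables wrapper.  -w waits for the xtables lock instead of failing when
# another tool (docker, fail2ban, ...) is holding it.
# Arguments: passed through to iptables
#######################################
ipt() {
  iptables -w "$@"
}

#######################################
# Create the TORRENT chain: REJECT any packet carrying one of TORRENT_SIGS.
# TCP gets a RST so the peer tears the connection down instead of
# retransmitting; anything else gets the default ICMP port-unreachable.
# Globals: TORRENT_SIGS (read)
#######################################
build_torrent_chain() {
  local sig
  ipt -N TORRENT
  for sig in "${TORRENT_SIGS[@]}"; do
    ipt -A TORRENT -p tcp -m string --icase --algo bm --string "$sig" \
      -j REJECT --reject-with tcp-reset
    ipt -A TORRENT -m string --icase --algo bm --string "$sig" -j REJECT
  done
}

#######################################
# Create the LOGGING chain: log at most 2 packets/min, then DROP.
# (The old chain had a REJECT after the DROP, which was unreachable.)
# Globals: LOG_PREFIX, LOG_LEVEL (read)
#######################################
build_logging_chain() {
  ipt -N LOGGING
  ipt -A LOGGING -m limit --limit 2/min -j LOG \
    --log-prefix "$LOG_PREFIX" --log-level "$LOG_LEVEL"
  ipt -A LOGGING -j DROP
}

main() {
  local port

  [[ $EUID -eq 0 ]] || { printf 'must run as root\n' >&2; exit 1; }
  command -v iptables >/dev/null || { printf 'iptables not found\n' >&2; exit 1; }

  # Only the filter table is flushed; nat/mangle rules (e.g. a MASQUERADE for
  # wg0 clients) are left alone.
  ipt -F
  ipt -X

  # Keep the session that runs this script alive BEFORE anything is
  # default-denied: loopback, and SSH in both directions on any interface.
  # (The old script had both an eth0-only and an any-interface SSH rule; the
  # any-interface one is the effective superset.)
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT DROP

  # RELATED covers ICMP errors (fragmentation-needed, port-unreachable) for
  # our own flows; without it path-MTU discovery breaks, which a VPN host
  # notices immediately.  ESTABLISHED data is deliberately NOT accepted here,
  # because the torrent signatures below have to see it.
  ipt -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
  ipt -A OUTPUT -m conntrack --ctstate RELATED -j ACCEPT

  build_torrent_chain
  build_logging_chain

  # Payload inspection of everything that reaches the host or is forwarded.
  ipt -A INPUT -j TORRENT
  ipt -A FORWARD -j TORRENT
  # The host's own traffic: only the protocol banner, so ordinary outbound
  # requests that merely mention "torrent" are not reset.  This now sits
  # after the loopback accept; previously it was inserted at the top of
  # OUTPUT and reset local-only connections as well.
  ipt -A OUTPUT -p tcp -m string --icase --algo bm --string BitTorrent \
    -j REJECT --reject-with tcp-reset
  ipt -A OUTPUT -p udp -m string --icase --algo bm --string BitTorrent \
    -j REJECT --reject-with icmp-port-unreachable

  # WireGuard: inbound handshakes/data and -- missing before, with OUTPUT
  # default-deny -- the replies the host sends back from the same ports.
  for port in "${WG_PORTS[@]}"; do
    ipt -A INPUT -p udp --dport "$port" -j ACCEPT
    ipt -A OUTPUT -p udp --sport "$port" -j ACCEPT
  done

  # VPN clients may be forwarded in either direction.  Routing still needs
  # net.ipv4.ip_forward=1 and, for a private VPN subnet, a nat-table
  # MASQUERADE rule; neither is set here.  "-o wg0" also admits unsolicited
  # WAN traffic to clients if the VPN subnet is routable -- restrict it to
  # --ctstate ESTABLISHED,RELATED if that is not wanted.
  ipt -A FORWARD -i "$VPN_IF" -j ACCEPT
  ipt -A FORWARD -o "$VPN_IF" -j ACCEPT

  # Inbound services on the WAN interface.
  # HTTP: new connections are limited per source address.  The old "DoS"
  # rule sat after the blanket accept for 22,80,443 and never matched; it
  # was also one global bucket, so one client could starve everyone.
  ipt -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m conntrack --ctstate NEW \
    -m hashlimit --hashlimit-name http-new --hashlimit-mode srcip \
    --hashlimit-upto 25/minute --hashlimit-burst 100 -j ACCEPT
  ipt -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  ipt -A INPUT -i "$WAN_IF" -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --sports 80,443 \
    -m conntrack --ctstate ESTABLISHED -j ACCEPT
  ipt -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$PROXY_PORTS" \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --sports "$PROXY_PORTS" \
    -m conntrack --ctstate ESTABLISHED -j ACCEPT

  # Outbound client traffic from the host: SSH, HTTP, HTTPS, DNS.
  ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 22,80,443 \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  ipt -A INPUT -i "$WAN_IF" -p tcp -m multiport --sports 22,80,443 \
    -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # DNS over UDP and TCP (truncated answers retry over TCP).  The inbound
  # rule is stateful now: the old unconditional "--sport 53 ACCEPT" let any
  # sender reach any UDP service on the host just by using source port 53.
  ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
  ipt -A INPUT -i "$WAN_IF" -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  ipt -A INPUT -i "$WAN_IF" -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

  # ICMP echo: replies to our own pings, and answering pings from outside.
  ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  ipt -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

  # Anything not accepted above: log (2/min) and drop.  Previously only INPUT
  # was logged; OUTPUT drops were invisible, which is where "why does NTP /
  # apt hang on this box" comes from.
  ipt -A INPUT -j LOGGING
  ipt -A FORWARD -j LOGGING
  ipt -A OUTPUT -j LOGGING
}

main "$@"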