#!/bin/bash
# Burak Koray KOSE
# Gebze Institute of Technology Grad Project
# DDoS prevention script with iptables/ip6tables
# version 1.4
# new rules added
# New chain rules added
#
# Firewall rules. Usage: ddospreventation.sh {start|stop|off}
# The IPv6 rules read PUBIF, which must name the public network interface.
######################################################################
function on {
echo "Firewall: ESTABLISHED"
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
#loop back e izin veme
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# içerden dos u engelle
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Allow full outgoing connection but no incomming stuff
ip6tables -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# allow incoming ICMP ping pong stuff
ip6tables -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
# log everything else
ip6tables -A INPUT -i $PUBIF -j LOG
ip6tables -A INPUT -i $PUBIF -j DROP
#kuralları sile
iptables -t nat -F
iptables -t mangle -F
#kuralları sil
iptables -X
iptables -t nat -X
iptables -t mangle -X
#synflood
#Checking connetions limiting and dropping
#we can change the limit
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 2 -j LOG
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
#Allowing normal requests
# Allow incoming DNS requests.
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
# Allow incoming HTTP requests.
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# Allow incoming HTTPS requests.
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# Allow incoming POP3 requests.
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
# Allow incoming IMAP4 requests.
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
# Allow incoming POP3S requests.
iptables -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
# Allow incoming SMTP requests.
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
# Allow incoming SSH requests.
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# Allow incoming FTP requests.
iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
#synflood preventation test
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
iptables -A SYN_FLOOD -j DROP
# Make It Even Harder To Multi-PING
#can change limits
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
}
######################################################################
#######################################
# Disable filtering: flush the IPv6 and IPv4 rules and set every built-in
# chain policy to ACCEPT, so all traffic passes.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout; iptables/ip6tables errors on stderr
# Returns:   exit status of the last iptables command
#######################################
off() {
  local chain table
  printf 'Firewall: disabling filtering (allowing all access)\n'
  # IPv6: flush filter and mangle, then open the policies
  ip6tables -F
  ip6tables -F -t mangle
  for chain in INPUT OUTPUT FORWARD; do
    ip6tables -P "$chain" ACCEPT
  done
  # IPv4: flush and delete user chains in filter, nat and mangle, then open the policies
  iptables -F
  iptables -X
  for table in nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
}
######################################################################
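#######################################
# Emergency stop: drop every external connection on IPv6 and IPv4, leaving
# only the loopback interface usable. No ESTABLISHED rule is kept, so this
# also cuts the remote session that invoked it; use "off" to reopen the host.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout; iptables/ip6tables errors on stderr
# Returns:   exit status of the last rule that was loaded
#######################################
stop() {
  local chain
  printf 'Firewall: stopping all external connections\n'
  # IPv6. A built-in chain policy can only be ACCEPT or DROP: REJECT is a
  # target extension and "ip6tables -P ... REJECT" is refused.
  ip6tables -F INPUT
  ip6tables -F OUTPUT
  for chain in INPUT FORWARD OUTPUT; do
    ip6tables -P "$chain" DROP
  done
  # allow anything over loopback
  ip6tables -A INPUT -i lo -s ::1/128 -j ACCEPT
  ip6tables -A OUTPUT -o lo -d ::1/128 -j ACCEPT
  # IPv4 gets the same lockdown so the function matches the message it prints.
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" DROP
  done
  # allow anything over loopback
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
}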
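# Entry point: dispatch on the first argument.
#   start -> on   (install the rules)
#   stop  -> stop (drop all external traffic, loopback only)
#   off   -> off  (flush everything, allow all)
# A missing or unknown option prints the option list to stderr and exits 2.
case "${1:-}" in
  start)
    on
    ;;
  stop)
    stop
    ;;
  off)
    off
    ;;
  *)
    printf 'options: {start|stop|off}\n' >&2
    exit 2
    ;;
esac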