LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 03-01-2023, 02:36 PM   #1
end
Member
 
Registered: Aug 2016
Posts: 266

iptables drop at end of script


Hi, this is my iptables script. I want to have drop rules also at the end of the script, but I don't know why it doesn't work. I heard I need to write some code at the beginning of the script, but I can't find it. Does someone know how to put this also at the end of the script, or know that code?

Code:
#!/bin/bash
# Every rule below is added with -I (insert at position 1), so each later rule lands
# ABOVE the ones issued before it: the unconditional DROPs issued first end up at the
# bottom of their chains and the ACCEPTs issued last end up at the top.
# This script configures IPv4 only; ip6tables is not touched.

i="/sbin/iptables"

# Flush all rules and delete user-defined chains in every table
$i -F
$i -X
$i -t nat -F
$i -t nat -X
$i -t mangle -F
$i -t mangle -X
$i -t raw -F
$i -t raw -X

# Catch-all DROP for raw PREROUTING; issued first, so it stays at the bottom
$i -t raw -I PREROUTING -j DROP

# Default policies: anything falling off the end of a filter chain is dropped
$i -P INPUT   DROP
$i -P OUTPUT  DROP
$i -P FORWARD DROP

# Explicit catch-all DROPs; issued first, so they stay at the bottom of each chain
$i -I INPUT   -j DROP
$i -I OUTPUT  -j DROP
$i -I FORWARD -j DROP

# Log what reaches the catch-all DROP (inserted after it, so it sits directly above it)
$i -I INPUT   -j LOG --log-prefix "drop"  --log-ip-options --log-tcp-options
$i -I FORWARD -j LOG --log-prefix "dropf" --log-ip-options --log-tcp-options

# Reserved, multicast and otherwise bogus source addresses
$i -t raw -I PREROUTING -s 224.0.0.0/3 -j DROP
$i -t raw -I PREROUTING -s 169.254.0.0/16 -j DROP
$i -t raw -I PREROUTING -s 172.16.0.0/12 -j DROP
$i -t raw -I PREROUTING -s 192.0.2.0/24 -j DROP
$i -t raw -I PREROUTING -s 0.0.0.0/8 -j DROP
$i -t raw -I PREROUTING -s 240.0.0.0/5 -j DROP
$i -t raw -I PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

# Connection-tracking checks belong in the filter table: the raw table is traversed
# before connection tracking runs, so --ctstate has nothing to match on there.
# (The original raw-table --ctstate rules were moved into the filter chains here.)
$i -I INPUT   -m conntrack --ctstate INVALID -j DROP
$i -I OUTPUT  -m conntrack --ctstate INVALID -j DROP
$i -I FORWARD -m conntrack --ctstate INVALID -j DROP
# New TCP connections must start with a SYN
$i -I INPUT   -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
$i -I FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Malformed and scan-style TCP flag combinations
$i -t raw -I PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL SYN,FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Drop all ICMP and all fragments. Inserted with -I: with -A they would be appended
# below the catch-all DROP at the bottom of raw PREROUTING and never be reached.
# Note that dropping every ICMP type also blocks path-MTU discovery and ping replies.
$i -t raw -I PREROUTING -p icmp -j DROP
$i -t raw -I PREROUTING -f -j DROP

# Limit concurrent TCP connections per source address
$i -I INPUT -p tcp -m connlimit --connlimit-above 20 -j DROP

# Rate-limit chain for RST floods. Note: nothing jumps to this chain yet, and the
# second -I puts the unconditional DROP above the limit rule, so as written the
# chain would drop everything sent to it.
$i -N port-scanning
$i -I port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j DROP
$i -I port-scanning -j DROP

# Let traffic to this host through the raw table. Inserted after the raw-table drops
# above, so it sits above them in the chain and exempts this destination from them.
# ACCEPT here only ends raw-table traversal; the packet still goes through filter.
$i -t raw -I PREROUTING -d 192.168.0.129 -j ACCEPT

# Allowed client traffic: HTTP/HTTPS and DNS (filter is the default table)
$i -I INPUT  -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$i -I OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$i -I INPUT  -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$i -I OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Inbound UDP service on port 9634
$i -I INPUT  -p udp --dport 9634 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$i -I OUTPUT -p udp --sport 9634 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Outbound whois (tcp/43)
$i -I INPUT  -p tcp --sport 43 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$i -I OUTPUT -p tcp --dport 43 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# VPN tunnel interfaces
$i -I INPUT  -i tun+ -j ACCEPT
$i -I OUTPUT -o tun+ -j ACCEPT

# Forwarding between the tunnel and the WLAN/LAN interfaces
# (-m conntrack replaces the deprecated -m state; same behaviour)
$i -I FORWARD -i tun+ -o wlp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$i -I FORWARD -i wlp2s0 -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$i -I FORWARD -i tun+ -o enp1s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$i -I FORWARD -i enp1s0 -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

$i -t nat -I POSTROUTING -o wlp2s0 -j MASQUERADE
$i -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE

# Block Tor exit nodes (one loop instead of three; the inserted rules sit above the
# ACCEPTs). Report a failed download instead of silently applying nothing.
TORLIST=/home/end/bt/torexitnodes
if wget -q -O "$TORLIST" https://check.torproject.org/exit-addresses; then
  for torexit in $(awk '/ExitAddress/ {print $2}' "$TORLIST"); do
    $i -I INPUT   -p tcp -s "$torexit" -j DROP
    $i -I FORWARD -p tcp -s "$torexit" -j DROP
    $i -t raw -I PREROUTING -p tcp -s "$torexit" -j DROP
  done
else
  echo "warning: download of the Tor exit list failed; no Tor rules added" >&2
fi

# These commented-out lines were the "drop at the end of the script" attempt. With -I
# they would be inserted at position 1, above every ACCEPT, and block all traffic.
# The end-of-chain drop already exists: the DROP policies plus the -I ... -j DROP rules
# issued at the top of this script, which now sit at the bottom of their chains.
# To append a rule at the end of a chain explicitly, use -A instead of -I.
#$i -I INPUT -j DROP
#$i -I OUTPUT -j DROP
#$i -I FORWARD -j DROP
#$i -t raw -I PREROUTING -j DROP
 
Old 03-01-2023, 02:57 PM   #2
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
It would be more meaningful and easier to read if you would post the output of iptables -L instead of the script itself. Using the -L option will show how the rules are actually applied in the kernel, as opposed to the visible order in the script.

Also, please explain what you mean by, "i whant drop rules also at end of script...". Putting rules at the end of the script is not really meaningful. Putting them at the end of a chain such as INPUT or OUTPUT may be meaningful, but only in the context of the other rules that come before them.

You are setting a policy of DROP so any packets that reach the end of those chains will be DROPPED already. So the real question is, what are you trying to accomplish?

It is always a good idea to try to write a simple specification of how you want your iptables rules to work, and include a simple flow chart or state diagram (as simple as pencil drawn arrows and circles) to indicate where you want groups of packets to end up. In this case, just draw out where the packets to be blocked come from, what path you want them to follow and where you want them to end, or be DROPPED, then write the rules to accomplish that.

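The moderator's point about the actual order versus the visible order in the script, as an added example that is not part of the thread: a small Python model of filter-table chain ordering, where `-I` inserts at position 1 and `-A` appends at the tail, replayed over a constructed excerpt shaped like the posted script (the excerpt, the packet dictionaries and all function names are this example's own). It shows why the script's own `-I ... -j DROP` issued first ends up at the bottom, while the same line added at the end of the script lands on top and blocks everything.

```python
import shlex

def parse_rule(argv):
    """Reduce a rule's arguments to a predicate over packet fields plus its target."""
    wanted, target = {}, None
    for opt, val in zip(argv, argv[1:] + [None]):
        if opt == "-j":
            target = val
        elif opt in ("-p", "-i", "-s", "--sport", "--dport", "--ctstate"):
            wanted[opt] = val.split(",")               # --ctstate NEW,ESTABLISHED
    return (lambda pkt: all(pkt.get(k) in v for k, v in wanted.items())), target

def load(script):
    """Replay iptables command lines (-P, -I, -A; filter table) into per-chain rule lists."""
    chains = {}
    for line in script.strip().splitlines():
        op, chain, *rest = shlex.split(line)[1:]       # drop the 'iptables' word
        c = chains.setdefault(chain, {"policy": "ACCEPT", "rules": []})
        if op == "-P":
            c["policy"] = rest[0]
        elif op == "-I":
            c["rules"].insert(0, parse_rule(rest))      # position 1: above everything
        elif op == "-A":
            c["rules"].append(parse_rule(rest))         # after every existing rule
    return chains

def listing(chains, chain):
    # Targets in kernel order, as `iptables -S` or `iptables -L` would show them
    return [target for _, target in chains[chain]["rules"]]

def verdict(chains, chain, pkt):
    """First terminating match wins; LOG is non-terminating; otherwise the policy."""
    for match, target in chains[chain]["rules"]:
        if target != "LOG" and match(pkt):
            return target
    return chains[chain]["policy"]

# Constructed excerpt in the shape of the posted script: the DROP is issued first and
# every later rule is inserted above it, so the DROP ends up at the bottom.
SCRIPT = """
iptables -P INPUT DROP
iptables -I INPUT -j DROP
iptables -I INPUT -j LOG --log-prefix drop
iptables -I INPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
"""
HTTPS_REPLY = {"-p": "tcp", "--sport": "443", "--ctstate": "ESTABLISHED"}

def demo():
    """HTTPS reply verdict: as posted, then with a trailing -I DROP, then with -A DROP."""
    variants = (SCRIPT, SCRIPT + "iptables -I INPUT -j DROP\n", SCRIPT + "iptables -A INPUT -j DROP\n")
    return tuple(verdict(load(s), "INPUT", HTTPS_REPLY) for s in variants)
```

`listing(load(SCRIPT), "INPUT")` gives `['ACCEPT', 'LOG', 'DROP']` and `demo()` gives `('ACCEPT', 'DROP', 'ACCEPT')`: the trailing `-I` blocks the reply, the trailing `-A` changes nothing because the chain already ends in DROP.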