Linux - Networking
Hi, this is my iptables. I want drop rules also at the end of the script, but I don't know why it doesn't work. I heard I need to write some code at the beginning of the script, but I cannot find that. Does someone know how to put this also at the end of the script, or know that code?
Code:
#!/bin/bash
i="/sbin/iptables"

# Flush all rules and delete user-defined chains in every table
$i -F
$i -X
$i -t nat -F
$i -t nat -X
$i -t mangle -F
$i -t mangle -X
$i -t raw -F
$i -t raw -X

# Catch-all DROP rules and DROP policies. Every later "-I" is inserted at the
# top of its chain, i.e. ABOVE these rules, so they are evaluated after it.
$i -t raw -I PREROUTING -j DROP
$i -P INPUT DROP
$i -P OUTPUT DROP
$i -P FORWARD DROP
$i -I INPUT -j DROP
$i -I OUTPUT -j DROP
$i -I FORWARD -j DROP
$i -I INPUT -j LOG --log-prefix "drop" --log-ip-options --log-tcp-options
$i -I FORWARD -j LOG --log-prefix "dropf" --log-ip-options --log-tcp-options

# Reserved / bogon source addresses, dropped before conntrack sees them
$i -t raw -I PREROUTING -s 224.0.0.0/3 -j DROP
$i -t raw -I PREROUTING -s 169.254.0.0/16 -j DROP
$i -t raw -I PREROUTING -s 172.16.0.0/12 -j DROP
$i -t raw -I PREROUTING -s 192.0.2.0/24 -j DROP
$i -t raw -I PREROUTING -s 0.0.0.0/8 -j DROP
$i -t raw -I PREROUTING -s 240.0.0.0/5 -j DROP
$i -t raw -I PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

# Packets conntrack cannot classify
$i -I INPUT -m conntrack --ctstate INVALID -j DROP
$i -I OUTPUT -m conntrack --ctstate INVALID -j DROP
$i -I FORWARD -m conntrack --ctstate INVALID -j DROP
$i -t raw -I PREROUTING -m conntrack --ctstate INVALID -j DROP

# Malformed / scan-style TCP flag combinations
$i -t raw -I PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL SYN,FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL FIN -j DROP
$i -t raw -I PREROUTING -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
$i -t raw -I PREROUTING -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$i -t raw -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
$i -t raw -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# ICMP and fragments. These use -A, so they are appended BELOW the catch-all
# "raw PREROUTING -j DROP" inserted earlier and are never reached.
$i -t raw -A PREROUTING -p icmp -j DROP
$i -t raw -A PREROUTING -f -j DROP

# Per-source TCP connection limit
$i -I INPUT -p tcp -m connlimit --connlimit-above 20 -j DROP

# Rate-limited RST chain; defined here but no rule jumps to it
$i -N port-scanning
$i -I port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j DROP
$i -I port-scanning -j DROP

# Allowed traffic. Inserted last, so these sit at the top of their chains.
$i -t raw -I PREROUTING -d 192.168.0.129 -j ACCEPT
$i -I INPUT -t filter -p tcp -m tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$i -I OUTPUT -t filter -p tcp -m tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$i -I INPUT -t filter -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$i -I OUTPUT -t filter -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$i -I INPUT -t filter -p udp -m udp --dport 9634 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$i -I OUTPUT -t filter -p udp -m udp --sport 9634 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$i -I INPUT -t filter -p tcp -m tcp --sport 43 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$i -I OUTPUT -t filter -p tcp -m tcp --dport 43 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# VPN tunnel: accept everything on tun*, forward/NAT between tunnel and LAN interfaces
$i -I INPUT -i tun+ -j ACCEPT
$i -I OUTPUT -o tun+ -j ACCEPT
$i -I FORWARD -i tun+ -o wlp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$i -I FORWARD -i wlp2s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
$i -I FORWARD -i tun+ -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$i -I FORWARD -i enp1s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
$i -t nat -I POSTROUTING -o wlp2s0 -j MASQUERADE
$i -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE

# Tor exit nodes: fetch the published list once, then insert one DROP per
# address into INPUT, raw PREROUTING and FORWARD (same result as three loops)
wget -O /home/end/bt/torexitnodes https://check.torproject.org/exit-addresses
grep ExitAddress /home/end/bt/torexitnodes | cut -d ' ' -f 2 | while read -r torexit
do
    $i -I INPUT -p tcp -s "$torexit" -j DROP
    $i -t raw -I PREROUTING -p tcp -s "$torexit" -j DROP
    $i -I FORWARD -p tcp -s "$torexit" -j DROP
done

# The rules asked about. With -I they are inserted at position 1 of each chain,
# ABOVE every ACCEPT rule; -A would append them at the end of the chain instead.
#$i -I INPUT -j DROP
#$i -I OUTPUT -j DROP
#$i -I FORWARD -j DROP
#$i -t raw -I PREROUTING -j DROP
It would be more meaningful and easier to read if you would post the output of iptables -L instead of the script itself. Using the -L option will show how the rules are actually applied in the kernel, as opposed to the visible order in the script.
Also, please explain what you mean by, "i whant drop rules also at end of script...". Putting rules at the end of the script is not really meaningful. Putting them at the end of a chain such as INPUT or OUTPUT may be meaningful, but only in the context of the other rules that come before them.
You are setting a policy of DROP so any packets that reach the end of those chains will be DROPPED already. So the real question is, what are you trying to accomplish?
It is always a good idea to try to write a simple specification of how you want your iptables rules to work, and include a simple flow chart or state diagram (as simple as pencil drawn arrows and circles) to indicate where you want groups of packets to end up. In this case, just draw out where the packets to be blocked come from, what path you want them to follow and where you want them to end, or be DROPPED, then write the rules to accomplish that.
Last edited by astrogeek; 03-01-2023 at 03:00 PM. Reason: typo
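To make the point about script order versus kernel order concrete, here is an added simulation (my code, not iptables itself and not from either poster): it replays -I and -A lines from a constructed excerpt of the posted script and returns the chain order that `iptables -L` would show. The names `simulate`, `input_chain` and `BASE` are mine, and only the handful of options the posted script uses are parsed.

```python
# Added simulation, NOT real iptables: replays -I/-A/-P/-N lines in script order
# and returns the chain order the kernel evaluates (what `iptables -L` shows).
# Only the options used by the posted script are understood (-t, -P, -N, -F, -X, -I, -A).
import shlex
from collections import defaultdict

def simulate(script):
    """Return (chains, policies); chains maps (table, chain) -> rules in kernel order."""
    chains = defaultdict(list)
    policies = {}
    for line in script.splitlines():
        line = line.split("#", 1)[0].strip()          # skip comments and blank lines
        if not line:
            continue
        args = shlex.split(line)[1:]                   # argv[0] is the iptables binary ($i)
        table = "filter"
        if "-t" in args:                               # -t may sit anywhere on the line
            k = args.index("-t")
            table, args = args[k + 1], args[:k] + args[k + 2:]
        op = args[0]
        if op in ("-F", "-X"):                         # flush/delete on an empty ruleset: no-op here
            continue
        key, rest = (table, args[1]), args[2:]
        if op == "-P":
            policies[key] = rest[0]
        elif op == "-N":
            _ = chains[key]                            # create an empty user chain
        elif op == "-I":                               # insert: default position 1 = top of chain
            pos = int(rest.pop(0)) if rest and rest[0].isdigit() else 1
            chains[key].insert(pos - 1, " ".join(rest))
        elif op == "-A":                               # append: always becomes the last rule
            chains[key].append(" ".join(rest))
    return chains, policies

# Constructed excerpt of the posted script (all rules use -I), to which the
# "drop at the end of the script" rule is added once with -I and once with -A.
BASE = """
$i -P INPUT DROP
$i -I INPUT -j LOG --log-prefix "drop"
$i -I INPUT -m conntrack --ctstate INVALID -j DROP
$i -I INPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$i -I INPUT -i tun+ -j ACCEPT
"""

def input_chain(final_rule):
    """Kernel-order INPUT rules after running BASE followed by final_rule."""
    chains, _ = simulate(BASE + final_rule + "\n")
    return chains[("filter", "INPUT")]
```

Calling `input_chain("$i -I INPUT -j DROP")` puts the DROP at position 1, ahead of every ACCEPT, while `input_chain("$i -A INPUT -j DROP")` leaves it last, just before the DROP policy that already catches the same packets.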