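#!/bin/bash
# Host firewall bootstrap (IPv4 only).
#
# 1. Hardens kernel network sysctls (SYN cookies, strict rp_filter, no ICMP
#    redirects or source routing, martian logging).
# 2. Replaces the iptables *filter* table with a default-deny INPUT policy
#    that admits only the listed TCP services on the external interface INIF.
#
# Must run as root. Nothing here persists across reboot; rerun it from an
# init hook, or convert the rule list to iptables-restore input if an atomic
# reload is wanted.
# Globals written: IPTS (iptables binary), INIF (external interface), PATH.
#
# NOTE(review): ip6tables is not touched. If the host has a routable IPv6
# address, the same services are reachable over IPv6 unfiltered — confirm.
set -eu
# PATH is fixed before anything runs (the original exported it midway through).
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH

IPTS=/usr/sbin/iptables
INIF="eno16780032"
export IPTS INIF

#######################################
# Write one value into a /proc/sys file.
# Best effort, like the original echo: a read-only /proc (e.g. inside a
# container) must not abort the firewall load, but the operator is warned.
# Arguments: $1 - sysctl file path, $2 - value
# Outputs:   warning on stderr if the write fails
#######################################
set_sysctl() {
  local file=$1 value=$2
  if ! printf '%s\n' "$value" > "$file" 2>/dev/null; then
    printf 'warn: cannot write %s to %s\n' "$value" "$file" >&2
  fi
}

#######################################
# Apply one value to the per-interface sysctl $1 under conf/*/.
# Arguments: $1 - sysctl leaf name (e.g. rp_filter), $2 - value
#######################################
set_all_if_sysctl() {
  local name=$1 value=$2 f
  for f in /proc/sys/net/ipv4/conf/*/"$name"; do
    set_sysctl "$f" "$value"
  done
}

#######################################
# Drop all TCP arriving on INIF from a source prefix.
# Arguments: $1 - CIDR prefix
#######################################
deny_tcp_from() { "$IPTS" -A INPUT -p tcp -i "$INIF" -s "$1" -j DROP; }

#######################################
# Admit TCP connections to one port on INIF.
# Arguments: $1 - TCP port number
#######################################
allow_tcp_port() { "$IPTS" -A INPUT -p tcp -i "$INIF" --dport "$1" -j ACCEPT; }

# --- core network hardening ---
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
set_all_if_sysctl rp_filter 1            # strict reverse-path check
set_all_if_sysctl log_martians 1         # log packets with impossible sources
set_all_if_sysctl accept_source_route 0
set_all_if_sysctl accept_redirects 0
set_all_if_sysctl send_redirects 0

# --- reset the filter table ---
# Only the filter table is flushed; nat/mangle/raw are left untouched.
# The policy is set to DROP before any rule exists (fail closed). The very
# next rule re-admits ESTABLISHED traffic, so an operator's current SSH
# session survives even if a later step aborts under set -e.
"$IPTS" -F
"$IPTS" -X
"$IPTS" -Z
"$IPTS" -P INPUT DROP
"$IPTS" -P OUTPUT ACCEPT
"$IPTS" -P FORWARD ACCEPT
"$IPTS" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- loopback ---
# Accepted before the ICMP drop so local ping/health checks over lo keep
# working (the original placed the ICMP drop first, which also dropped ICMP
# on lo).
"$IPTS" -A INPUT -i lo -j ACCEPT
"$IPTS" -A OUTPUT -o lo -j ACCEPT

# --- ICMP ---
# Drops all unsolicited ICMP, echo requests included. ICMP errors that belong
# to a tracked connection (e.g. fragmentation-needed for PMTU discovery) still
# match the RELATED rule above.
"$IPTS" -A INPUT -p icmp -j DROP

# --- SYN flood rate limit ---
# New SYNs on INIF go through the syn-flood chain; anything above the
# token-bucket rate is dropped. Rate and burst are the author's tuning.
"$IPTS" -N syn-flood
"$IPTS" -A INPUT -i "$INIF" -p tcp --syn -j syn-flood
"$IPTS" -A syn-flood -p tcp -m limit --limit 9000/s --limit-burst 120 -j RETURN
"$IPTS" -A syn-flood -j DROP

# Make sure that new TCP connections are SYN packets.
"$IPTS" -A INPUT -i "$INIF" -p tcp ! --syn -m state --state NEW -j DROP

# --- source-address blocklist (TCP only) ---
deny_tcp_from 112.24.28.0/24
deny_tcp_from 50.115.170.0/24
deny_tcp_from 104.160.171.0/24

# --- services admitted on INIF ---
allow_tcp_port 22     # SSH
allow_tcp_port 80     # WWW
allow_tcp_port 443    # https
allow_tcp_port 3399   # api
allow_tcp_port 3333   # TODO(review): original comment said "https" (copied from 443); confirm the service
allow_tcp_port 3355   # TODO(review): original comment said "WWW" (copied from 80); confirm the service
allow_tcp_port 10050  # zabbix-agent

# --- explicit final drops ---
# Redundant with the INPUT DROP policy but give per-protocol counters. Neither
# rule logs, so rejected connection attempts leave no trace in the kernel log;
# insert a rate-limited -j LOG rule before them if that visibility is wanted.
"$IPTS" -A INPUT -p tcp -j DROP
"$IPTS" -A INPUT -p udp -j DROP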