Last active
August 7, 2024 08:39
-
-
Save NotYusta/d1e227f6dbd27323b8c475586fe6d43d to your computer and use it in GitHub Desktop.
Firewall Cloudflare & SSH
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| dnf update -y | |
| dnf install iptables ipset -y | |
| ipset create cloudflare-v4 hash:net family inet | |
| ipset add cloudflare-v4 173.245.48.0/20 | |
| ipset add cloudflare-v4 103.21.244.0/22 | |
| ipset add cloudflare-v4 103.22.200.0/22 | |
| ipset add cloudflare-v4 103.31.4.0/22 | |
| ipset add cloudflare-v4 141.101.64.0/18 | |
| ipset add cloudflare-v4 108.162.192.0/18 | |
| ipset add cloudflare-v4 190.93.240.0/20 | |
| ipset add cloudflare-v4 188.114.96.0/20 | |
| ipset add cloudflare-v4 197.234.240.0/22 | |
| ipset add cloudflare-v4 198.41.128.0/17 | |
| ipset add cloudflare-v4 162.158.0.0/15 | |
| ipset add cloudflare-v4 104.16.0.0/13 | |
| ipset add cloudflare-v4 104.24.0.0/14 | |
| ipset add cloudflare-v4 172.64.0.0/13 | |
| ipset add cloudflare-v4 131.0.72.0/22 | |
| iptables -F WEBSITE | |
| iptables -N WEBSITE | |
| iptables -A WEBSITE -m set --match-set cloudflare-v4 src -j ACCEPT | |
| iptables -A WEBSITE -j DROP | |
| iptables -D INPUT -p tcp --dport 443 -j WEBSITE | |
| iptables -D INPUT -p tcp --dport 8443 -j WEBSITE | |
| iptables -A INPUT -p tcp --dport 443 -j WEBSITE | |
| iptables -A INPUT -p tcp --dport 8443 -j WEBSITE | |
| ### SSH brute-force protection ### | |
| iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set | |
| iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP | |
| ### Protection against port scanning ### | |
| iptables -N port-scanning | |
| iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN | |
| iptables -A port-scanning -j DROP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment