r4sas
/
ts3init_linux_netfilter_module
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
A Linux netfilter module to aid in (d)dos protection
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
84 Commits
1 Branch
0 Tags
165 KiB
 
 
 
 
Tree: d5cca28c30
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd5cca28c30'
${ noResults }
ts3init_linux_netfilter_module/examples/simple/create-fw.sh

70 lines
2.3 KiB
Raw Blame History

#!/bin/bash
sudo modprobe xt_ts3init
if [ "$1" == "4" ]
then
IPTABLES=iptables
IPFAMILY=inet
FRAGMENT_FLAG="! -f "
elif [ "$1" == "6" ]
then
IPTABLES=ip6tables
IPFAMILY=inet6
FRAGMENT_FLAG=""
else
echo "specify either 4 or 6 as a parameter for ipv4 or ipv6";
exit -1
fi
#create an autorized ts3 client ip set.
#perhaps create the set with more than the default 1024 entries
sudo ipset create ts3_authorized${1} hash:ip family ${IPFAMILY} timeout 30 || { echo "ipset not installed or there is a problem with it"; exit -1; }
#create new chain that handles ts3
sudo ${IPTABLES} -N TS3_UDP_TRAFFIC
sudo ${IPTABLES} -N TS3_TCP_TRAFFIC
sudo ${IPTABLES} -N TS3_ACCEPT_NEW
sudo ${IPTABLES} -N TS3_UPDATE_AUTHORIZED
RANDOM_FILE_NAME=random.data
if [ ! -f "${RANDOM_FILE_NAME}" ]
then
xxd -l 60 -c 60 -p /dev/urandom > "${RANDOM_FILE_NAME}" || { echo "could not use xxd to create random data"; exit -1; }
fi
RANDOM_FILE=`pwd`/${RANDOM_FILE_NAME}
#disable connection tracking for ts3 server
sudo ${IPTABLES} -t raw -A PREROUTING -p udp --dport 9987 -j CT --notrack
#move ts3 traffic to TS3_TRAFFIC chain (do not allow fragments)
sudo ${IPTABLES} -A INPUT -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC
#move filetransfer to TCP chain
sudo ${IPTABLES} -A INPUT -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
#Allow authorized clients on UDP
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -m set --match-set ts3_authorized${1} src -j TS3_UPDATE_AUTHORIZED
#Allow 3.0.19 and up clients
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_cookie --min-client 1459504131 -j TS3INIT_SET_COOKIE --random-seed-file ${RANDOM_FILE}
#add new connection if cookie is valid
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_puzzle --check-cookie --random-seed-file ${RANDOM_FILE} -j TS3_ACCEPT_NEW
#drop the rest
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -j DROP
#add new connection to authorized src
sudo ${IPTABLES} -A TS3_ACCEPT_NEW -j SET --add-set ts3_authorized${1} src
sudo ${IPTABLES} -A TS3_ACCEPT_NEW -p udp -j TS3INIT_GET_COOKIE
#Allow authorized clients on TCP
sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -m set --match-set ts3_authorized${1} src -j ACCEPT
sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -j DROP
#update timeout in set and allow traffic
sudo ${IPTABLES} -A TS3_UPDATE_AUTHORIZED -j SET --add-set ts3_authorized${1} src --exist
sudo ${IPTABLES} -A TS3_UPDATE_AUTHORIZED -j ACCEPT