├── .github
│   └── FUNDING.yml
├── .gitignore
├── LICENSE
├── README.md
├── _config.yml
├── anti-ddos.sh
└── upload
    └── img
        ├── anti-ddos.png
        └── bash-ico.png

--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
patreon: ismailtasdelen
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
*.egg-info/
.installed.cfg
*.egg

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
.hypothesis/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# IPython Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# dotenv
.env

# virtualenv
venv/
ENV/

# Spyder project settings
.spyderproject

# Rope project settings
.ropeproject

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2016 İSMAİL TAŞDELEN

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## Anti DDOS | BASH SCRIPT

![anti-ddos](https://user-images.githubusercontent.com/15425071/34910181-caa9f41c-f8c0-11e7-9ec5-6d43adfeb4bd.png) ![bash-language](https://user-images.githubusercontent.com/15425071/34910256-37569a6a-f8c2-11e7-81d8-42dec07d4ef8.png)

### Programming Languages :

* BASH

### System :

* Linux
* [Windows (via MSYS2)](#windows-installation)

### Explanation :

Anti-DDOS is an open source bash script that helps protect a Linux host against DoS and DDoS attacks. It hardens the kernel's network settings through `/proc/sys/net/ipv4` (reverse-path filtering, SYN cookies, ICMP redirect and source-route handling) and installs a default-deny iptables ruleset with rate limits for ICMP and TCP SYN packets. Because it relies on the Linux netfilter stack, it only takes effect on a Linux kernel (the [Windows Installation](#windows-installation) section covers cloning and launching it from an MSYS2 shell). It does not provide 100% security; it only helps you take the necessary measures, and its ACCEPT rules should be reviewed and the result tested before it is used on a production host.

### How to use ?

There is no separate config file: edit the variables at the top of `anti-ddos.sh` (the `IPTABLES`, `IP6TABLES` and `MODPROBE` paths and `SSHPORT`) to match your system, comment out the inbound `ACCEPT` rules for services this host does not run, and execute the script as root.

#### Windows Installation

This requires MSYS2 (`winget install msys2`). Note that the script writes to `/proc/sys/net/ipv4` and calls `/sbin/iptables`, neither of which exists under MSYS2, so these steps only clone and launch the script; the rules take effect only on a Linux kernel.

```batch
msys2
```
```sh
git clone https://github.com/anti-ddos/Anti-DDOS
cd Anti-DDOS
bash ./anti-ddos.sh
```

### RUN
```
root@ismailtasdelen:~# bash ./anti-ddos.sh
```

### Cloning an Existing Repository ( Clone with HTTPS )
```
root@ismailtasdelen:~# git clone https://github.com/ismailtasdelen/Anti-DDOS.git
```

### Cloning an Existing Repository ( Clone with SSH )
```
root@ismailtasdelen:~# git clone git@github.com:ismailtasdelen/Anti-DDOS.git
```

### About DOS and DDOS :

##### Denial of Service : https://www.owasp.org/index.php/Denial_of_Service

##### Denial of Service Cheat Sheet : https://www.owasp.org/index.php/Denial_of_Service_Cheat_Sheet

##### Application Denial of Service : https://www.owasp.org/index.php/Application_Denial_of_Service

##### Testing for Denial of Service : https://www.owasp.org/index.php/Testing_for_Denial_of_Service

##### DRAFT Denial of Service Cheat Sheet : https://www.owasp.org/index.php/DRAFT_Denial_of_Service_Cheat_Sheet

##### Regular expression Denial of Service - ReDoS : https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

### Published Website :

##### KitPloit - https://www.kitploit.com/2017/10/anti-ddos-anti-ddos-bash-script.html

##### CISOfy - https://linuxsecurity.expert/tools/anti-ddos/

### Contact :

##### Mail : ismailtasdelen@protonmail.com

##### Linkedin : https://www.linkedin.com/in/ismailtasdelen

##### GitHub : https://github.com/ismailtasdelen

##### Telegram : https://t.me/ismailtasdelen

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-hacker
--------------------------------------------------------------------------------
/anti-ddos.sh:
--------------------------------------------------------------------------------
#!/bin/sh

#########################################################
# ANTI-DDOS BASH SCRIPT                                 #
#########################################################
# CONTACT                                               #
#########################################################
# DEVELOPER : İSMAİL TAŞDELEN                           #
# MAIL : ismailtasdelen@protonmail.com                  #
# Linkedin : https://www.linkedin.com/in/ismailtasdelen #
# Telegram : https://t.me/ismailtasdelen                #
#########################################################

# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"
SSHPORT="22"

# Logging options.
#------------------------------------------------------------------------------
# LOG and RLIMIT are expanded unquoted in the rules below on purpose, so that
# the shell splits them into separate iptables arguments. Quoting them would
# pass the whole string as one argument and iptables would reject the rule.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting
#------------------------------------------------------------------------------
# The limit match keeps one token bucket per rule, shared by all sources.
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Unprivileged ports.
#------------------------------------------------------------------------------
PHIGH="1024:65535"
PSSH="1000:1023"

# Load required kernel modules
#------------------------------------------------------------------------------
# Connection-tracking helpers for FTP and IRC. Current kernels name these
# nf_conntrack_ftp / nf_conntrack_irc and keep the old ip_conntrack_* names
# as aliases. Since Linux 4.7 helpers are no longer assigned to connections
# automatically (net.netfilter.nf_conntrack_helper defaults to 0), so merely
# loading the module does not make passive FTP work; a CT helper rule in the
# raw table is needed for that.
"$MODPROBE" nf_conntrack_ftp 2>/dev/null || "$MODPROBE" ip_conntrack_ftp
"$MODPROBE" nf_conntrack_irc 2>/dev/null || "$MODPROBE" ip_conntrack_irc

# Mitigate ARP spoofing/poisoning and similar attacks.
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here
# $ARP -s IP-ADDRESS MAC-ADDRESS

# Kernel configuration.
#------------------------------------------------------------------------------

# Disable IP forwarding. This host is not a router.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection (reverse-path filtering)
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$i"; done

# Protect against SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Do not ignore ICMP echo requests at the kernel level; incoming ping is
# rate-limited by the iptables rules below instead.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests to broadcast addresses (smurf amplification)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > "$i"; done

# Don't log bogus ICMP error responses to broadcast frames
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$i"; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$i"; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > "$i"; done

# Disable multicast routing
# (mc_forwarding is read-only on Linux; the write fails harmlessly unless a
# multicast routing daemon has turned it on.)
for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > "$i" 2>/dev/null; done

# Disable proxy_arp.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > "$i"; done

# Enable secure redirects, i.e. only accept ICMP redirects from gateways in
# the default gateway list. Helps against MITM attacks. Moot while
# accept_redirects is 0 above, kept as defence in depth.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > "$i"; done

# Disable bootp_relay
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > "$i"; done

# Default policies.
#------------------------------------------------------------------------------
# The policies are set to DROP before the chains are flushed, so between this
# point and the ESTABLISHED,RELATED rule further down every packet is dropped.
# Existing TCP sessions survive through retransmission, but if you apply this
# over SSH keep a console or other out-of-band access at hand.

# Drop everything by default.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT DROP

# Set the nat/mangle tables' chains to ACCEPT
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT

"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P INPUT ACCEPT
"$IPTABLES" -t mangle -P FORWARD ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT
"$IPTABLES" -t mangle -P POSTROUTING ACCEPT

# Cleanup.
#------------------------------------------------------------------------------

# Flush all rules
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F

# Delete all user-defined chains
"$IPTABLES" -X
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -X

# Zero all packet and byte counters.
"$IPTABLES" -Z
"$IPTABLES" -t nat -Z
"$IPTABLES" -t mangle -Z

# Completely disable IPv6.
#------------------------------------------------------------------------------
# This drops ALL IPv6 traffic, including link-local neighbour discovery, so
# the host loses IPv6 connectivity entirely. If the host must be reachable
# over IPv6, replace this block with an ip6tables ruleset that mirrors the
# IPv4 one (loopback, conntrack, ICMPv6, then per-port ACCEPTs).

# Block all IPv6 traffic
# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x "$IP6TABLES"; then
    # Set the default policies
    # drop everything
    "$IP6TABLES" -P INPUT DROP 2>/dev/null
    "$IP6TABLES" -P FORWARD DROP 2>/dev/null
    "$IP6TABLES" -P OUTPUT DROP 2>/dev/null

    # The mangle table can pass everything
    "$IP6TABLES" -t mangle -P PREROUTING ACCEPT 2>/dev/null
    "$IP6TABLES" -t mangle -P INPUT ACCEPT 2>/dev/null
    "$IP6TABLES" -t mangle -P FORWARD ACCEPT 2>/dev/null
    "$IP6TABLES" -t mangle -P OUTPUT ACCEPT 2>/dev/null
    "$IP6TABLES" -t mangle -P POSTROUTING ACCEPT 2>/dev/null

    # Delete all rules.
    "$IP6TABLES" -F 2>/dev/null
    "$IP6TABLES" -t mangle -F 2>/dev/null

    # Delete all chains.
    "$IP6TABLES" -X 2>/dev/null
    "$IP6TABLES" -t mangle -X 2>/dev/null

    # Zero all packets and counters.
    "$IP6TABLES" -Z 2>/dev/null
    "$IP6TABLES" -t mangle -Z 2>/dev/null
fi

# Custom user-defined chains.
#------------------------------------------------------------------------------
# $LOG and $RLIMIT are intentionally unquoted here (see "Logging options").

# LOG packets, then ACCEPT.
"$IPTABLES" -N ACCEPTLOG
"$IPTABLES" -A ACCEPTLOG $RLIMIT -j $LOG --log-prefix "ACCEPT "
"$IPTABLES" -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP.
"$IPTABLES" -N DROPLOG
"$IPTABLES" -A DROPLOG $RLIMIT -j $LOG --log-prefix "DROP "
"$IPTABLES" -A DROPLOG -j DROP

# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
"$IPTABLES" -N REJECTLOG
"$IPTABLES" -A REJECTLOG $RLIMIT -j $LOG --log-prefix "REJECT "
"$IPTABLES" -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
"$IPTABLES" -A REJECTLOG -j REJECT

# Only allows RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# fragmentation-needed is destination-unreachable code 4, so the first rule
# already accepts it and path MTU discovery keeps working.
# TODO: Rate-limit this traffic?
# TODO: Test.
"$IPTABLES" -N RELATED_ICMP
"$IPTABLES" -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
"$IPTABLES" -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
"$IPTABLES" -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
"$IPTABLES" -A RELATED_ICMP -j DROPLOG

# Make it even harder to multi-ping: echo requests above 1/s (burst 2) are
# logged (rate-limited) and dropped. Only echo requests are matched here;
# a blanket "-p icmp -j DROP" at this point would shadow every ICMP rule in
# the section below (replies to our own pings, RELATED errors, fragment
# handling), so the remaining ICMP types are left to that section.
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix "PING-DROP: "
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j DROP

# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#------------------------------------------------------------------------------

# TODO: This section needs a lot of testing!

# First, drop all fragmented ICMP packets (almost always malicious).
"$IPTABLES" -A INPUT -p icmp --fragment -j DROPLOG
"$IPTABLES" -A OUTPUT -p icmp --fragment -j DROPLOG
"$IPTABLES" -A FORWARD -p icmp --fragment -j DROPLOG

# Allow all ESTABLISHED ICMP traffic (e.g. echo replies to our own pings),
# rate-limited.
"$IPTABLES" -A INPUT -p icmp -m state --state ESTABLISHED $RLIMIT -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp -m state --state ESTABLISHED $RLIMIT -j ACCEPT

# Allow some parts of the RELATED ICMP traffic (errors about our own
# connections), block the rest. Packets over the limit fall through to the
# final DROPLOG rules below.
"$IPTABLES" -A INPUT -p icmp -m state --state RELATED $RLIMIT -j RELATED_ICMP
"$IPTABLES" -A OUTPUT -p icmp -m state --state RELATED $RLIMIT -j RELATED_ICMP

# Allow incoming ICMP echo requests (ping), but only rate-limited.
# Echo requests are normally already accepted or dropped by the stricter
# ping limit in the "Custom user-defined chains" section above; this rule
# only matters if that block is removed.
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request $RLIMIT -j ACCEPT

# Allow outgoing ICMP echo requests (ping), but only rate-limited.
"$IPTABLES" -A OUTPUT -p icmp --icmp-type echo-request $RLIMIT -j ACCEPT

# Drop any other ICMP traffic.
"$IPTABLES" -A INPUT -p icmp -j DROPLOG
"$IPTABLES" -A OUTPUT -p icmp -j DROPLOG
"$IPTABLES" -A FORWARD -p icmp -j DROPLOG

# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------

# Allow loopback interface to do anything.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Allow incoming packets that belong or relate to existing allowed connections.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing packets of existing connections. NEW is deliberately not
# accepted here: outbound connections are allowed per port in the
# "Selectively allow certain outbound connections" section below and
# everything else is rejected and logged. Accepting NEW here would make
# that whole section unreachable; add it only if you want unrestricted egress.
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Miscellaneous.
#------------------------------------------------------------------------------

# Drop Windows networking noise (NetBIOS, SMB/CIFS, MS SQL) without logging it.
"$IPTABLES" -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
"$IPTABLES" -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
"$IPTABLES" -A OUTPUT -m state --state INVALID -j DROP

# INVALID packets are never NATed, so if this host ever forwards traffic they
# would slip past the nat rules; drop them in FORWARD as well.
"$IPTABLES" -A FORWARD -m state --state INVALID -j DROP

# Port scanners (including "stealth" scans): drop new TCP packets with every
# flag set (XMAS scan) or no flag set (NULL scan).
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Some more anti-spoofing rules? For example:
# "$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# "$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# "$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN flood protection: rate-limit new connection attempts.
# Caveat: the limit match is one global bucket, so during a flood this also
# drops legitimate SYNs (at most 2 new connections per second for the whole
# host). A per-source limit (the hashlimit match with --hashlimit-mode srcip)
# or simply relying on tcp_syncookies, enabled above, degrades more gracefully.
"$IPTABLES" -N SYN_FLOOD
"$IPTABLES" -A INPUT -p tcp --syn -j SYN_FLOOD
"$IPTABLES" -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
"$IPTABLES" -A SYN_FLOOD -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# "$IPTABLES" -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG

# Drop any traffic from reserved, unroutable source addresses (bogons).
#------------------------------------------------------------------------------
# A fixed list of prefixes that must never appear as a source address on the
# public Internet: "this" network, RFC 1918 private space, shared CGN space
# (RFC 6598), loopback, link-local, the IETF protocol and documentation
# ranges (RFC 5737), benchmarking space (RFC 2544), multicast and class E.
# Older bogon lists also dropped whole /8s (or larger) that were merely
# unallocated at the time; nearly all of those have since been assigned, so
# such entries silently cut off large parts of the Internet and are not
# included here. Two caveats remain: the RFC 1918 entries also drop traffic
# from a private LAN (remove them if this host talks to 10/8, 172.16/12 or
# 192.168/16 peers), and any static list goes stale, so review it regularly.

"$IPTABLES" -A INPUT -s 0.0.0.0/8 -j DROP
"$IPTABLES" -A INPUT -s 10.0.0.0/8 -j DROP
"$IPTABLES" -A INPUT -s 100.64.0.0/10 -j DROP
"$IPTABLES" -A INPUT -s 127.0.0.0/8 -j DROP
"$IPTABLES" -A INPUT -s 169.254.0.0/16 -j DROP
"$IPTABLES" -A INPUT -s 172.16.0.0/12 -j DROP
"$IPTABLES" -A INPUT -s 192.0.0.0/24 -j DROP
"$IPTABLES" -A INPUT -s 192.0.2.0/24 -j DROP
"$IPTABLES" -A INPUT -s 192.168.0.0/16 -j DROP
"$IPTABLES" -A INPUT -s 198.18.0.0/15 -j DROP
"$IPTABLES" -A INPUT -s 198.51.100.0/24 -j DROP
"$IPTABLES" -A INPUT -s 203.0.113.0/24 -j DROP
"$IPTABLES" -A INPUT -s 224.0.0.0/4 -j DROP
"$IPTABLES" -A INPUT -s 240.0.0.0/4 -j DROP

# Selectively allow certain outbound connections, block the rest.
#------------------------------------------------------------------------------

# Allow outgoing DNS requests. Few things will work without this.
"$IPTABLES" -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" (RFC 6409, formerly RFC 2476) requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport "$SSHPORT" -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
# Passive-mode data connections are only accepted as RELATED if the FTP
# conntrack helper loaded above is actually assigned (see the note there).
"$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing NTP requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc (nf_conntrack_irc) kernel module.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT

# Allow outgoing requests to various proxies. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT

# Allow outgoing DHCP requests. Unencrypted, use with care.
# A DHCP client sends from UDP port 68 to port 67. Some clients (dhclient
# among them) send the initial broadcast through a packet socket that
# netfilter never sees; lease renewals use ordinary UDP and do need this rule.
"$IPTABLES" -A OUTPUT -m state --state NEW -p udp --sport 68 --dport 67 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

# Allow outgoing MySQL requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Allow outgoing SVN requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

# Allow outgoing PLESK requests. Unencrypted, use with care.
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT

# Allow outgoing Tor (http://tor.eff.org) requests.
# Note: Do _not_ use unencrypted protocols over Tor (exit nodes can sniff them)!
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

# Allow outgoing OpenVPN requests.
"$IPTABLES" -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT

# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...

# Selectively allow certain inbound connections, block the rest.
#------------------------------------------------------------------------------
# Every rule here exposes a port to the whole Internet. Comment out the
# services this host does not run; a default-deny firewall is only as tight
# as its ACCEPT list.

# Allow incoming DNS requests.
"$IPTABLES" -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow incoming HTTP requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow incoming HTTPS requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow incoming POP3 requests (unencrypted unless STARTTLS is used).
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Allow incoming IMAP4 requests (unencrypted unless STARTTLS is used).
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

# Allow incoming POP3S requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow incoming SMTP requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Allow incoming SSH requests.
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport "$SSHPORT" -j ACCEPT

# Allow incoming FTP requests. Unencrypted; passive data connections need the
# FTP conntrack helper (see the module notes at the top).
"$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow incoming NNTP requests.
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow incoming MySQL requests.
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Allow incoming PLESK requests (Plesk listens on 8443, the same port used in
# the outbound section).
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT

# Allow incoming BitTorrent requests.
# These are NEW inbound connections from other peers, so the ESTABLISHED,RELATED
# rule does not cover them; they need explicit ACCEPTs like these.
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# "$IPTABLES" -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

# Allow incoming nc requests.
# "$IPTABLES" -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# "$IPTABLES" -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT

# Explicitly log and reject everything else.
#------------------------------------------------------------------------------

# Use REJECT instead of REJECTLOG if you don't need/want logging.
"$IPTABLES" -A INPUT -j REJECTLOG
"$IPTABLES" -A OUTPUT -j REJECTLOG
"$IPTABLES" -A FORWARD -j REJECTLOG

#------------------------------------------------------------------------------
# Testing the firewall.
#------------------------------------------------------------------------------

# You should check/test that the firewall really works, using
# iptables -vnL, nmap, ping, telnet, ...
# At minimum: confirm that the INPUT, OUTPUT and FORWARD policies read DROP
# in "iptables -S", that the only INPUT rules accepting NEW connections are
# for the ports you intend to expose, and, from another host, that a port
# scan shows exactly those ports and nothing else.

# Appending IPv6 rules.
#------------------------------------------------------------------------------
# The "Completely disable IPv6" section above sets every ip6tables policy to
# DROP and adds no loopback or ESTABLISHED,RELATED rule, so opening a single
# inbound port on IPv6 is not enough: the replies would still be dropped by
# the OUTPUT policy. If the host needs IPv6, mirror the IPv4 ruleset instead.
# The commands below are reference examples and are not executed by this
# script; HOST_IPV6_IP is a placeholder for the address you want to admit.
#
# ip6tables -A INPUT -p tcp --dport "$SSHPORT" -s HOST_IPV6_IP -j ACCEPT
# ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
# ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
# ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
#
# To see the IPv6 rules with line numbers:
# ip6tables -L -n --line-numbers
#
# To delete a rule, repeat its specification with -D:
# ip6tables -D INPUT -p tcp --dport 21 -j ACCEPT

# Exit gracefully.
#------------------------------------------------------------------------------

exit 0

--------------------------------------------------------------------------------
/upload/img/anti-ddos.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/anti-ddos/Anti-DDOS/59632bf2442b5f4a0c42decdba5fbf907ed44c79/upload/img/anti-ddos.png
--------------------------------------------------------------------------------
/upload/img/bash-ico.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/anti-ddos/Anti-DDOS/59632bf2442b5f4a0c42decdba5fbf907ed44c79/upload/img/bash-ico.png
--------------------------------------------------------------------------------
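The script's "Testing the firewall" note only says to look at `iptables -vnL`. The following is an added example, not part of the Anti-DDOS project, of auditing a ruleset offline from the text that `iptables -S INPUT` prints: it lists which TCP/UDP ports the INPUT chain accepts for NEW connections, and checks a candidate source address against every `-s PREFIX -j DROP` rule, which is how an over-broad "reserved" prefix (the sample deliberately includes a 96.0.0.0/4 entry of the kind found in old bogon lists) is caught before it is deployed and silently cuts off legitimate clients. The `SAMPLE_RULES` text is a constructed excerpt in `iptables -S` syntax, so the script runs without root or iptables installed; all function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables ruleset from "iptables -S INPUT" output.
# Runs offline on a constructed sample; on a real host you would feed it
#   rules=$(iptables -S INPUT)
# instead of SAMPLE_RULES.

SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 96.0.0.0/4 -j DROP
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-A INPUT -j REJECTLOG'

# ip4_to_int A.B.C.D -> the address as an unsigned 32-bit integer
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR PREFIX[/LEN] -> exit status 0 if ADDR lies inside the prefix
in_cidr() {
    case $2 in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2;      len=32 ;;
    esac
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# input_policy RULES -> the INPUT chain's default policy (from the -P line)
input_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }'
}

# open_ports RULES -> one "proto/port" line per rule that ACCEPTs NEW connections
open_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ && /--state NEW/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto "/" port
        }'
}

# drop_prefixes RULES -> the source prefixes the INPUT chain drops outright
drop_prefixes() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j DROP/ {
            for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1)
        }'
}

# source_verdict ADDR RULES -> "DROP <prefix>" for the first drop prefix that
# covers ADDR, or "PASS" when no source-based drop applies (later rules decide)
source_verdict() {
    for p in $(drop_prefixes "$2"); do
        if in_cidr "$1" "$p"; then
            echo "DROP $p"
            return 0
        fi
    done
    echo PASS
}

main() {
    echo "INPUT policy: $(input_policy "$SAMPLE_RULES")"
    echo "Ports open to NEW connections:"
    open_ports "$SAMPLE_RULES" | sed 's/^/  /'
    # 100.20.30.40 is an ordinary public address inside 96.0.0.0/4 (96.0.0.0 to
    # 111.255.255.255, almost all of it allocated today): the verdict shows the
    # over-broad entry would drop real clients, not just bogons.
    for ip in 203.0.113.7 100.20.30.40 10.1.2.3; do
        echo "source $ip: $(source_verdict "$ip" "$SAMPLE_RULES")"
    done
}

main
```

Run it as-is to see the report for the sample; replace `SAMPLE_RULES` with the real `iptables -S INPUT` output to audit a live host. Because the checks are functions that return values, the same file can be driven from a test or a deployment hook that refuses to load a ruleset whose policy is not DROP or whose drop prefixes cover a known-good address.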