mam taki ip tables ale jest problem taki ze innym strona nie dziala + nie dziala ani ssh nie mogę sie polaczyć ze swoim vpsem
#!/bin/bash
########################################
# Firewall #
########################################
# Variaveis
# Interface Externa (YOUR NETWORK INTERFACE)
if_ext=eth0
# Politica Default - DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# ------------------------------------------------
# Protection against TCP syncookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ignore ICMP
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Allow access to localhost
iptables -I INPUT -p all -s 127.0.0.1 -j ACCEPT
# Allow connections from origin
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow external access to ports
iptables -I INPUT -i $if_ext -p tcp --dport 80 -j ACCEPT # HTTP
iptables -I INPUT -i $if_ext -p tcp --dport 7171 -j ACCEPT # TIBIA
iptables -I INPUT -i $if_ext -p tcp --dport 7172 -j ACCEPT # TIBIA GAME PORT
# Limit connections on Tibia Ports
iptables -A INPUT -p tcp -m recent --rcheck --seconds 60 -j REJECT
iptables -A INPUT -p tcp --dport 7171 -m connlimit --connlimit-above 10 -m recent --set -j REJECT
iptables -A INPUT -p tcp --dport 7172 -m connlimit --connlimit-above 10 -m recent --set -j REJECT
# Allow SSH (PUTTY)
iptables -I INPUT -i $if_ext -p tcp --dport 22 -j ACCEPT
# Limit connections
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP
# Block TCP-CONNECT scan attempts (SYN bit packets)
#iptables -A INPUT -p tcp --syn -j DROP
# Block TCP-SYN scan attempts (only SYN bit packets)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH SYN -j DROP
# Block TCP-FIN scan attempts (only FIN bit packets)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
# Block TCP-ACK scan attempts (only ACK bit packets)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
# Block TCP-NULL scan attempts (packets without flag)
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ! SYN,RST,ACK,FIN,URG,PSH SYN,RST,ACK,FIN,URG,PSH -j DROP
#Block "Christmas Tree" TCP-XMAS scan attempts (packets with FIN, URG, PSH bits)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP
# Block DOS - Teardrop
iptables -A INPUT -p UDP -f -j DROP
# Block DDOS - Smurf
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p ICMP --icmp-type echo-request -m pkttype --pkttype broadcast -j DROP
iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
# Block DDOS - SYN-flood
iptables -A INPUT -p TCP --syn -m iplimit --iplimit-above 9 -j DROP
# Block DDOS - SMBnuke
iptables -A INPUT -p UDP --dport 135:139 -j DROP
iptables -A INPUT -p TCP --dport 135:139 -j DROP
# Block DDOS - Jolt
iptables -A INPUT -p ICMP -f -j DROP
# Block DDOS - Fraggle
iptables -A INPUT -p UDP -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p UDP -m limit --limit 3/s -j ACCEPT
# Creates logs of the rest of the connections
iptables -A INPUT -i $if_ext -p all -j LOG --log-prefix " - FIREWALL: droped -> "