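#!/bin/sh
# By simonsays - BlueBox Underground v1.2 - Dec. 2005
#
# Version Changes:
# - Added more DOD & reserved networks per IANA ipv4 latest assignments
# - Added Cyveillance networks. They sell mined data to agencies.
# - Added verified Netcraft probe servers.
#
# This is a simple iptables firewall script that drops most US Government, some data mining bots that
# contract and sell data to the US Government, most Netcraft probes, logs the attempts, and drops any
# other unsolicited traffic to your machine. It is probably best suited for workstation use.
#
# The specific government IP's in the drop section of the ruleset are probably redundant since we DROP
# all traffic at the end of the script. Having the specific networks dropped first allows for rules to
# be inserted after if you want to accept traffic to specific protocols (http, ssh, ftp, et al).
#
# Compatibility: Should work on all *nix platforms that have iptables/netfilter support in their kernel.
# This script is best launched at boot. IPTables logs to /var/log/messages by default.
#
# Review notes -- what changed relative to the v1.2 listing, behaviour-wise:
# - The loopback ACCEPT now comes before the 127.0.0.0/8 DROP. In the original order every packet
#   arriving on lo was dropped by the "private networks" rule before the lo rule was ever reached.
# - The "SYN flood" rule was `--syn -m limit --limit 1/second -j ACCEPT`, which admitted one new
#   connection per second to ANY port from ANY source. SYNs are now rate-limited in a dedicated chain
#   (excess dropped) and the survivors continue to the rules below, i.e. to the final DROP unless a
#   rule inserted later accepts the service.
# - Each banned network is LOGged and DROPped from one list so the two halves cannot drift apart.
#   In v1.2 the DOD NIC DROP range stopped at 140.75.0.0 while its LOG range ran to 140.75.255.255,
#   the Cyveillance networks were logged but never dropped, and 140.185.0.0/16 was dropped but never
#   logged; all three now get a matching LOG/DROP pair.
# - The interface for the ESTABLISHED,RELATED rule comes from $IFACE (default eth0) and the iptables
#   binary from $IPTABLES (default iptables), so the script is usable without editing rule lines.
# - `echo -n` is not portable under /bin/sh; printf is used for all output.
#
# Environment:
#   IPTABLES  iptables binary to run (default: iptables)
#   IFACE     interface on which replies to your outbound traffic are accepted (default: eth0)
#
# Chain policies are not touched: the trailing unconditional DROP on INPUT does the work, and
# OUTPUT/FORWARD are flushed but otherwise left at whatever policy they already have.

set -eu

IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"

# die MSG...: print MSG to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ipt ARGS...: run iptables with ARGS, aborting on the first failing rule so a
# half-loaded ruleset is never reported as "Done.".
ipt() {
  "$IPTABLES" "$@" || die "iptables $* failed"
}

#######################################
# Append a LOG (optional) and a DROP rule for one source network to INPUT.
# Arguments:
#   $1 - network: a.b.c.d/n (CIDR, -s match) or a.b.c.d-w.x.y.z (inclusive range, iprange match)
#   $2 - optional log prefix; when non-empty the packet is LOGged as "$2: " before being dropped
# Returns: 0, or exits via die() if iptables fails.
#######################################
ban_source() {
  net=$1
  prefix=${2:-}
  # Positional parameters are local to the function, so `set --` is a safe
  # way to build the match arguments without arrays (not available in sh).
  case "$net" in
    *-*) set -- -m iprange --src-range "$net" ;;
    *)   set -- -s "$net" ;;
  esac
  if [ -n "$prefix" ]; then
    ipt -A INPUT "$@" -j LOG --log-prefix "$prefix: "
  fi
  ipt -A INPUT "$@" -j DROP
}

[ "$(id -u)" -eq 0 ] || die "This script must be run as root."
command -v "$IPTABLES" >/dev/null 2>&1 || die "$IPTABLES not found in PATH."

printf '%s\n' "Configuring Firewall:"
printf '%s' "Flushing Tables..."
ipt --flush INPUT
ipt --flush OUTPUT
ipt --flush FORWARD
# Recreate the helper chain for SYN rate limiting; INPUT no longer references it after the flush,
# so an existing one can be emptied and deleted. Both steps may legitimately fail on first run.
"$IPTABLES" -F syn_flood 2>/dev/null && "$IPTABLES" -X syn_flood 2>/dev/null || true
ipt -N syn_flood
printf '%s\n' "Done."

printf '%s\n' "Loading Ruleset..."

# Allow Localhost Connections -- must precede the 127.0.0.0/8 drop below, otherwise
# every loopback packet is dropped before this rule is reached.
ipt -A INPUT -i lo -j ACCEPT
ipt -A OUTPUT -o lo -j ACCEPT
# End Localhost

# Drop ALL Traffic from the following networks, logging every attempt.
# Fields: network|log prefix|note (note is informational only). Lines starting with # are skipped.
while IFS='|' read -r net prefix note; do
  case "$net" in ''|'#'*) continue ;; esac
  ban_source "$net" "$prefix"
done <<'EOF'
# US GOVT
198.81.128.0/18|CIA|Central Intelligence Agency Networks
162.81.0.0/16|NCE|National Counterintelligence Executive
144.51.0.0/16|NCSC/NSA|National Computer Security Center aka NAVY/NSA/.mil
199.196.128.0/19|IRS|Executive Office of Asset Forfeiture aka IRS/Treasury
198.137.240.0/23|EOP|Executive Office Of The President USA aka Whitehouse/EOP
164.117.0.0/16|DOD|Defense Information Systems Agency aka DOD
131.84.0.0/16|DTIC|Defense Technical Information Cntr
140.185.0.0/16|DOD|Single Agency Manager aka Pentagon (DROP-only in v1.2, now logged too)
140.0.0.0-140.75.255.255|DOD NIC|DOD Defense Informations Center (v1.2 DROP range stopped at 140.75.0.0)
214.0.0.0-215.255.255.255|DOD NIC|DOD NIC
# data mining bots. these ignore robots.txt (v1.2 logged these but never dropped them)
63.148.99.224/27|Cyveillance SpyBots|
65.118.41.192/27|Cyveillance SpyBots|
216.32.64.0/24|Cyveillance SpyBots|
# netcraft probe servers
83.138.189.0/24|Netcraft Probe|Netcraft Owned Class C #1
194.72.238.0/24|Netcraft Probe|Netcraft Owned Class C #2
195.92.0.0/16|Netcraft Probe|Netcraft Owned Class B
64.160.19.0/24|Netcraft Probe|Probe Server Network
65.170.220.0/24|Netcraft Probe|Probe Server Network
68.10.141.0/24|Netcraft Probe|Probe Server Network
71.133.134.0/24|Netcraft Probe|Probe Server Network
128.223.189.0/24|Netcraft Probe|Probe Server Network
141.154.104.0/24|Netcraft Probe|Probe Server Network
142.103.93.0/24|Netcraft Probe|Probe Server Network
EOF

# private / unroutable source addresses -- dropped without logging, as in v1.2 (spoofed or
# misconfigured, and noisy). The 127.0.0.0/8 entry is safe here only because lo was accepted above.
# NOTE(review): 10/8, 172.16/12 and 192.168/16 are dropped unconditionally, so on a LAN that uses
# RFC 1918 addressing this also drops replies from your own router/DNS; remove the entry for your LAN.
# NOTE(review): 173.0.0.0-187.255.255.255 is not private space; it was unassigned when this list
# was written and has very likely been allocated since -- verify against current IANA assignments.
while IFS='|' read -r net; do
  case "$net" in ''|'#'*) continue ;; esac
  ban_source "$net"
done <<'EOF'
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
172.16.0.0/12
173.0.0.0-187.255.255.255
192.168.0.0/16
255.255.255.255/32
EOF
# End Network Specific Droppings

# Begin SYN Flood Protection
ipt -A INPUT -p tcp -m state --state INVALID -j DROP
# New SYNs are diverted to syn_flood: within the limit they RETURN to INPUT and are judged by the
# rules below (which end in DROP unless you insert an ACCEPT for a service); beyond it they are dropped.
# v1.2 ACCEPTed them here, which opened every port to one new connection per second.
ipt -A INPUT -p tcp --syn -j syn_flood
ipt -A syn_flood -m limit --limit 1/second -j RETURN
ipt -A syn_flood -j DROP
# Kept from v1.2: bare RST segments are accepted at a limited rate.
ipt -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# End SYN

# Allow External Traffic To Reply To You (on $IFACE only; other interfaces fall through to DROP).
ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP segments without option 2 (MSS, normally carried only by a SYN) are stray non-SYN packets that
# matched nothing above; answer with a reset rather than let the peer time out.
ipt -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# End Reply

# Drop everything else not specified (equivalent to the v1.2 `-d 0/0 -j DROP`).
ipt -A INPUT -j DROP
# End Drop
printf '%s\n' "Done."
printf '%s\n' "Firewall Configuration Complete."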