#!/bin/bash
## IP-KKZ-LIST\
#--------------
#=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Tool paths and the public (WAN) addresses that anchor the DNAT/SNAT rules
# further down. $IPT/$EC are indirections so the whole file can be
# retargeted (e.g. to iptables-legacy) in one place. The ipNNN values are
# truncated to "212.26." in this copy of the file — presumably redacted;
# as written, every ifconfig/iptables call that uses them will fail.
IPT="/sbin/iptables"
EC="echo"
ip138="212.26."   # main public address: most DNAT targets, default SNAT source
ip139="212.26."   # SNAT source for lab518 (10.60.0.0/24); RDP/asterisk/NAS-web DNAT
ip140="212.26."   # full 1:1 NAT to the new kkz web host (10.60.0.80)
ip141="212.26."   # currently unused: the telephony/ESXi 1:1 NAT lines are commented out
ip142="212.26."   # full 1:1 NAT to kkzcore (11.1.1.245)
#Clean ifconfig
# Tear down the public alias interfaces and the VLAN-60 alias first so a
# re-run of this script starts from a known state. The public addresses
# appear truncated ("212.26.") in this copy of the file — they look
# redacted; as written these ifconfig calls would fail. The alias/ifconfig
# syntax is legacy; `ip addr add ... dev eth0` is the maintained tool.
ifconfig eth0:0 212.26. netmask 255.255.255.248 down
ifconfig eth0:1 212.26. netmask 255.255.255.248 down
ifconfig eth0:2 212.26. netmask 255.255.255.248 down
ifconfig eth0:3 212.26. netmask 255.255.255.248 down
ifconfig eth1.60:0 11.1.1.1 netmask 255.255.255.0 down
#Add ifconfig
# eth0:3 is brought down above but deliberately (commented) not brought back
# up; 11.1.1.1 on eth1.60 is this gateway's address in the DC segment used by
# the kkzcore 1:1 NAT below.
ifconfig eth0:0 212.26. netmask 255.255.255.248 up
ifconfig eth0:1 212.26. netmask 255.255.255.248 up
ifconfig eth0:2 212.26. netmask 255.255.255.248 up
#ifconfig eth0:3 212.26. netmask 255.255.255.248 up
ifconfig eth1.60:0 11.1.1.1 netmask 255.255.255.0 up
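##ipset-UA-IX-traffic\
#---------------------
# Load the "ua-ix" ipset (referenced by the mangle MARK rules below) from a
# script kept under /root. It is executed with bash, so that file must stay
# root-owned and writable by root only — anyone who can edit it runs code as
# root at every firewall reload. The original printed "[ OK ]" regardless of
# the outcome; the message now follows the exit status, and a failure goes to
# stderr because the MARK rule that uses the set will fail as well.
if /bin/bash /root/UA-IX/ipset2.conf; then
  $EC ipset-load-ok [ OK ]
else
  $EC ipset-load-FAILED >&2
fi
#/bin/bash /etc/ipset.conf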
##Clean-all-chains\
#------------------
# Flush every rule, then delete user-defined chains, in the filter, nat and
# mangle tables (same order as before: all -F first, then all -X). Chain
# policies are not touched here, so during the reload the INPUT policy from
# the previous run (DROP) is in force with no ACCEPT rules at all — expect a
# short connectivity blip. The raw table is not cleared.
for tbl in filter nat mangle; do
  $IPT -t "$tbl" -F
done
for tbl in filter nat mangle; do
  $IPT -t "$tbl" -X
done
$EC Clean [ OK ]
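##Security\
#----------
# Kernel TCP/IP tuning, written through /proc. Nothing here aborts on error
# (no set -e), so a missing path just prints a message and the script goes on.
$EC 1 > /proc/sys/net/ipv4/tcp_syncookies # enable SYN cookies (SYN-flood mitigation; the old comment said "disable", but 1 turns them ON)
$EC 30 > /proc/sys/net/ipv4/tcp_fin_timeout # seconds an orphaned socket stays in FIN-WAIT-2
# Established conntrack entries expire after 4h (the kernel default is 5 days).
# /proc/sys/net/ipv4/netfilter/ip_conntrack_* belongs to the legacy
# ip_conntrack module; nf_conntrack kernels expose the knob under
# /proc/sys/net/netfilter/, so try the current name first and fall back.
nf_ct_est=/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
if [ -e "$nf_ct_est" ]; then
  $EC 14400 > "$nf_ct_est"
else
  $EC 14400 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
fi
$EC 0 > /proc/sys/net/ipv4/tcp_sack # disable selective acknowledgements, RFC2018 (costs throughput on lossy links)
$EC 0 > /proc/sys/net/ipv4/tcp_timestamps # disable TCP timestamps, RFC1323 (hides uptime, but also disables PAWS)
#sysctl -w net.ipv4.tcp_max_syn_backlog=4096
#sysctl -w net.ipv4.tcp_keepalive_time=60
#sysctl -w net.ipv4.tcp_keepalive_intvl=10
#sysctl -w net.ipv4.tcp_keepalive_probes=5
# NOTE(review): reverse-path filtering stays off (line below is commented
# out), so the kernel does not reject a packet that arrives on the uplink
# with a LAN (10.x) source; any ACCEPT rule keyed on a LAN source address
# should therefore also match the interface. Confirm before enabling.
#sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.tcp_synack_retries=1
#sysctl -w net.ipv4.tcp_fin_timeout=10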
##TCP-buffer\
#------------
# Socket buffer auto-tuning: min/default/max for per-socket TCP send and
# receive buffers, and the hard ceiling any socket may request via
# setsockopt(SO_RCVBUF/SO_SNDBUF).
tcp_buf_minmax="4096 87380 16777216"
sock_buf_ceiling=16777216
$EC "$tcp_buf_minmax" > /proc/sys/net/ipv4/tcp_wmem
$EC "$tcp_buf_minmax" > /proc/sys/net/ipv4/tcp_rmem
##auto-tuning-limits\
#--------------------
$EC "$sock_buf_ceiling" > /proc/sys/net/core/rmem_max
$EC "$sock_buf_ceiling" > /proc/sys/net/core/wmem_max
##queue-packets\
#---------------
# Longer transmit queue on both NICs (Ethernet default is usually 1000) to
# absorb bursts on the gateway.
for nic in eth0 eth1; do
  /sbin/ifconfig "$nic" txqueuelen 2000
done
##Policy-ipt\
#------------
# Default policies. INPUT is closed by default. FORWARD is open by default,
# so every DNAT target below, and any routed 10.x destination, is reachable
# unless a later FORWARD rule drops it — a DROP policy with explicit accepts
# (ESTABLISHED,RELATED plus -m conntrack --ctstate DNAT) would be the
# defensive choice. The policies are applied before the ACCEPT rules and
# nothing in this script aborts on error, so a failure between here and the
# admin/SSH rules leaves the box unreachable remotely.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
# Create a chain that vets new connection attempts to the protected (SSH) port.
$IPT -N ssh_brute_check
# If this source already has 3 or more hits within the last 5 minutes
# (300 s), drop the attempt. --update also refreshes the timestamp, so a
# client that keeps retrying stays blocked. The default "recent" list is used;
# its size is bounded by the xt_recent ip_list_tot module parameter.
$IPT -A ssh_brute_check -m conntrack --ctstate NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
# Otherwise accept, recording the source in the list (this rule always matches).
$IPT -A ssh_brute_check -m recent --set -j ACCEPT
# Route every new connection to the SSH port (6050) through that check.
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --dport 6050 -j ssh_brute_check
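###---------------------------------###
### SCAN-logging ###
###---------------------------------###
# Log TCP packets carrying flag combinations a normal stack never sends
# (FIN without ACK, FIN/PSH/URG "Xmas" variants, all flags, no flags,
# SYN+RST, SYN+FIN) — the signatures of nmap-style stealth scans.
# LOG is non-terminating: the packet continues down INPUT and, unless a
# stateless port ACCEPT below matches it, ends in the DROP policy.
# Each LOG is rate-limited (5/min, burst 10) so a flood of crafted packets
# cannot fill /var/log; the original logged every packet unconditionally.
$IPT -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
# Unsolicited SYN/ACK (no SYN of ours in conntrack): answer with RST so the
# remote side tears down at once. -I puts this at the top of INPUT.
$IPT -I INPUT -m conntrack --ctstate NEW,INVALID -p tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset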
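##incomming\
#-----------
# Replies to connections this host opened, and further packets of inbound
# connections already accepted. Uses -m conntrack like the rest of the file
# (same semantics as the deprecated -m state it replaces).
$IPT -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT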
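##DOS-security\
#--------------
# All SYN/RST rate limits in this section are disabled; the "DDos protected"
# message at the end is therefore only historic.
#$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN SYN -m limit --limit 10/s -j ACCEPT
#$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN SYN -j DROP
#$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
#$IPT -I INPUT -m conntrack --ctstate NEW,INVALID -p tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
#$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
##ping-accept\
#-------------
# ICMP is needed for PMTU discovery and error reporting, so all types stay
# accepted (as before), but echo-request is now capped so a ping flood from
# the Internet cannot saturate the gateway; excess echo-requests are dropped.
$IPT -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 20 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -p icmp -m icmp -j ACCEPT
$EC DDos protected [ OK ]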
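##admin-access-accept\
#---------------------
# Unconditional TCP access for the admin workstation, inserted at the very
# top of INPUT (ahead of the brute-force check and the SYN/ACK reject).
# "! -i eth0" stops the rule from trusting a spoofed 10.60.0.10 source that
# arrives on the uplink: eth0 is the WAN side (SNAT leaves through it) and
# this script does not enable rp_filter, so nothing else would catch it.
$IPT -I INPUT 1 ! -i eth0 -p tcp -m tcp -s 10.60.0.10/32 -j ACCEPT #admin-ip-local
$IPT -A INPUT -i lo -j ACCEPT #loop
$IPT -A OUTPUT -o lo -j ACCEPT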
##SSH\
#-----
# sshd listens on 6050 (non-standard port). New connections never reach this
# rule — they are decided inside ssh_brute_check, which always terminates —
# and established ones match the ESTABLISHED,RELATED rule. What remains are
# packets conntrack does not tie to a connection (typically INVALID), which
# this rule accepts regardless of state.
$IPT -A INPUT -p tcp -m tcp --dport 6050 -j ACCEPT
##YouTube-speed-up\
#------------------
# Blackhole two Google/YouTube CDN ranges in every direction (the intent,
# presumably, is to push clients onto a closer cache). Hard-coded CDN ranges
# go stale; the FORWARD drops are inserted at the top of the chain, but the
# V.I.P. inserts later in this file end up ahead of them.
for yt_net in 206.111.0.0/16 173.194.55.0/24; do
  $IPT -A INPUT -s "$yt_net" -j DROP
  $IPT -A OUTPUT -d "$yt_net" -j DROP
done
$IPT -I FORWARD 1 -d 206.111.0.0/16 -j DROP
$IPT -I FORWARD 2 -d 173.194.55.0/24 -j DROP
##Web-apache/nginx\
#------------------
# Services hosted on this box and open to any source, in the original
# order: HTTP on 80 and 8000, a Counter-Strike 1.6 server (27015 tcp+udp)
# and the Scout real-time monitoring port (5555). 5555 may deserve a -s
# restriction if only known collectors ever connect to it.
##CS1.6-server\
#-----------
##Scout-Realtime-monitoring\
#---------------------------
for svc in tcp:80 tcp:8000 tcp:27015 udp:27015 tcp:5555; do
  svc_proto=${svc%%:*}
  svc_port=${svc##*:}
  $IPT -A INPUT -p "$svc_proto" -m "$svc_proto" --dport "$svc_port" -j ACCEPT
done
##Zabbix-monitoring\
#-------------------
# Publish the Zabbix web front-end (10.60.0.228:80) as $ip138:55555. Only
# packets arriving on eth0 (the uplink) are translated. The monitoring UIs
# — and Cacti's SSH below — are thereby reachable from the Internet with a
# high port number as the only obstacle; a -s whitelist or the VPN in this
# file would be the usual control.
$IPT -t nat -A PREROUTING -i eth0 -d $ip138 -p tcp --dport 55555 -j DNAT --to-destination 10.60.0.228:80
##Cacti\
#-------
# Cacti web UI and SSH of 10.60.0.249, exposed as $ip138:55556/55557.
# 55555-55557 also fall inside the NAS FTP passive range DNATed further
# down (55536:55663); these earlier rules win, so FTP data connections that
# land on those ports are misdirected to Zabbix/Cacti.
$IPT -t nat -A PREROUTING -i eth0 -d $ip138 -p tcp --dport 55556 -j DNAT --to-destination 10.60.0.249:80
$IPT -t nat -A PREROUTING -i eth0 -d $ip138 -p tcp --dport 55557 -j DNAT --to-destination 10.60.0.249:22
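##SNMP\
#------
# SNMP agent (161) and trap receiver (162), inserted at the top of INPUT.
# Now limited to non-WAN interfaces: the monitoring hosts named in this file
# (Zabbix 10.60.0.228, Cacti 10.60.0.249) are internal, and an SNMP agent
# reachable from the Internet invites community-string guessing and UDP
# reflection abuse. Add an explicit -s rule for any external poller that
# genuinely needs it.
$IPT -I INPUT ! -i eth0 -p udp -m udp --dport 161 -j ACCEPT
$IPT -I INPUT ! -i eth0 -p udp -m udp --dport 162 -j ACCEPT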
##Cam-max-317\
#-------------
# IP camera at 10.60.0.29 published on $ip138 with the ports unchanged.
# Unlike the Zabbix/Cacti rules there is no -i eth0 match, so the translation
# also applies to packets arriving on LAN interfaces. Cameras are a favourite
# botnet target; a source whitelist is advisable. 55559/55560 overlap the
# NAS FTP passive range below (55536:55663) and take precedence over it.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55559 -j DNAT --to-destination 10.60.0.29:55559
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55560 -j DNAT --to-destination 10.60.0.29:55560
# Disabled variants: a second camera, and a hostname target (DNAT needs an
# address, so the second one would not load as written).
#$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55565 -j DNAT --to-destination 10.60.0.67:80
#$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55565 -j DNAT --to-destination camera.kkz.net.ua
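##PPTP-vpn\
#----------
# VPN listeners. PPTP (GRE + tcp/1723) authenticates with MS-CHAPv2, which is
# considered broken; the L2TP/IPsec ports below are the safer path, so PPTP
# should be retired once clients have migrated. GRE is only accepted on the
# uplink; 1723 is accepted on both eth0 and eth1.
$IPT -A INPUT -i eth0 -p gre -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
# L2TP (1701, presumably inside IPsec given 500/4500 — bare L2TP is
# plaintext) and IKE/NAT-T. -m conntrack replaces the deprecated -m state
# used here originally, for consistency with the rest of the file.
$IPT -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 1701 -m comment --comment "L2TP" -j ACCEPT
$IPT -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 500 -m comment --comment "IKEv2" -j ACCEPT
$IPT -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 4500 -m comment --comment "IKEv2" -j ACCEPT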
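##DNS\
#-----
# DNS on 53 is open to the world. If the server recurses for arbitrary
# clients (not visible here) this is an open resolver usable for
# amplification — confirm recursion is limited to the LAN in the server's
# own configuration.
$IPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# 953 is rndc's default control channel for BIND. It must not be reachable
# from the uplink, so it is now limited to non-WAN interfaces (localhost
# only would be better still if rndc is only run on this box).
$IPT -A INPUT ! -i eth0 -p tcp -m tcp --dport 953 -j ACCEPT
$IPT -A INPUT ! -i eth0 -p udp -m udp --dport 953 -j ACCEPT
##++++++++++++++++++++++++++++++++++++++++++
##+++++++++++++INPUT chains END+++++++++++++
##++++++++++++++++++++++++++++++++++++++++++
$EC INPUT chains load [ OK ]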
#mark-packets-for-shape\
#-----------------------
# Classify traffic with fwmarks for a shaper configured elsewhere (no tc
# rules are in this file, so the meaning of each mark is inferred from the
# matches only):
#   0x10 = inbound on eth0 from a source in the "ua-ix" ipset (presumably
#          Ukrainian exchange peers); RETURN stops further marking
#   0x11 = any other inbound on eth0 (foreign traffic)
#   0x12 = from eth1 towards 10.0.0.0/8 (LAN-to-LAN); RETURN
#   0x1  = from the LAN out to ports 20,21,80,443,5190,8080 (FTP, web,
#          5190 is the classic ICQ/AIM port)
# "--set" is the old xt_set option spelling; newer iptables calls it
# --match-set.
$IPT -t mangle -A PREROUTING -i eth0 -m set --set ua-ix src -j MARK --set-mark 0x10
$IPT -t mangle -A PREROUTING -i eth0 -m mark --mark 0x10 -j RETURN
$IPT -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 0x11
$IPT -t mangle -A PREROUTING -d 10.0.0.0/8 -i eth1 -j MARK --set-mark 0x12
$IPT -t mangle -A PREROUTING -i eth1 -m mark --mark 0x12 -j RETURN
$IPT -t mangle -A PREROUTING -s 10.0.0.0/8 -i eth1 -p tcp -m multiport --dports 20,21,80,443,5190,8080 -j MARK --set-mark 0x1
$IPT -t mangle -A PREROUTING -s 10.0.0.0/8 -i eth1 -p udp -m multiport --dports 80,443,5190,8080 -j MARK --set-mark 0x1
$EC mark-traffic-rules [ OK ]
##Proxmox-vm-cluster\
#--------------------
# Proxmox web UI (8006, as 1488) and VNC consoles (5900-5902, unchanged) of
# 10.60.0.31, plus SSH of 10.60.0.30 (as 1489), published on $ip138 to any
# source. VNC is typically unencrypted, and the hypervisor management plane
# is the most valuable target behind this gateway — it belongs behind the
# VPN configured in this file, or at least behind a -s whitelist.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1488 -j DNAT --to-destination 10.60.0.31:8006 #vm0
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 5900 -j DNAT --to-destination 10.60.0.31:5900
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 5901 -j DNAT --to-destination 10.60.0.31:5901
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 5902 -j DNAT --to-destination 10.60.0.31:5902
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1489 -j DNAT --to-destination 10.60.0.30:22 #vm2
#$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1490 -j DNAT --to-destination 10.60.0.31:8006 #vm1
##RDP-pc`s\
#----------
# Windows RDP of two workstations published on $ip139:1313 and :1489 to any
# source. RDP is among the most brute-forced services on the Internet; a
# source whitelist or the VPN is strongly advisable. (1489 on $ip139 does
# not clash with 1489 on $ip138 above because the destination differs.)
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 1313 -j DNAT --to-destination 10.60.0.10:3389 # ssdtux-RDP
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 1489 -j DNAT --to-destination 10.60.0.16:3389
#rtsp\
#-----
# RTSP (554) of three cameras/recorders published on $ip138:1550-1552.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1550 -j DNAT --to-destination 10.60.0.13:554
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1551 -j DNAT --to-destination 10.40.0.45:554
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1552 -j DNAT --to-destination 10.60.0.11:554
##asterisk-max\
#--------------
# SSH and HTTPS of the Asterisk PBX (10.103.0.203) on $ip139:7881/7882, open
# to any source.
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 7881 -j DNAT --to-destination 10.103.0.203:22
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 7882 -j DNAT --to-destination 10.103.0.203:443
##NAS\
#-----
# NAS web UI on $ip139:55555 (no clash with Zabbix, which uses $ip138).
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 55555 -j DNAT --to-destination 10.60.0.20:80
#nas-ftp-config
# FTP control (55552 -> 21) and the passive data range 55536:55663 forwarded
# to the NAS with ports unchanged. WARNING: that range also contains 55552
# (this control rule), 55555/55556/55557 (Zabbix/Cacti) and 55559/55560
# (camera); those PREROUTING rules come earlier in the chain and win, so a
# passive data connection assigned one of those ports is delivered to the
# wrong host and fails. Narrow the NAS's passive-port setting to a range
# that overlaps nothing else here (and mirror it below), or move to SFTP —
# FTP credentials and data are plaintext anyway.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55552 -j DNAT --to-destination 10.60.0.20:21
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55536:55663 -j DNAT --to-destination 10.60.0.20
##ESXi-1\
#-------
# ESXi host client / API (443) of 10.60.0.254 published as $ip138:6070 to
# any source — same concern as the Proxmox management plane above.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 6070 -j DNAT --to-destination 10.60.0.254:443
##kkz.net.ua/kkzcore.pp.ua\
#--------------------------
#old-config--->|  (previous layout: the host was reached through a VLAN-30 alias)
#ifconfig eth1.30:0 11.1.1.1 netmask 255.255.255.0 up
#conf-to-DC--->|  (current layout: the host sits in the 11.1.1.0/24 DC segment on eth1.60)
# Full 1:1 NAT: every protocol and port of $ip142 is forwarded to 11.1.1.245
# and its replies leave as $ip142. With the FORWARD policy at ACCEPT this host
# is effectively directly on the Internet and must run its own host firewall.
$IPT -t nat -A PREROUTING -d $ip142 -j DNAT --to-destination 11.1.1.245 #kkzcore
$IPT -t nat -A POSTROUTING -s 11.1.1.245/32 -o eth0 -j SNAT --to-source $ip142 #kkzcore
#max-ip-telephony  (disabled 1:1 NAT candidates for $ip141: IP phone and ESXi)
#$IPT -t nat -A POSTROUTING -s 10.60.0.223/32 -o eth0 -j SNAT --to-source $ip141 #ip316
#$IPT -t nat -A PREROUTING -d $ip141 -j DNAT --to-destination 10.60.0.223 #ip316
#$IPT -t nat -A POSTROUTING -s 10.60.0.254/32 -o eth0 -j SNAT --to-source $ip141 #esxi
#$IPT -t nat -A PREROUTING -d $ip141 -j DNAT --to-destination 10.60.0.254 #esxi
##kkz.net.ua-new-site-config\
#----------------------------
#pratsko
# Same full 1:1 DNAT for the new web site host, all ports, but without a
# matching SNAT: its outbound traffic leaves as $ip139 via the 10.60.0.0/24
# rule in the SNAT section below.
$IPT -t nat -A PREROUTING -d $ip140 -j DNAT --to-destination 10.60.0.80 #kkz(newsite)
##SNAT-kkz-lan-all\
#-----------------
# Masquerade each LAN segment out of eth0 as a fixed public address, and
# accept forwarded traffic *towards* each segment, so LAN-bound packets are
# not subjected to the string filters appended to FORWARD later.
# Segments: f1..f5 = 10.10-10.50 (as $ip138), lab518 = 10.60 (as $ip139),
# pristroika = 10.103 (as $ip138); 10.102 ("zapas", presumably "spare") is
# disabled. kkzcore has its own SNAT in the 1:1 NAT section above.
#$IPT -t nat -A POSTROUTING -s 11.1.1.245/32 -o eth0 -j SNAT --to-source $ip138 #kkzcore
$IPT -t filter -A FORWARD -d 11.1.1.245/32 -j ACCEPT
while read -r lan_net pub_ip; do
  $IPT -t nat -A POSTROUTING -s "$lan_net" -o eth0 -j SNAT --to-source "$pub_ip"
  $IPT -t filter -A FORWARD -d "$lan_net" -j ACCEPT
done <<EOF
10.10.0.0/24 $ip138
10.20.0.0/24 $ip138
10.30.0.0/24 $ip138
10.40.0.0/24 $ip138
10.50.0.0/24 $ip138
10.60.0.0/24 $ip139
10.103.0.0/24 $ip138
EOF
#$IPT -t nat -A POSTROUTING -s 10.102.0.0/24 -o eth0 -j SNAT --to-source $ip138 #zapas
#$IPT -t filter -A FORWARD -d 10.102.0.0/24 -j ACCEPT
$EC SNAT kkz lan load [ OK ]
###---------------------------------###
### V.I.P. Level.1 ###
###---------------------------------###
# Privileged LAN hosts whose forwarded traffic bypasses every FORWARD filter
# (YouTube drops, switch-management drops, torrent and site string filters):
# inserted at positions 1-5, in this order, ahead of everything else.
vip_pos=1
for vip_host in 10.60.0.10 10.60.0.7 10.60.0.8 10.60.0.17 10.60.0.196; do
  $IPT -I FORWARD "$vip_pos" -s "$vip_host/32" -j ACCEPT
  vip_pos=$((vip_pos + 1))
done
###---------------------------------###
### ban ###
###---------------------------------###
# Blocklist template. 111.111.111.111 is a placeholder; real entries go here
# (an ipset would scale better than one rule per address and per chain).
$IPT -A INPUT -s 111.111.111.111/32 -j DROP
$IPT -A OUTPUT -d 111.111.111.111/32 -j DROP
$IPT -A FORWARD -d 111.111.111.111/32 -j DROP
###---------------------------------###
### kkz-full-ban ###
###---------------------------------###
# Disabled per-host Internet bans. Before re-enabling the last five: a
# "10.10.0.2/24" is normalised by iptables to 10.10.0.0/24, i.e. it would
# cut off the whole segment, not that host — use /32 for a single address.
#$IPT -t filter -A FORWARD -s 10.20.0.49/32 -j DROP
#$IPT -t filter -A FORWARD -s 10.30.0.49/32 -j DROP
#$IPT -t filter -A FORWARD -s 10.40.0.49/32 -j DROP
#$IPT -t filter -A FORWARD -s 10.50.0.49/32 -j DROP
#$IPT -t filter -A FORWARD -s 10.10.0.2/24 -j DROP
#$IPT -t filter -A FORWARD -s 10.20.0.2/24 -j DROP
#$IPT -t filter -A FORWARD -s 10.30.0.2/24 -j DROP
#$IPT -t filter -A FORWARD -s 10.40.0.2/24 -j DROP
#$IPT -t filter -A FORWARD -s 10.50.0.2/24 -j DROP
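###---------------------------------###
### SW-access ###
###---------------------------------###
# Management addresses of the switches: log, then drop, every forwarded
# packet to them. The LOG is rate-limited so a scan of the 10.99.0.0 range
# cannot flood syslog (the original logged every packet). The "V.I.P."
# sources inserted at the top of FORWARD are accepted before these rules
# and therefore still reach the switches. (The original comment on
# 10.99.0.40 said sw5; it is SW4.)
for sw in 10.99.0.10:SW1 10.99.0.20:SW2 10.99.0.30:SW3 10.99.0.40:SW4 10.99.0.50:SW5 10.99.0.100:RSW; do
  sw_ip=${sw%%:*}
  sw_name=${sw##*:}
  $IPT -A FORWARD -d "$sw_ip/32" -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "DANGER-$sw_name "
  $IPT -A FORWARD -d "$sw_ip/32" -j DROP #disable-access-for-all
done
$EC FILTER-sites for kkz-lan [ OK ]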
###---------------------------------###
### Torrents ###
###---------------------------------###
# Payload string matching on every forwarded packet from the LAN
# (--to 65535 = scan the whole packet). Things a maintainer should know:
#  * only plaintext is caught — encrypted/obfuscated BitTorrent passes; this
#    is best-effort policy, not a security control.
#  * "torrent" and "announce" are very broad and also hit ordinary web pages,
#    mail and file names that merely contain the word (false positives).
#  * several later rules can never match: the kmp rules repeat strings
#    already covered above them, "BitTorrent" already contains
#    "BitTorrent protocol", "announce" contains the other announce* strings,
#    "torrent" contains ".torrent" and "bittorrent-announce" — the first
#    matching rule has already dropped the packet. bm and kmp give the same
#    result; only the search algorithm differs.
#  * every forwarded packet pays for ~16 full-payload scans; watch CPU on
#    this gateway before adding more.
#  * LAN-destined traffic (10.x) is exempt because the FORWARD -d ACCEPT
#    rules in the SNAT section match first.
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "BitTorrent" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "BitTorrent protocol" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "peer_id=" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string ".torrent" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce.php?passkey=" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "torrent" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "peer_id" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "bittorrent-announce" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce.php?passkey=" --algo kmp --to 65535 -j DROP
# DHT keywords (find_node / get_peers) — the only rules below "announce"
# that still add coverage.
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "find_node" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "get_peers" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce_peers" --algo kmp --to 65535 -j DROP
#VK-lock\
#---------
# Site-wide vk.com block is disabled; only the biblio-wifi-router below has one.
#$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "vk.com" --algo kmp --to 65535 -j DROP
$EC torrents-lock [ OK ]
###---------------------------------###
### biblio-wifi-router ###
###---------------------------------###
# Content policy for the library wifi router (10.30.0.2): drop forwarded
# packets whose plaintext payload contains any of these hostnames or video
# file extensions. Only unencrypted traffic is affected; ".avi"/".mkv" also
# hit any page or filename containing those strings.
for blocked_pat in vk.com youtube.com m.vk.com m.youtube.com ex.ua .avi fs.to brb.to .mkv; do
  $IPT -A FORWARD -s 10.30.0.2/32 -m string --string "$blocked_pat" --algo kmp --to 65535 -j DROP
done
###---------------------------------###
### wifi-kkz ###
###---------------------------------###
# Block YouTube (hostname in plaintext payload) for the wifi routers at
# x.x.0.49 in segments f2..f5. Catches unencrypted traffic only.
for wifi_router in 10.20.0.49 10.30.0.49 10.40.0.49 10.50.0.49; do
  $IPT -A FORWARD -s "$wifi_router/32" -m string --string "youtube.com" --algo kmp --to 65535 -j DROP
done
##///////////////////////////////////////////////////////////////
$EC Firewall load modules [ OK ]
## IP-KKZ-LIST\
#--------------
#=-=-=-=-=-=-=-=-=-=-=-=-=-=
# NOTE(review): everything from here to the end repeats the script above
# verbatim. If that is the real file and not an artefact of how this page
# was captured, the second pass re-runs every ifconfig/iptables command; the
# flush makes the end state identical, but it doubles the reload blip and
# looks accidental — confirm and remove one copy.
# Tool paths and the public (WAN) addresses that anchor the DNAT/SNAT rules
# further down. $IPT/$EC are indirections so the whole file can be
# retargeted (e.g. to iptables-legacy) in one place. The ipNNN values are
# truncated to "212.26." in this copy of the file — presumably redacted;
# as written, every ifconfig/iptables call that uses them will fail.
IPT="/sbin/iptables"
EC="echo"
ip138="212.26."   # main public address: most DNAT targets, default SNAT source
ip139="212.26."   # SNAT source for lab518 (10.60.0.0/24); RDP/asterisk/NAS-web DNAT
ip140="212.26."   # full 1:1 NAT to the new kkz web host (10.60.0.80)
ip141="212.26."   # currently unused: the telephony/ESXi 1:1 NAT lines are commented out
ip142="212.26."   # full 1:1 NAT to kkzcore (11.1.1.245)
#Clean ifconfig
# Tear down the public alias interfaces and the VLAN-60 alias first so a
# re-run of this script starts from a known state. The public addresses
# appear truncated ("212.26.") in this copy of the file — they look
# redacted; as written these ifconfig calls would fail. The alias/ifconfig
# syntax is legacy; `ip addr add ... dev eth0` is the maintained tool.
ifconfig eth0:0 212.26. netmask 255.255.255.248 down
ifconfig eth0:1 212.26. netmask 255.255.255.248 down
ifconfig eth0:2 212.26. netmask 255.255.255.248 down
ifconfig eth0:3 212.26. netmask 255.255.255.248 down
ifconfig eth1.60:0 11.1.1.1 netmask 255.255.255.0 down
#Add ifconfig
# eth0:3 is brought down above but deliberately (commented) not brought back
# up; 11.1.1.1 on eth1.60 is this gateway's address in the DC segment used by
# the kkzcore 1:1 NAT below.
ifconfig eth0:0 212.26. netmask 255.255.255.248 up
ifconfig eth0:1 212.26. netmask 255.255.255.248 up
ifconfig eth0:2 212.26. netmask 255.255.255.248 up
#ifconfig eth0:3 212.26. netmask 255.255.255.248 up
ifconfig eth1.60:0 11.1.1.1 netmask 255.255.255.0 up
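##ipset-UA-IX-traffic\
#---------------------
# Load the "ua-ix" ipset (referenced by the mangle MARK rules below) from a
# script kept under /root. It is executed with bash, so that file must stay
# root-owned and writable by root only — anyone who can edit it runs code as
# root at every firewall reload. The original printed "[ OK ]" regardless of
# the outcome; the message now follows the exit status, and a failure goes to
# stderr because the MARK rule that uses the set will fail as well.
if /bin/bash /root/UA-IX/ipset2.conf; then
  $EC ipset-load-ok [ OK ]
else
  $EC ipset-load-FAILED >&2
fi
#/bin/bash /etc/ipset.conf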
##Clean-all-chains\
#------------------
# Flush every rule, then delete user-defined chains, in the filter, nat and
# mangle tables (same order as before: all -F first, then all -X). Chain
# policies are not touched here, so during the reload the INPUT policy from
# the previous run (DROP) is in force with no ACCEPT rules at all — expect a
# short connectivity blip. The raw table is not cleared.
for tbl in filter nat mangle; do
  $IPT -t "$tbl" -F
done
for tbl in filter nat mangle; do
  $IPT -t "$tbl" -X
done
$EC Clean [ OK ]
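##Security\
#----------
# Kernel TCP/IP tuning, written through /proc. Nothing here aborts on error
# (no set -e), so a missing path just prints a message and the script goes on.
$EC 1 > /proc/sys/net/ipv4/tcp_syncookies # enable SYN cookies (SYN-flood mitigation; the old comment said "disable", but 1 turns them ON)
$EC 30 > /proc/sys/net/ipv4/tcp_fin_timeout # seconds an orphaned socket stays in FIN-WAIT-2
# Established conntrack entries expire after 4h (the kernel default is 5 days).
# /proc/sys/net/ipv4/netfilter/ip_conntrack_* belongs to the legacy
# ip_conntrack module; nf_conntrack kernels expose the knob under
# /proc/sys/net/netfilter/, so try the current name first and fall back.
nf_ct_est=/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
if [ -e "$nf_ct_est" ]; then
  $EC 14400 > "$nf_ct_est"
else
  $EC 14400 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
fi
$EC 0 > /proc/sys/net/ipv4/tcp_sack # disable selective acknowledgements, RFC2018 (costs throughput on lossy links)
$EC 0 > /proc/sys/net/ipv4/tcp_timestamps # disable TCP timestamps, RFC1323 (hides uptime, but also disables PAWS)
#sysctl -w net.ipv4.tcp_max_syn_backlog=4096
#sysctl -w net.ipv4.tcp_keepalive_time=60
#sysctl -w net.ipv4.tcp_keepalive_intvl=10
#sysctl -w net.ipv4.tcp_keepalive_probes=5
# NOTE(review): reverse-path filtering stays off (line below is commented
# out), so the kernel does not reject a packet that arrives on the uplink
# with a LAN (10.x) source; any ACCEPT rule keyed on a LAN source address
# should therefore also match the interface. Confirm before enabling.
#sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.tcp_synack_retries=1
#sysctl -w net.ipv4.tcp_fin_timeout=10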
##TCP-buffer\
#------------
# Socket buffer auto-tuning: min/default/max for per-socket TCP send and
# receive buffers, and the hard ceiling any socket may request via
# setsockopt(SO_RCVBUF/SO_SNDBUF).
tcp_buf_minmax="4096 87380 16777216"
sock_buf_ceiling=16777216
$EC "$tcp_buf_minmax" > /proc/sys/net/ipv4/tcp_wmem
$EC "$tcp_buf_minmax" > /proc/sys/net/ipv4/tcp_rmem
##auto-tuning-limits\
#--------------------
$EC "$sock_buf_ceiling" > /proc/sys/net/core/rmem_max
$EC "$sock_buf_ceiling" > /proc/sys/net/core/wmem_max
##queue-packets\
#---------------
# Longer transmit queue on both NICs (Ethernet default is usually 1000) to
# absorb bursts on the gateway.
for nic in eth0 eth1; do
  /sbin/ifconfig "$nic" txqueuelen 2000
done
##Policy-ipt\
#------------
# Default policies. INPUT is closed by default. FORWARD is open by default,
# so every DNAT target below, and any routed 10.x destination, is reachable
# unless a later FORWARD rule drops it — a DROP policy with explicit accepts
# (ESTABLISHED,RELATED plus -m conntrack --ctstate DNAT) would be the
# defensive choice. The policies are applied before the ACCEPT rules and
# nothing in this script aborts on error, so a failure between here and the
# admin/SSH rules leaves the box unreachable remotely.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
# Create a chain that vets new connection attempts to the protected (SSH) port.
$IPT -N ssh_brute_check
# If this source already has 3 or more hits within the last 5 minutes
# (300 s), drop the attempt. --update also refreshes the timestamp, so a
# client that keeps retrying stays blocked. The default "recent" list is used;
# its size is bounded by the xt_recent ip_list_tot module parameter.
$IPT -A ssh_brute_check -m conntrack --ctstate NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
# Otherwise accept, recording the source in the list (this rule always matches).
$IPT -A ssh_brute_check -m recent --set -j ACCEPT
# Route every new connection to the SSH port (6050) through that check.
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp --dport 6050 -j ssh_brute_check
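###---------------------------------###
### SCAN-logging ###
###---------------------------------###
# Log TCP packets carrying flag combinations a normal stack never sends
# (FIN without ACK, FIN/PSH/URG "Xmas" variants, all flags, no flags,
# SYN+RST, SYN+FIN) — the signatures of nmap-style stealth scans.
# LOG is non-terminating: the packet continues down INPUT and, unless a
# stateless port ACCEPT below matches it, ends in the DROP policy.
# Each LOG is rate-limited (5/min, burst 10) so a flood of crafted packets
# cannot fill /var/log; the original logged every packet unconditionally.
$IPT -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SCAN "
# Unsolicited SYN/ACK (no SYN of ours in conntrack): answer with RST so the
# remote side tears down at once. -I puts this at the top of INPUT.
$IPT -I INPUT -m conntrack --ctstate NEW,INVALID -p tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset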
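##incomming\
#-----------
# Replies to connections this host opened, and further packets of inbound
# connections already accepted. Uses -m conntrack like the rest of the file
# (same semantics as the deprecated -m state it replaces).
$IPT -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT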
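##DOS-security\
#--------------
# All SYN/RST rate limits in this section are disabled; the "DDos protected"
# message at the end is therefore only historic.
#$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN SYN -m limit --limit 10/s -j ACCEPT
#$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN SYN -j DROP
#$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
#$IPT -I INPUT -m conntrack --ctstate NEW,INVALID -p tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
#$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
##ping-accept\
#-------------
# ICMP is needed for PMTU discovery and error reporting, so all types stay
# accepted (as before), but echo-request is now capped so a ping flood from
# the Internet cannot saturate the gateway; excess echo-requests are dropped.
$IPT -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 20 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -p icmp -m icmp -j ACCEPT
$EC DDos protected [ OK ]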
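##admin-access-accept\
#---------------------
# Unconditional TCP access for the admin workstation, inserted at the very
# top of INPUT (ahead of the brute-force check and the SYN/ACK reject).
# "! -i eth0" stops the rule from trusting a spoofed 10.60.0.10 source that
# arrives on the uplink: eth0 is the WAN side (SNAT leaves through it) and
# this script does not enable rp_filter, so nothing else would catch it.
$IPT -I INPUT 1 ! -i eth0 -p tcp -m tcp -s 10.60.0.10/32 -j ACCEPT #admin-ip-local
$IPT -A INPUT -i lo -j ACCEPT #loop
$IPT -A OUTPUT -o lo -j ACCEPT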
##SSH\
#-----
# sshd listens on 6050 (non-standard port). New connections never reach this
# rule — they are decided inside ssh_brute_check, which always terminates —
# and established ones match the ESTABLISHED,RELATED rule. What remains are
# packets conntrack does not tie to a connection (typically INVALID), which
# this rule accepts regardless of state.
$IPT -A INPUT -p tcp -m tcp --dport 6050 -j ACCEPT
##YouTube-speed-up\
#------------------
# Blackhole two Google/YouTube CDN ranges in every direction (the intent,
# presumably, is to push clients onto a closer cache). Hard-coded CDN ranges
# go stale; the FORWARD drops are inserted at the top of the chain, but the
# V.I.P. inserts later in this file end up ahead of them.
for yt_net in 206.111.0.0/16 173.194.55.0/24; do
  $IPT -A INPUT -s "$yt_net" -j DROP
  $IPT -A OUTPUT -d "$yt_net" -j DROP
done
$IPT -I FORWARD 1 -d 206.111.0.0/16 -j DROP
$IPT -I FORWARD 2 -d 173.194.55.0/24 -j DROP
##Web-apache/nginx\
#------------------
# Services hosted on this box and open to any source, in the original
# order: HTTP on 80 and 8000, a Counter-Strike 1.6 server (27015 tcp+udp)
# and the Scout real-time monitoring port (5555). 5555 may deserve a -s
# restriction if only known collectors ever connect to it.
##CS1.6-server\
#-----------
##Scout-Realtime-monitoring\
#---------------------------
for svc in tcp:80 tcp:8000 tcp:27015 udp:27015 tcp:5555; do
  svc_proto=${svc%%:*}
  svc_port=${svc##*:}
  $IPT -A INPUT -p "$svc_proto" -m "$svc_proto" --dport "$svc_port" -j ACCEPT
done
##Zabbix-monitoring\
#-------------------
# Publish the Zabbix web front-end (10.60.0.228:80) as $ip138:55555. Only
# packets arriving on eth0 (the uplink) are translated. The monitoring UIs
# — and Cacti's SSH below — are thereby reachable from the Internet with a
# high port number as the only obstacle; a -s whitelist or the VPN in this
# file would be the usual control.
$IPT -t nat -A PREROUTING -i eth0 -d $ip138 -p tcp --dport 55555 -j DNAT --to-destination 10.60.0.228:80
##Cacti\
#-------
# Cacti web UI and SSH of 10.60.0.249, exposed as $ip138:55556/55557.
# 55555-55557 also fall inside the NAS FTP passive range DNATed further
# down (55536:55663); these earlier rules win, so FTP data connections that
# land on those ports are misdirected to Zabbix/Cacti.
$IPT -t nat -A PREROUTING -i eth0 -d $ip138 -p tcp --dport 55556 -j DNAT --to-destination 10.60.0.249:80
$IPT -t nat -A PREROUTING -i eth0 -d $ip138 -p tcp --dport 55557 -j DNAT --to-destination 10.60.0.249:22
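##SNMP\
#------
# SNMP agent (161) and trap receiver (162), inserted at the top of INPUT.
# Now limited to non-WAN interfaces: the monitoring hosts named in this file
# (Zabbix 10.60.0.228, Cacti 10.60.0.249) are internal, and an SNMP agent
# reachable from the Internet invites community-string guessing and UDP
# reflection abuse. Add an explicit -s rule for any external poller that
# genuinely needs it.
$IPT -I INPUT ! -i eth0 -p udp -m udp --dport 161 -j ACCEPT
$IPT -I INPUT ! -i eth0 -p udp -m udp --dport 162 -j ACCEPT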
##Cam-max-317\
#-------------
# IP camera at 10.60.0.29 published on $ip138 with the ports unchanged.
# Unlike the Zabbix/Cacti rules there is no -i eth0 match, so the translation
# also applies to packets arriving on LAN interfaces. Cameras are a favourite
# botnet target; a source whitelist is advisable. 55559/55560 overlap the
# NAS FTP passive range below (55536:55663) and take precedence over it.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55559 -j DNAT --to-destination 10.60.0.29:55559
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55560 -j DNAT --to-destination 10.60.0.29:55560
# Disabled variants: a second camera, and a hostname target (DNAT needs an
# address, so the second one would not load as written).
#$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55565 -j DNAT --to-destination 10.60.0.67:80
#$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55565 -j DNAT --to-destination camera.kkz.net.ua
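##PPTP-vpn\
#----------
# VPN listeners. PPTP (GRE + tcp/1723) authenticates with MS-CHAPv2, which is
# considered broken; the L2TP/IPsec ports below are the safer path, so PPTP
# should be retired once clients have migrated. GRE is only accepted on the
# uplink; 1723 is accepted on both eth0 and eth1.
$IPT -A INPUT -i eth0 -p gre -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
# L2TP (1701, presumably inside IPsec given 500/4500 — bare L2TP is
# plaintext) and IKE/NAT-T. -m conntrack replaces the deprecated -m state
# used here originally, for consistency with the rest of the file.
$IPT -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 1701 -m comment --comment "L2TP" -j ACCEPT
$IPT -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 500 -m comment --comment "IKEv2" -j ACCEPT
$IPT -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 4500 -m comment --comment "IKEv2" -j ACCEPT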
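##DNS\
#-----
# DNS on 53 is open to the world. If the server recurses for arbitrary
# clients (not visible here) this is an open resolver usable for
# amplification — confirm recursion is limited to the LAN in the server's
# own configuration.
$IPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# 953 is rndc's default control channel for BIND. It must not be reachable
# from the uplink, so it is now limited to non-WAN interfaces (localhost
# only would be better still if rndc is only run on this box).
$IPT -A INPUT ! -i eth0 -p tcp -m tcp --dport 953 -j ACCEPT
$IPT -A INPUT ! -i eth0 -p udp -m udp --dport 953 -j ACCEPT
##++++++++++++++++++++++++++++++++++++++++++
##+++++++++++++INPUT chains END+++++++++++++
##++++++++++++++++++++++++++++++++++++++++++
$EC INPUT chains load [ OK ]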
#mark-packets-for-shape\
#-----------------------
# Classify traffic with fwmarks for a shaper configured elsewhere (no tc
# rules are in this file, so the meaning of each mark is inferred from the
# matches only):
#   0x10 = inbound on eth0 from a source in the "ua-ix" ipset (presumably
#          Ukrainian exchange peers); RETURN stops further marking
#   0x11 = any other inbound on eth0 (foreign traffic)
#   0x12 = from eth1 towards 10.0.0.0/8 (LAN-to-LAN); RETURN
#   0x1  = from the LAN out to ports 20,21,80,443,5190,8080 (FTP, web,
#          5190 is the classic ICQ/AIM port)
# "--set" is the old xt_set option spelling; newer iptables calls it
# --match-set.
$IPT -t mangle -A PREROUTING -i eth0 -m set --set ua-ix src -j MARK --set-mark 0x10
$IPT -t mangle -A PREROUTING -i eth0 -m mark --mark 0x10 -j RETURN
$IPT -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 0x11
$IPT -t mangle -A PREROUTING -d 10.0.0.0/8 -i eth1 -j MARK --set-mark 0x12
$IPT -t mangle -A PREROUTING -i eth1 -m mark --mark 0x12 -j RETURN
$IPT -t mangle -A PREROUTING -s 10.0.0.0/8 -i eth1 -p tcp -m multiport --dports 20,21,80,443,5190,8080 -j MARK --set-mark 0x1
$IPT -t mangle -A PREROUTING -s 10.0.0.0/8 -i eth1 -p udp -m multiport --dports 80,443,5190,8080 -j MARK --set-mark 0x1
$EC mark-traffic-rules [ OK ]
##Proxmox-vm-cluster\
#--------------------
# Proxmox web UI (8006, as 1488) and VNC consoles (5900-5902, unchanged) of
# 10.60.0.31, plus SSH of 10.60.0.30 (as 1489), published on $ip138 to any
# source. VNC is typically unencrypted, and the hypervisor management plane
# is the most valuable target behind this gateway — it belongs behind the
# VPN configured in this file, or at least behind a -s whitelist.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1488 -j DNAT --to-destination 10.60.0.31:8006 #vm0
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 5900 -j DNAT --to-destination 10.60.0.31:5900
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 5901 -j DNAT --to-destination 10.60.0.31:5901
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 5902 -j DNAT --to-destination 10.60.0.31:5902
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1489 -j DNAT --to-destination 10.60.0.30:22 #vm2
#$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1490 -j DNAT --to-destination 10.60.0.31:8006 #vm1
##RDP-pc`s\
#----------
# Windows RDP of two workstations published on $ip139:1313 and :1489 to any
# source. RDP is among the most brute-forced services on the Internet; a
# source whitelist or the VPN is strongly advisable. (1489 on $ip139 does
# not clash with 1489 on $ip138 above because the destination differs.)
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 1313 -j DNAT --to-destination 10.60.0.10:3389 # ssdtux-RDP
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 1489 -j DNAT --to-destination 10.60.0.16:3389
#rtsp\
#-----
# RTSP (554) of three cameras/recorders published on $ip138:1550-1552.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1550 -j DNAT --to-destination 10.60.0.13:554
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1551 -j DNAT --to-destination 10.40.0.45:554
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 1552 -j DNAT --to-destination 10.60.0.11:554
##asterisk-max\
#--------------
# SSH and HTTPS of the Asterisk PBX (10.103.0.203) on $ip139:7881/7882, open
# to any source.
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 7881 -j DNAT --to-destination 10.103.0.203:22
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 7882 -j DNAT --to-destination 10.103.0.203:443
##NAS\
#-----
# NAS web UI on $ip139:55555 (no clash with Zabbix, which uses $ip138).
$IPT -t nat -A PREROUTING -d $ip139 -p tcp --dport 55555 -j DNAT --to-destination 10.60.0.20:80
#nas-ftp-config
# FTP control (55552 -> 21) and the passive data range 55536:55663 forwarded
# to the NAS with ports unchanged. WARNING: that range also contains 55552
# (this control rule), 55555/55556/55557 (Zabbix/Cacti) and 55559/55560
# (camera); those PREROUTING rules come earlier in the chain and win, so a
# passive data connection assigned one of those ports is delivered to the
# wrong host and fails. Narrow the NAS's passive-port setting to a range
# that overlaps nothing else here (and mirror it below), or move to SFTP —
# FTP credentials and data are plaintext anyway.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55552 -j DNAT --to-destination 10.60.0.20:21
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 55536:55663 -j DNAT --to-destination 10.60.0.20
##ESXi-1\
#-------
# ESXi host client / API (443) of 10.60.0.254 published as $ip138:6070 to
# any source — same concern as the Proxmox management plane above.
$IPT -t nat -A PREROUTING -d $ip138 -p tcp --dport 6070 -j DNAT --to-destination 10.60.0.254:443
##kkz.net.ua/kkzcore.pp.ua\
#--------------------------
#old-config--->|  (previous layout: the host was reached through a VLAN-30 alias)
#ifconfig eth1.30:0 11.1.1.1 netmask 255.255.255.0 up
#conf-to-DC--->|  (current layout: the host sits in the 11.1.1.0/24 DC segment on eth1.60)
# Full 1:1 NAT: every protocol and port of $ip142 is forwarded to 11.1.1.245
# and its replies leave as $ip142. With the FORWARD policy at ACCEPT this host
# is effectively directly on the Internet and must run its own host firewall.
$IPT -t nat -A PREROUTING -d $ip142 -j DNAT --to-destination 11.1.1.245 #kkzcore
$IPT -t nat -A POSTROUTING -s 11.1.1.245/32 -o eth0 -j SNAT --to-source $ip142 #kkzcore
#max-ip-telephony  (disabled 1:1 NAT candidates for $ip141: IP phone and ESXi)
#$IPT -t nat -A POSTROUTING -s 10.60.0.223/32 -o eth0 -j SNAT --to-source $ip141 #ip316
#$IPT -t nat -A PREROUTING -d $ip141 -j DNAT --to-destination 10.60.0.223 #ip316
#$IPT -t nat -A POSTROUTING -s 10.60.0.254/32 -o eth0 -j SNAT --to-source $ip141 #esxi
#$IPT -t nat -A PREROUTING -d $ip141 -j DNAT --to-destination 10.60.0.254 #esxi
##kkz.net.ua-new-site-config\
#----------------------------
#pratsko
# Same full 1:1 DNAT for the new web site host, all ports, but without a
# matching SNAT: its outbound traffic leaves as $ip139 via the 10.60.0.0/24
# rule in the SNAT section below.
$IPT -t nat -A PREROUTING -d $ip140 -j DNAT --to-destination 10.60.0.80 #kkz(newsite)
##SNAT-kkz-lan-all\
#-----------------
# Masquerade each LAN segment out of eth0 as a fixed public address, and
# accept forwarded traffic *towards* each segment, so LAN-bound packets are
# not subjected to the string filters appended to FORWARD later.
# Segments: f1..f5 = 10.10-10.50 (as $ip138), lab518 = 10.60 (as $ip139),
# pristroika = 10.103 (as $ip138); 10.102 ("zapas", presumably "spare") is
# disabled. kkzcore has its own SNAT in the 1:1 NAT section above.
#$IPT -t nat -A POSTROUTING -s 11.1.1.245/32 -o eth0 -j SNAT --to-source $ip138 #kkzcore
$IPT -t filter -A FORWARD -d 11.1.1.245/32 -j ACCEPT
while read -r lan_net pub_ip; do
  $IPT -t nat -A POSTROUTING -s "$lan_net" -o eth0 -j SNAT --to-source "$pub_ip"
  $IPT -t filter -A FORWARD -d "$lan_net" -j ACCEPT
done <<EOF
10.10.0.0/24 $ip138
10.20.0.0/24 $ip138
10.30.0.0/24 $ip138
10.40.0.0/24 $ip138
10.50.0.0/24 $ip138
10.60.0.0/24 $ip139
10.103.0.0/24 $ip138
EOF
#$IPT -t nat -A POSTROUTING -s 10.102.0.0/24 -o eth0 -j SNAT --to-source $ip138 #zapas
#$IPT -t filter -A FORWARD -d 10.102.0.0/24 -j ACCEPT
$EC SNAT kkz lan load [ OK ]
###---------------------------------###
### V.I.P. Level.1 ###
###---------------------------------###
# Privileged LAN hosts whose forwarded traffic bypasses every FORWARD filter
# (YouTube drops, switch-management drops, torrent and site string filters):
# inserted at positions 1-5, in this order, ahead of everything else.
vip_pos=1
for vip_host in 10.60.0.10 10.60.0.7 10.60.0.8 10.60.0.17 10.60.0.196; do
  $IPT -I FORWARD "$vip_pos" -s "$vip_host/32" -j ACCEPT
  vip_pos=$((vip_pos + 1))
done
###---------------------------------###
### ban ###
###---------------------------------###
# Blocklist template. 111.111.111.111 is a placeholder; real entries go here
# (an ipset would scale better than one rule per address and per chain).
$IPT -A INPUT -s 111.111.111.111/32 -j DROP
$IPT -A OUTPUT -d 111.111.111.111/32 -j DROP
$IPT -A FORWARD -d 111.111.111.111/32 -j DROP
###---------------------------------###
### kkz-full-ban ###
###---------------------------------###
# Disabled per-host Internet bans. Before re-enabling the last five: a
# "10.10.0.2/24" is normalised by iptables to 10.10.0.0/24, i.e. it would
# cut off the whole segment, not that host — use /32 for a single address.
#$IPT -t filter -A FORWARD -s 10.20.0.49/32 -j DROP
#$IPT -t filter -A FORWARD -s 10.30.0.49/32 -j DROP
#$IPT -t filter -A FORWARD -s 10.40.0.49/32 -j DROP
#$IPT -t filter -A FORWARD -s 10.50.0.49/32 -j DROP
#$IPT -t filter -A FORWARD -s 10.10.0.2/24 -j DROP
#$IPT -t filter -A FORWARD -s 10.20.0.2/24 -j DROP
#$IPT -t filter -A FORWARD -s 10.30.0.2/24 -j DROP
#$IPT -t filter -A FORWARD -s 10.40.0.2/24 -j DROP
#$IPT -t filter -A FORWARD -s 10.50.0.2/24 -j DROP
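###---------------------------------###
### SW-access ###
###---------------------------------###
# Management addresses of the switches: log, then drop, every forwarded
# packet to them. The LOG is rate-limited so a scan of the 10.99.0.0 range
# cannot flood syslog (the original logged every packet). The "V.I.P."
# sources inserted at the top of FORWARD are accepted before these rules
# and therefore still reach the switches. (The original comment on
# 10.99.0.40 said sw5; it is SW4.)
for sw in 10.99.0.10:SW1 10.99.0.20:SW2 10.99.0.30:SW3 10.99.0.40:SW4 10.99.0.50:SW5 10.99.0.100:RSW; do
  sw_ip=${sw%%:*}
  sw_name=${sw##*:}
  $IPT -A FORWARD -d "$sw_ip/32" -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "DANGER-$sw_name "
  $IPT -A FORWARD -d "$sw_ip/32" -j DROP #disable-access-for-all
done
$EC FILTER-sites for kkz-lan [ OK ]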
###---------------------------------###
### Torrents ###
###---------------------------------###
# Payload string matching on every forwarded packet from the LAN
# (--to 65535 = scan the whole packet). Things a maintainer should know:
#  * only plaintext is caught — encrypted/obfuscated BitTorrent passes; this
#    is best-effort policy, not a security control.
#  * "torrent" and "announce" are very broad and also hit ordinary web pages,
#    mail and file names that merely contain the word (false positives).
#  * several later rules can never match: the kmp rules repeat strings
#    already covered above them, "BitTorrent" already contains
#    "BitTorrent protocol", "announce" contains the other announce* strings,
#    "torrent" contains ".torrent" and "bittorrent-announce" — the first
#    matching rule has already dropped the packet. bm and kmp give the same
#    result; only the search algorithm differs.
#  * every forwarded packet pays for ~16 full-payload scans; watch CPU on
#    this gateway before adding more.
#  * LAN-destined traffic (10.x) is exempt because the FORWARD -d ACCEPT
#    rules in the SNAT section match first.
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "BitTorrent" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "BitTorrent protocol" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "peer_id=" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string ".torrent" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce.php?passkey=" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "torrent" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce" --algo bm --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "peer_id" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "bittorrent-announce" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce.php?passkey=" --algo kmp --to 65535 -j DROP
# DHT keywords (find_node / get_peers) — the only rules below "announce"
# that still add coverage.
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "find_node" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "get_peers" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce" --algo kmp --to 65535 -j DROP
$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "announce_peers" --algo kmp --to 65535 -j DROP
#VK-lock\
#---------
# Site-wide vk.com block is disabled; only the biblio-wifi-router below has one.
#$IPT -A FORWARD -s 10.0.0.0/8 -m string --string "vk.com" --algo kmp --to 65535 -j DROP
$EC torrents-lock [ OK ]
###---------------------------------###
### biblio-wifi-router ###
###---------------------------------###
# Content policy for the library wifi router (10.30.0.2): drop forwarded
# packets whose plaintext payload contains any of these hostnames or video
# file extensions. Only unencrypted traffic is affected; ".avi"/".mkv" also
# hit any page or filename containing those strings.
for blocked_pat in vk.com youtube.com m.vk.com m.youtube.com ex.ua .avi fs.to brb.to .mkv; do
  $IPT -A FORWARD -s 10.30.0.2/32 -m string --string "$blocked_pat" --algo kmp --to 65535 -j DROP
done
###---------------------------------###
### wifi-kkz ###
###---------------------------------###
# Block YouTube (hostname in plaintext payload) for the wifi routers at
# x.x.0.49 in segments f2..f5. Catches unencrypted traffic only.
for wifi_router in 10.20.0.49 10.30.0.49 10.40.0.49 10.50.0.49; do
  $IPT -A FORWARD -s "$wifi_router/32" -m string --string "youtube.com" --algo kmp --to 65535 -j DROP
done
##///////////////////////////////////////////////////////////////
$EC Firewall load modules [ OK ]