
Added logo

master
Stefatorus 2 years ago
parent
commit
5ebe37a522
  1. BIN
      Img/minewall.png
  2. 2
      README.md
  3. 38
      Tools/firewall.sh

BIN
Img/minewall.png


2
README.md

@ -1,4 +1,4 @@
# MineWall
![MineWall Explanation Schema](/Img/minewall.png)
MineWall is a Layer 3 mitigation toolset for protocol specifications like Minecraft. It uses forensic data from multiple providers and experience working with 4 figure player Minecraft networks.

38
Tools/firewall.sh

@ -32,7 +32,7 @@ echo "Installing required dependencies: curl, iptables-persistent, ipset"
apt -y -qq install curl iptables-persistent ipset > /dev/null
echo "Installed required depends."
# The port you want to protect. for ranges, use FROM:TO
protect_port=25565
protect_port=20003
# Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall.
@ -48,8 +48,8 @@ checker_minconn=26214400
# MISC. THESE VALUES MAY CHANGE IN THE FUTURE
country-list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
safety-list="https://api.entryrise.com/minewall/"
country_list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
safety_list="https://api.entryrise.com/minewall/"
wgetd="wget -q -c --retry-connrefused -t 0"
@ -58,48 +58,48 @@ iptables -N MineWall
iptables -F MineWall
echo "Preparing clean ipset configuration"
ipset -F mw_blacklist
ipset -F mw_graylist
ipset -F mw_whitelist
ipset -F mw_checklist
ipset -N -! mw_blacklist hash:net maxelem 1500000 timeout $timeout
ipset -N -! mw_graylist hash:net maxelem 10000
ipset -N -! mw_whitelist hash:net maxelem 10000
ipset destroy mw_blacklist
ipset destroy mw_graylist
ipset destroy mw_whitelist
ipset destroy mw_checklist
ipset -N -! mw_blacklist hash:net maxelem 100000 timeout 300
ipset -N -! mw_graylist hash:net maxelem 100000
ipset -N -! mw_whitelist hash:net maxelem 100000
ipset -N -! mw_checklist hash:net maxelem 30 timeout 300
echo "Generating whitelist for the firewall..."
for ip in $(curl $safety-list/{wireless,residential,business}.iplist); do
for ip in $(curl -L $safety_list/{wireless,residential,business}.iplist); do
ipset -A mw_whitelist $ip
done
# Create the graylist of safer countries. It's really important for the base check.
echo "Generating graylist for the firewall..."
for ip in $(curl $country-list/{ro,hu,gb,au,dk,bg,ie,pt,gr}.cidr); do
for ip in $(curl -L $country_list/{ro,hu,gb,au,dk,bg,ie,pt,gr}.cidr); do
ipset -A mw_graylist $ip
done
echo "Generating blacklist for firewall."
for ip in $(curl $safety-list/{others}.iplist); do
for ip in $(curl -L $safety_list/{others}.iplist); do
ipset -A mw_blacklist $ip
done
#
# The blacklist makes sure any "smart bots" are blocked in time on your server after a while.
# Off the table just allow the whitelisted users and drop the blacklisted ones.
iptables -A MineWall -p tcp --dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist
iptables -A MineWall -p tcp --tcp-flags FIN FIN --dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist src
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist -m limit --limit $graylist_verified/s src -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist src -m limit --limit $graylist_verified/s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m limit --limit $graylist_unverified/s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlimit-above $graylist_concurrent -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP
# Add MineWall to iptables and remove it just in case it is already there.
$iptables -D INPUT -p tcp -j MineWall
$iptables -A INPUT -p tcp -j MineWall
iptables -D DOCKER -p tcp -j MineWall
iptables -I DOCKER -p tcp -j MineWall
echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
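Review bot: The three feed loops at `for ip in $(curl -L $safety_list/…)` hand every whitespace-separated token of the download straight to `ipset -A` with no `--fail` and no exit-status check, so a failed or redirected download (an HTML error body, for example) is fed to ipset token by token and the script still goes on to install the rate-limit and DROP rules on top of an empty whitelist. A small helper that aborts when curl fails and only adds tokens that look like an IPv4 address or CIDR would make that failure visible instead of locking players out; a sketch is below. Separately, if the `iptables -D DOCKER` / `iptables -I DOCKER` pair is the new side, note that the DOCKER chain only sees forwarded container traffic and is recreated by the Docker daemon, so a server process listening on the host itself would not be covered and the rules would not survive a Docker restart, which is worth confirming against the intended deployment. The script continues outside the hunk, so the whitelister that is expected to consume `mw_checklist` is not visible here.
```shell
# Download one or more feeds and add each well-formed IPv4/CIDR entry to SET_NAME.
# Aborts the install when a download fails so an empty whitelist never goes live.
load_set() {
  local set_name=$1; shift
  local entries ip
  entries=$(curl -fsSL "$@") || { echo "Could not download feed for $set_name" >&2; exit 1; }
  for ip in $entries; do
    [[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || continue
    ipset -A "$set_name" "$ip"
  done
}
echo "Generating whitelist for the firewall..."
load_set mw_whitelist "$safety_list"/{wireless,residential,business}.iplist
# … unchanged: graylist and blacklist loops, rewritten the same way with mw_graylist / mw_blacklist …
```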
