diff --git a/Img/minewall.png b/Img/minewall.png
new file mode 100644
index 0000000..1def0a8
Binary files /dev/null and b/Img/minewall.png differ
diff --git a/README.md b/README.md
index 86a8bb5..3b62fcd 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# MineWall
+![MineWall Explanation Schema](/Img/minewall.png)
 MineWall is a Layer 3 mitigation toolset for protocol specifications like Minecraft. It uses forensic data from multiple providers and experience working with 4 figure player Minecraft networks.
diff --git a/Tools/firewall.sh b/Tools/firewall.sh
index 2d60bfc..d34dd4c 100644
--- a/Tools/firewall.sh
+++ b/Tools/firewall.sh
@@ -32,7 +32,7 @@ echo "Installing required dependencies: curl, iptables-persistent, ipset"
 apt -y -qq install curl iptables-persistent ipset > /dev/null
 echo "Installed required depends."
 # The port you want to protect. for ranges, use FROM:TO
-protect_port=25565
+protect_port=20003
 # Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall.
@@ -48,8 +48,8 @@ checker_minconn=26214400
 # MISC. THESE VALUES MAY CHANGE IN THE FUTURE
-country-list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
-safety-list="https://api.entryrise.com/minewall/"
+country_list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
+safety_list="https://api.entryrise.com/minewall/"
 wgetd="wget -q -c --retry-connrefused -t 0"
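Review bot: The two feed URLs assigned in the `@@ -48,8` hunk are consumed unverified by the `for ip in $(curl -L …)` loops in the following hunk, so whatever the endpoint — or, now that `-L` follows redirects, any redirect target — returns is written straight into the `ipset -A` calls that feed the ACCEPT and DROP sets. Consider failing the run on a non-2xx response (`curl -fsSL`) and checking each entry against a CIDR pattern before adding it, so a 404 or HTML body does not become a stream of `ipset` errors and a half-built whitelist; nothing visible in these hunks shows `set -e`, so such failures would otherwise go unnoticed. Both URLs also end in `/` while the loops append `/…`, producing `//` in the request path; drop the trailing slash here, e.g. `country_list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4"`, or strip it at the use site with `${country_list%/}`. Marking both `readonly` would document that they are constants rather than tunables.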
@@ -58,48 +58,48 @@ iptables -N MineWall
 iptables -F MineWall
 echo "Preparing clean ipset configuration"
-ipset -F mw_blacklist
-ipset -F mw_graylist
-ipset -F mw_whitelist
-ipset -F mw_checklist
-
-ipset -N -! mw_blacklist hash:net maxelem 1500000 timeout $timeout
-ipset -N -! mw_graylist hash:net maxelem 10000
-ipset -N -! mw_whitelist hash:net maxelem 10000
+ipset destroy mw_blacklist
+ipset destroy mw_graylist
+ipset destroy mw_whitelist
+ipset destroy mw_checklist
+
+ipset -N -! mw_blacklist hash:net maxelem 100000 timeout 300
+ipset -N -! mw_graylist hash:net maxelem 100000
+ipset -N -! mw_whitelist hash:net maxelem 100000
 ipset -N -! mw_checklist hash:net maxelem 30 timeout 300
 echo "Generating whitelist for the firewall..."
-for ip in $(curl $safety-list/{wireless,residential,business}.iplist); do
+for ip in $(curl -L $safety_list/{wireless,residential,business}.iplist); do
 ipset -A mw_whitelist $ip
 done
 # Create the graylist of safer countries. It's really important for the base check.
 echo "Generating graylist for the firewall..."
- for ip in $(curl $country-list/{ro,hu,gb,au,dk,bg,ie,pt,gr}.cidr); do
+ for ip in $(curl -L $country_list/{ro,hu,gb,au,dk,bg,ie,pt,gr}.cidr); do
 ipset -A mw_graylist $ip
 done
 echo "Generating blacklist for firewall."
-for ip in $(curl $safety-list/{others}.iplist); do
+for ip in $(curl -L $safety_list/{others}.iplist); do
 ipset -A mw_blacklist $ip
 done
 #
 # The blacklist makes sure any "smart bots" are blocked in time on your server after a while.
 # Off the table just allow the whitelisted users and drop the blacklisted ones.
-iptables -A MineWall -p tcp --dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist
+iptables -A MineWall -p tcp --tcp-flags FIN FIN --dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist src
 iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
 iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
-iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist -m limit --limit $graylist_verified/s src -j ACCEPT
+iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist src -m limit --limit $graylist_verified/s -j ACCEPT
 iptables -A MineWall -p tcp --dport $protect_port --syn -m limit --limit $graylist_unverified/s -j ACCEPT
 iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlimit-above $graylist_concurrent -j ACCEPT
 iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP
 # Add MineWall to iptables and remove it just in case it is already there.
-$iptables -D INPUT -p tcp -j MineWall
-$iptables -A INPUT -p tcp -j MineWall
+iptables -D DOCKER -p tcp -j MineWall
+iptables -I DOCKER -p tcp -j MineWall
-echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
\ No newline at end of file
+echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
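Review bot: `iptables -I DOCKER -p tcp -j MineWall` is never checked and the script does not create the DOCKER chain, so on a host without Docker (or before dockerd has built its chains) the insert fails and the script still prints "Firewall applied successfully" — no `set -e` is visible anywhere in this hunk. Guard it, e.g. `iptables -n -L DOCKER >/dev/null 2>&1 || { echo "DOCKER chain not found; is Docker running?" >&2; exit 1; }` before the insert and `iptables -I DOCKER -p tcp -j MineWall || exit 1`, and give the preceding `-D` a `# expected to fail on first install` comment with `2>/dev/null` so its error is not mistaken for the real one. Since dockerd rebuilds the DOCKER chain when it restarts, the jump presumably has to be re-added by the cron whitelister the final message refers to — worth confirming and documenting next to the insert. Separately, the earlier lines of this hunk shrink `mw_blacklist` from maxelem 1500000 to 100000 and replace `$timeout` with a hard-coded 300 s: if `others.iplist` holds more than 100000 entries the later `ipset -A` calls fail silently, and a five-minute expiry means blacklisted sources are readmitted unless a refresh runs at least that often. The `mw_checklist` set populated by the new `--tcp-flags FIN FIN` rule is not matched by any rule in this hunk; if it is consumed by another script, a one-line comment saying so would help the next reader.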