@ -32,7 +32,7 @@ echo "Installing required dependencies: curl, iptables-persistent, ipset"
apt -y -qq install curl iptables-persistent ipset > /dev/null
apt -y -qq install curl iptables-persistent ipset > /dev/null
echo "Installed required depends."
echo "Installed required depends."
# The port you want to protect. for ranges, use FROM:TO
# The port you want to protect. for ranges, use FROM:TO
protect_port = 25565
protect_port = 20003
# Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall.
# Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall.
@ -48,8 +48,8 @@ checker_minconn=26214400
# MISC. THESE VALUES MAY CHANGE IN THE FUTURE
# MISC. THESE VALUES MAY CHANGE IN THE FUTURE
country-list = "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
safety-list = "https://api.entryrise.com/minewall/"
country_list = "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
safety_list = "https://api.entryrise.com/minewall/"
wgetd = "wget -q -c --retry-connrefused -t 0"
wgetd = "wget -q -c --retry-connrefused -t 0"
@ -58,48 +58,48 @@ iptables -N MineWall
iptables -F MineWall
iptables -F MineWall
echo "Preparing clean ipset configuration"
echo "Preparing clean ipset configuration"
ipset -F mw_blacklist
ipset -F mw_graylist
ipset -F mw_whitelist
ipset -F mw_checklist
ipset -N -! mw_blacklist hash:net maxelem 1500000 timeout $timeout
ipset -N -! mw_graylist hash:net maxelem 10000
ipset -N -! mw_whitelist hash:net maxelem 10000
ipset destroy mw_blacklist
ipset destroy mw_graylist
ipset destroy mw_whitelist
ipset destroy mw_checklist
ipset -N -! mw_blacklist hash:net maxelem 100000 timeout 300
ipset -N -! mw_graylist hash:net maxelem 100000
ipset -N -! mw_whitelist hash:net maxelem 100000
ipset -N -! mw_checklist hash:net maxelem 30 timeout 300
ipset -N -! mw_checklist hash:net maxelem 30 timeout 300
echo "Generating whitelist for the firewall..."
echo "Generating whitelist for the firewall..."
for ip in $( curl $safety -list /{ wireless,residential,business} .iplist) ; do
for ip in $( curl -L $safety_list /{ wireless,residential,business} .iplist) ; do
ipset -A mw_whitelist $ip
ipset -A mw_whitelist $ip
done
done
# Create the graylist of safer countries. It's really important for the base check.
# Create the graylist of safer countries. It's really important for the base check.
echo "Generating graylist for the firewall..."
echo "Generating graylist for the firewall..."
for ip in $( curl $country -list /{ ro,hu,gb,au,dk,bg,ie,pt,gr} .cidr) ; do
for ip in $( curl -L $country_list /{ ro,hu,gb,au,dk,bg,ie,pt,gr} .cidr) ; do
ipset -A mw_graylist $ip
ipset -A mw_graylist $ip
done
done
echo "Generating blacklist for firewall."
echo "Generating blacklist for firewall."
for ip in $( curl $safety -list /{ others} .iplist) ; do
for ip in $( curl -L $safety_list /{ others} .iplist) ; do
ipset -A mw_blacklist $ip
ipset -A mw_blacklist $ip
done
done
#
#
# The blacklist makes sure any "smart bots" are blocked in time on your server after a while.
# The blacklist makes sure any "smart bots" are blocked in time on your server after a while.
# Off the table just allow the whitelisted users and drop the blacklisted ones.
# Off the table just allow the whitelisted users and drop the blacklisted ones.
iptables -A MineWall -p tcp --dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist
iptables -A MineWall -p tcp --tcp-flags FIN FIN -- dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist src
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist -m limit --limit $graylist_verified /s src -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist src -m limit --limit $graylist_verified /s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m limit --limit $graylist_unverified /s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m limit --limit $graylist_unverified /s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlimit-above $graylist_concurrent -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlimit-above $graylist_concurrent -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP
iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP
# Add MineWall to iptables and remove it just in case it is already there.
# Add MineWall to iptables and remove it just in case it is already there.
$iptables -D INPUT -p tcp -j MineWall
$iptables -A INPUT -p tcp -j MineWall
iptables -D DOCKER -p tcp -j MineWall
iptables -I DOCKER -p tcp -j MineWall
echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
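Review bot: The three `for ip in $( curl -L … )` loops feed every whitespace-separated token of the HTTP response straight into `ipset -A`, and the whitelist entries are matched before the blacklist DROP and before every rate limit, so a non-200 response body or an altered list becomes firewall policy without any check; add `-fsS` to the curl calls and reject tokens that are not an address or CIDR before adding them, e.g. `[[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || continue`. Moving the jump from `INPUT` to the `DOCKER` chain (`iptables -I DOCKER -p tcp -j MineWall`) deserves a comment: Docker rewrites that chain when it restarts or reconfigures, and Docker documents `DOCKER-USER` as the chain meant for administrator rules, so the inserted jump can silently disappear and host traffic that does not pass through Docker is no longer filtered at all. None of the ipset or iptables calls is checked and the script has no `set -e`, so the final "Firewall applied successfully" message prints even when every rule failed; making it conditional on the exit status of the jump insertion, `iptables -I DOCKER -p tcp -j MineWall || { echo "Failed to install MineWall jump" >&2; exit 1; }`, would surface that. The spaces in `-- dport` on the new checklist rule and in `$graylist_verified /s` may be rendering artefacts; if they are present in the file, iptables rejects those rules and the checklist set is never fed.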