@ -32,7 +32,7 @@ echo "Installing required dependencies: curl, iptables-persistent, ipset" 
			
		
	
		
			
				
					apt -y -qq install curl iptables-persistent ipset > /dev/null 
			
		
	
		
			
				
					echo  "Installed required depends."  
			
		
	
		
			
				
					# The port you want to protect. for ranges, use FROM:TO  
			
		
	
		
			
				
					protect_port = 25565   
			
		
	
		
			
				
					protect_port = 20003   
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					# Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall.  
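Review bot: The changed `protect_port = 20003` line is not a shell assignment: with spaces around `=` the shell runs a command named `protect_port` with the arguments `=` and `20003`, so `$protect_port` is empty when the `--dport $protect_port` rules in the later hunk are applied and every rule fails to load. The spacing may be an artifact of how this page is rendered, so confirm it in the file; if it really reads this way the fix is `protect_port=20003`. The same `name = "value"` spacing appears on the `country_list`, `safety_list` and `wgetd` lines of the next hunk and needs the same treatment.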
			
		
	
	
		
			
				
					
						
						
						
							
								 
						
					 
				
				@ -48,8 +48,8 @@ checker_minconn=26214400 
			
		
	
		
			
				
					# MISC. THESE VALUES MAY CHANGE IN THE FUTURE  
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					country-list = "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"  
			
		
	
		
			
				
					safety-list = "https://api.entryrise.com/minewall/"  
			
		
	
		
			
				
					country_list = "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"  
			
		
	
		
			
				
					safety_list = "https://api.entryrise.com/minewall/"  
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					wgetd = "wget -q -c --retry-connrefused -t 0"  
			
		
	
		
			
				
					
 
			
		
	
	
		
			
				
					
						
						
						
							
								 
						
					 
				
				@ -58,48 +58,48 @@ iptables -N MineWall 
			
		
	
		
			
				
					iptables -F MineWall 
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					echo  "Preparing clean ipset configuration"  
			
		
	
		
			
				
					ipset -F  mw_blacklist 
			
		
	
		
			
				
					ipset -F  mw_graylist 
			
		
	
		
			
				
					ipset -F  mw_whitelist 
			
		
	
		
			
				
					ipset -F  mw_checklist 
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					ipset -N -! mw_blacklist hash:net maxelem 1500000  timeout $timeout   
			
		
	
		
			
				
					ipset -N -! mw_graylist hash:net maxelem 10000  
			
		
	
		
			
				
					ipset -N -! mw_whitelist hash:net maxelem 10000  
			
		
	
		
			
				
					ipset destroy  mw_blacklist 
			
		
	
		
			
				
					ipset destroy  mw_graylist 
			
		
	
		
			
				
					ipset destroy  mw_whitelist 
			
		
	
		
			
				
					ipset destroy  mw_checklist 
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					ipset -N -! mw_blacklist hash:net maxelem 100000  timeout 300   
			
		
	
		
			
				
					ipset -N -! mw_graylist hash:net maxelem 100000   
			
		
	
		
			
				
					ipset -N -! mw_whitelist hash:net maxelem 100000   
			
		
	
		
			
				
					ipset -N -! mw_checklist hash:net maxelem 30  timeout 300  
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					  
			
		
	
		
			
				
					echo  "Generating whitelist for the firewall..."  
			
		
	
		
			
				
					for  ip in $( curl $safety -list /{ wireless,residential,business} .iplist) ;  do  
			
		
	
		
			
				
					for  ip in $( curl -L  $safety_list  /{ wireless,residential,business} .iplist) ;  do  
			
		
	
		
			
				
					  ipset -A mw_whitelist $ip  
			
		
	
		
			
				
					done  
			
		
	
		
			
				
					 # Create the graylist of safer countries. It's really important for the base check.  
			
		
	
		
			
				
					 echo  "Generating graylist for the firewall..."  
			
		
	
		
			
				
					 for  ip in $( curl $country -list /{ ro,hu,gb,au,dk,bg,ie,pt,gr} .cidr) ;  do  
			
		
	
		
			
				
					 for  ip in $( curl -L  $country_list  /{ ro,hu,gb,au,dk,bg,ie,pt,gr} .cidr) ;  do  
			
		
	
		
			
				
					  ipset -A mw_graylist $ip  
			
		
	
		
			
				
					 done  
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					echo  "Generating blacklist for firewall."  
			
		
	
		
			
				
					for  ip in $( curl $safety -list /{ others} .iplist) ;  do  
			
		
	
		
			
				
					for  ip in $( curl -L  $safety_list  /{ others} .iplist) ;  do  
			
		
	
		
			
				
					  ipset -A mw_blacklist $ip  
			
		
	
		
			
				
					done  
			
		
	
		
			
				
					#  
			
		
	
		
			
				
					# The blacklist makes sure any "smart bots" are blocked in time on your server after a while.  
			
		
	
		
			
				
					  
			
		
	
		
			
				
					# Off the table just allow the whitelisted users and drop the blacklisted ones.  
			
		
	
		
			
				
					iptables -A MineWall -p tcp --dport $protect_port  -m connbytes --connbytes $checker_minconn  --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist 
			
		
	
		
			
				
					iptables -A MineWall -p tcp --tcp-flags FIN FIN -- dport $protect_port  -m connbytes --connbytes $checker_minconn  --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist src  
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					iptables -A MineWall -p tcp --dport $protect_port  -m set  --match-set mw_whitelist src -j ACCEPT 
			
		
	
		
			
				
					iptables -A MineWall -p tcp --dport $protect_port  -m set  --match-set mw_blacklist src -j DROP 
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					iptables -A MineWall -p tcp --dport $protect_port  --syn -m set  --match-set mw_graylist -m limit --limit $graylist_verified /s src  -j ACCEPT 
			
		
	
		
			
				
					iptables -A MineWall -p tcp --dport $protect_port  --syn -m set  --match-set mw_graylist src  -m limit --limit $graylist_verified /s -j ACCEPT 
			
		
	
		
			
				
					iptables -A MineWall -p tcp --dport $protect_port  --syn -m limit --limit $graylist_unverified /s -j ACCEPT 
			
		
	
		
			
				
					iptables -A MineWall -p tcp --dport $protect_port  --syn -m connlimit ! --connlimit-above $graylist_concurrent  -j ACCEPT 
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					iptables -A MineWall -p tcp --dport $protect_port  --syn -j DROP 
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					# Add MineWall to iptables and remove it just in case it is already there.  
			
		
	
		
			
				
					$iptables  -D INPUT 
			
		
	
		
			
				
					$iptables  -A INPUT 
			
		
	
		
			
				
					iptables -D DOCKER  -p tcp -j MineWall 
			
		
	
		
			
				
					iptables -I DOCKER  -p tcp -j MineWall 
			
		
	
		
			
				
					
 
			
		
	
		
			
				
					echo  "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
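Review bot: The three `for ip in $(curl -L …)` loops in the middle of the hunk pass whatever the remote feed returns straight to `ipset -A`, with no `--fail` on curl and no check that each token is an IPv4 address or prefix, so an HTTP error body or an unexpected entry such as `0.0.0.0/0` lands in `mw_whitelist`, `mw_graylist` or `mw_blacklist` — for the whitelist that makes the `ACCEPT` rule near the bottom of the hunk match every source. Fetch with `curl -fsSL` and validate each token before adding it, as below; the spacing in `$safety_list  /{ wireless,…} .iplist` looks like a rendering artifact and the intended path is presumably `${safety_list}/{wireless,residential,business}.iplist`, and `-- dport` in the new FIN rule should likewise be `--dport` — both worth confirming in the file. Separately, the new `iptables -I DOCKER -p tcp -j MineWall` replaces the old `INPUT` hook: if the DOCKER chain does not exist the insert fails but the script still prints `Firewall applied successfully`, so check its status, e.g. `iptables -I DOCKER -p tcp -j MineWall || { echo "failed to hook MineWall" >&2; exit 1; }`, or keep an `INPUT` hook for traffic that does not go through the container chain.
```shell
# … unchanged: ipset destroy / create …
echo "Generating whitelist for the firewall..."
# -f: treat HTTP errors as failures so an error page is never parsed as a list
for ip in $(curl -fsSL "${safety_list}"/{wireless,residential,business}.iplist); do
  # accept only dotted-quad IPv4 with an optional prefix length; skip anything else
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || continue
  ipset -A mw_whitelist "$ip"
done
# … unchanged: graylist and blacklist loops (same validation applies) …
```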