Browse Source

Initial firewall commit

master
Stefatorus 3 years ago
parent
commit
7c51770456
  1. 80
      Tools/firewall.sh

80
Tools/firewall.sh

@ -0,0 +1,80 @@
#!/bin/bash
#
# __ __ _ __ __ _ _
# | \/ (_) by \ \ENTRYRISE / | | |
# | \ / |_ _ __ __\ \ /\ / /_ _| | |
# | |\/| | | '_ \ / _ \ \/ \/ / _` | | |
# | | | | | | | | __/\ /\ / (_| | | |
# |_| |_|_|_| |_|\___| \/ \/ \__,_|_|_|
#
# Minewall provides a firewall-based implementation for mitigating attacks in Minecraft.
# Unlike layer 7 antibots, MineWall uses a novel approach combining both Layer 3 checks with Layer 7 traffic analysis and
# categorization to provide a better, more accurate solution for finding, and tackling bots
#
#
# FAQ:
#
# 1) How does the whitelisting system work? Usually, volumetric attacks rely on dumb bots that are not capable of joining your
# subserver or taking actions that normally your players would take. By leveraging this activity, this antibot can automatically
# whitelist your actual players (or highly probable players) while leaving bots blocked.
#
# 2) How does the country whitelist system work? By using the fact that most bots come from high risk countries, we can often run
# statistical decisions to help us allow a majority of players while blocking high risk ones. This is highly useful in production,
# and can have great effects on the effectiveness of the firewall.
#
# 3) How does the cloud system work? Cloudflare allows us to host a decentralized platform to optionally enhance the way that the firewall
# works with self updated proxy lists. It automatically pulls proxies from multiple proxy lists, prepares them from blocking and provides
# them in an ipset compatible format.
#
# (!): You can also set it to share your found proxies so they can be blocked later mainstream.
echo "Installing required dependencies: curl, iptables-persistent, ipset"
apt -y -qq install curl iptables-persistent ipset > /dev/null
echo "Installed required depends."
# The port you want to protect. for ranges, use FROM:TO
protect_port=25565
# Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall.
graylist_verified=100
graylist_unverified=15
# MISC. THESE VALUES MAY CHANGE IN THE FUTURE
country-list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
wgetd="wget -q -c --retry-connrefused -t 0"
echo "Preparing clean iptables configuration"
iptables -N MineWall
iptables -F MineWall
echo "Preparing clean ipset configuration"
ipset -F mw_blacklist
ipset -F mw_graylist
ipset -F mw_whitelist
ipset -N -! mw_blacklist hash:net maxelem 1500000 timeout $timeout
ipset -N -! mw_graylist hash:net maxelem 10000
ipset -N -! mw_whitelist hash:net maxelem 10000
# Create the graylist of safer countries. It's really important for the base check.
echo "Generating graylist for the firewall..."
for ip in $(curl $country-list/{ro,ua,tr,nl,de}.cidr); do
ipset -A mw_graylist $ip
done
echo "Graylist finished generating."
# Off the table just allow the whitelisted users and drop the blacklisted ones.
$iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
$iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
$iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist -m limit --limit $graylist_verified/s src -j ACCEPT
$iptables -A MineWall -p tcp --dport $protect_port --syn -m limit --limit $graylist_unverified/s -j ACCEPT
$iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP
# Add MineWall to iptables and remove it just in case it is already there.
$iptables -D INPUT -p tcp -j MineWall
$iptables -A INPUT -p tcp -j MineWall
echo "Firewall applied successfully."
Loading…
Cancel
Save