Final testing commit

3 years ago · d3a321a0d9
2 changed files with 49 additions and 6 deletions
--- a/Tools/firewall.sh
+++ b/Tools/firewall.sh
@ -29,7 +29,8 @@
 # (!): You can also set it to share your found proxies so they can be blocked later mainstream.

 echo "Installing required dependencies: curl, iptables-persistent, ipset"
-apt -y -qq install curl iptables-persistent ipset > /dev/null
+apt -y -qq install curl iptables-persistent ipset conntrack > /dev/null
+yum -y install curl iptables-service ipset-service conntrack > /dev/null
 echo "Installed required depends."
 # The port you want to protect. for ranges, use FROM:TO
 protect_port=20003
@ -46,7 +47,7 @@ graylist_concurrent=3
 checker_minconn=26214400

 # MISC. THESE VALUES MAY CHANGE IN THE FUTURE
-
+target_chain=INPUT

 country_list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
 safety_list="https://api.entryrise.com/minewall/"
@ -87,8 +88,6 @@ done
 # The blacklist makes sure any "smart bots" are blocked in time on your server after a while.
 
 # Off the table just allow the whitelisted users and drop the blacklisted ones.
-iptables -A MineWall -p tcp --tcp-flags FIN FIN --dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist src
-
 iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
 iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP

@ -99,7 +98,14 @@ iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlim
 iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP

 # Add MineWall to iptables and remove it just in case it is already there.
-iptables -D DOCKER -p tcp -j MineWall
-iptables -I DOCKER -p tcp -j MineWall
+iptables -D $target_chain -p tcp -j MineWall
+iptables -I $target_chain -p tcp -j MineWall
+
+# REDHAT BASED
+iptables-save > /etc/sysconfig/iptables
+# DEBIAN BASED
+iptables-save > /etc/iptables/rules.v4
+# Having 2 files is not ideal but not an issue
+# TODO: Check OS and apply specific commands only.

 echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
--- a/Tools/whitelister.sh
+++ b/Tools/whitelister.sh
@ -1,2 +1,39 @@
 #!/bin/bash

+safety_list="https://api.entryrise.com/minewall/"
+
+# Make sure to change protect port to your own protect port.
+# $6 > X means the packet count before validating user.
+# Recommending a value for X between 10k (~100 seconds) and 50k (~500 seconds) for validation)
+command_check=$(conntrack -L | awk '{if ($6 > 10000 && $4 == "ESTABLISHED" && $8 == "dport=20003") print $5}');
+#command_check=$(conntrack -L | awk '{if ($6 > PACKETS_TO_WHITELIST && $4 == "CONNECTION FULLY RUNNING" && $8 == "dport=PORT OF SERVER") print $5}');
+
+echo "Updating blacklist for firewall."
+for ip in $(curl -L $safety_list/{others}.iplist); do
+ ipset -A mw_blacklist $ip
+done
+
+echo "Updating whitelist for the firewall."
+for ip in $(curl -L $safety_list/{wireless,residential,business}.iplist); do
+ ipset -A mw_whitelist $ip
+done
+
+echo "Sending actual players to remote database."
+for data in $command_check; do
+ if [[ $data == "src="* ]]
+ then
+ curl -X POST -d 'ip='$(echo $data | cut -c 5-) $safety_list
+ fi
+done
+
+
+
+echo "Done"
+
+
+#
+#
+#
+#
+#
+# PUT THIS ON A CRONTAB TO RUN EACH 5 MINUTES!!!!