Final testing commit

3 years ago · d3a321a0d9
2 changed files with 49 additions and 6 deletions
--- a/Tools/firewall.sh
+++ b/Tools/firewall.sh
@ -29,7 +29,8 @@
 #    (!): You can also set it to share your found proxies so they can be blocked later mainstream.
 echo "Installing required dependencies: curl, iptables-persistent, ipset"
 apt -y -qq install curl iptables-persistent ipset > /dev/null
 apt -y -qq install curl iptables-persistent ipset conntrack > /dev/null
 yum -y install curl iptables-service ipset-service conntrack > /dev/null
 echo "Installed required depends."
 # The port you want to protect. for ranges, use FROM:TO
 protect_port=20003
@ -46,7 +47,7 @@ graylist_concurrent=3
 checker_minconn=26214400
 # MISC. THESE VALUES MAY CHANGE IN THE FUTURE
 target_chain=INPUT
 country_list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
 safety_list="https://api.entryrise.com/minewall/"
@ -87,8 +88,6 @@ done
 # The blacklist makes sure any "smart bots" are blocked in time on your server after a while.
 # Off the table just allow the whitelisted users and drop the blacklisted ones.
 iptables -A MineWall -p tcp --tcp-flags FIN FIN --dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist src
 iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
 iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
@ -99,7 +98,14 @@ iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlim
 iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP
 # Add MineWall to iptables and remove it just in case it is already there.
 iptables -D DOCKER -p tcp -j MineWall
 iptables -I DOCKER -p tcp -j MineWall
 iptables -D $target_chain -p tcp -j MineWall
 iptables -I $target_chain -p tcp -j MineWall
 # REDHAT BASED
 iptables-save > /etc/sysconfig/iptables
 # DEBIAN BASED
 iptables-save > /etc/iptables/rules.v4
 # Having 2 files is not ideal but not an issue
 # TODO: Check OS and apply specific commands only.
 echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
--- a/Tools/whitelister.sh
+++ b/Tools/whitelister.sh
@ -1,2 +1,39 @@
 #!/bin/bash
 safety_list="https://api.entryrise.com/minewall/"
 # Make sure to change protect port to your own protect port.
 # $6 > X means the packet count before validating user.
 # Recommending a value for X between 10k (~100 seconds) and 50k (~500 seconds) for validation)
 command_check=$(conntrack -L | awk '{if ($6 > 10000 && $4 == "ESTABLISHED" && $8 == "dport=20003") print $5}');
 #command_check=$(conntrack -L | awk '{if ($6 > PACKETS_TO_WHITELIST && $4 == "CONNECTION FULLY RUNNING" && $8 == "dport=PORT OF SERVER") print $5}');
 echo "Updating blacklist for firewall."
 for ip in $(curl -L $safety_list/{others}.iplist); do
  ipset -A mw_blacklist $ip
 done
 echo "Updating whitelist for the firewall."
 for ip in $(curl -L $safety_list/{wireless,residential,business}.iplist); do
  ipset -A mw_whitelist $ip
 done
 echo "Sending actual players to remote database."
 for data in $command_check; do
  if [[ $data == "src="* ]]
  then
    curl -X POST -d 'ip='$(echo $data | cut -c 5-) $safety_list
  fi
 done
 echo "Done"
 #
 #
 #
 #
 #
 # PUT THIS ON A CRONTAB TO RUN EACH 5 MINUTES!!!!