@ -32,7 +32,7 @@ echo "Installing required dependencies: curl, iptables-persistent, ipset"
apt -y -qq install curl iptables-persistent ipset > /dev/null
echo "Installed required depends."
# The port you want to protect. for ranges, use FROM:TO
protect_port = 25565
protect_port = 20003
# Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall.
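Review bot: `protect_port = 20003` keeps spaces around `=`, and the same applies to `country_list = "…"` and `safety_list = "…"` in the next hunk; if that whitespace is in the file rather than an artifact of this rendering, bash runs a command named `protect_port` instead of assigning, the variable stays empty, and every later `--dport $protect_port` rule is rejected by iptables for a missing argument, so the MineWall chain ends up without its filtering rules while the install continues. The assignment must be `protect_port=20003` (likewise `country_list="…"` and `safety_list="…"`). Because a missing port value silently degrades the firewall, it is worth asserting it before any rule is emitted, e.g. `: "${protect_port:?protect_port must be set}"` ahead of the iptables section.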
@ -48,8 +48,8 @@ checker_minconn=26214400
country-list = "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
safety-list = "https://api.entryrise.com/minewall/"
country_list = "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
safety_list = "https://api.entryrise.com/minewall/"
wgetd = "wget -q -c --retry-connrefused -t 0"
@ -58,48 +58,48 @@ iptables -N MineWall
iptables -F MineWall
echo "Preparing clean ipset configuration"
ipset -F mw_blacklist
ipset -F mw_graylist
ipset -F mw_whitelist
ipset -F mw_checklist
ipset -N -! mw_blacklist hash:net maxelem 1500000 timeout $timeout
ipset -N -! mw_graylist hash:net maxelem 10000
ipset -N -! mw_whitelist hash:net maxelem 10000
ipset destroy mw_blacklist
ipset destroy mw_graylist
ipset destroy mw_whitelist
ipset destroy mw_checklist
ipset -N -! mw_blacklist hash:net maxelem 100000 timeout 300
ipset -N -! mw_graylist hash:net maxelem 100000
ipset -N -! mw_whitelist hash:net maxelem 100000
ipset -N -! mw_checklist hash:net maxelem 30 timeout 300
echo "Generating whitelist for the firewall..."
for ip in $( curl $safety -list /{ wireless,residential,business} .iplist) ; do
for ip in $( curl -L $safety_list /{ wireless,residential,business} .iplist) ; do
ipset -A mw_whitelist $ip
# Create the graylist of safer countries. It's really important for the base check.
echo "Generating graylist for the firewall..."
for ip in $( curl $country -list /{ ro,hu,gb,au,dk,bg,ie,pt,gr} .cidr) ; do
for ip in $( curl -L $country_list /{ ro,hu,gb,au,dk,bg,ie,pt,gr} .cidr) ; do
ipset -A mw_graylist $ip
echo "Generating blacklist for firewall."
for ip in $( curl $safety -list /{ others} .iplist) ; do
for ip in $( curl -L $safety_list /{ others} .iplist) ; do
ipset -A mw_blacklist $ip
# The blacklist makes sure any "smart bots" are blocked in time on your server after a while.
# Off the table just allow the whitelisted users and drop the blacklisted ones.
iptables -A MineWall -p tcp --dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist
iptables -A MineWall -p tcp --tcp-flags FIN FIN -- dport $protect_port -m connbytes --connbytes $checker_minconn --connbytes-dir reply --connbytes-mode bytes -j SET --add-set mw_checklist src
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist -m limit --limit $graylist_verified /s src -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist src -m limit --limit $graylist_verified /s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m limit --limit $graylist_unverified /s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlimit-above $graylist_concurrent -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP
# Add MineWall to iptables and remove it just in case it is already there.
$iptables -D INPUT -p tcp -j MineWall
$iptables -A INPUT -p tcp -j MineWall
iptables -D DOCKER -p tcp -j MineWall
iptables -I DOCKER -p tcp -j MineWall
echo "Firewall applied successfully. Please add the whitelister script to crontab (each minute) to finish installation"
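Review bot: The `iptables -D DOCKER` / `iptables -I DOCKER -p tcp -j MineWall` pair that replaces the INPUT hook at the end of the hunk is unchecked and the "Firewall applied successfully" message is printed unconditionally, so on a host without Docker (no DOCKER chain) the MineWall chain is built but never referenced, the port is left unprotected, and the script still reports success. Guard the insert, which is the step that matters: `iptables -I DOCKER -p tcp -j MineWall || { echo "MineWall: could not hook the DOCKER chain" >&2; exit 1; }` (the preceding `-D` may legitimately fail on a first run and can stay unchecked). Since the INPUT hook is dropped, traffic to `$protect_port` for a server running directly on the host no longer traverses MineWall; if that is intended, a comment saying the script now protects container-published ports only would prevent surprises. The three `curl -L` fetches that feed `ipset -A` in this hunk should also use `-f` (`curl -fsL …`) so an HTTP error body is not word-split into ipset entries, and the `for … do` loops appear without their `done` lines, so part of the hunk seems to be missing from this rendering.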