antiddos-yuki

#!/usr/bin/env bash
# Script is written to protect Linux servers.
# Enjoy! Made by yuki with love <3.

# --------------------------------

# Functions.

print_default() {
    # For printing gradient messages with auto-fallback.
	if command -v lolcat &>/dev/null; then
		echo -e "$1" | lolcat
	else
		echo -e "${BGray}$1"
	fi
}

print_default2() {
    # For printing gray messages.
    echo -e "${BGray}$1"
}

print_success() {
    # For printing gradient success messages with auto-fallback.
	if command -v lolcat &>/dev/null; then
		echo -e "✓ Success. $1" | lolcat
	else
		echo -e "${BGray}✓ Success. $1"
	fi
}

print_warning () {
    # For printing gradient warning messages with auto-fallback.
    if command -v lolcat &>/dev/null; then
        echo -e "⚠︎ Warning: $1" | lolcat >&2
    else
        echo -e "${BGray}⚠︎ Warning: $1" >&2
    fi
}

print_error() {
    # For printing gradient error messages with auto-fallback.
	if command -v lolcat &>/dev/null; then
		echo -e "✗ Fail. $1" | lolcat >&2
	else
		echo -e "${BRed}✗ Fail. $1" >&2
	fi
}

rootcheck() {
    if [[ $EUID -ne 0 ]]; then
        print_warning "This script must be run as root. Restarting with sudo/su..."

        if command -v sudo &> /dev/null; then
            print_default2 "Automatic choice: 'sudo' was selected and will be used."
            # shellcheck disable=SC2128
            sudo -E "$SHELL" "$BASH_SOURCE" "$@"
            exit $?
        elif command -v su &> /dev/null; then
            print_default2 "Automatic choice: 'su' was selected and will be used."
            # shellcheck disable=SC2128
            script_path="$(readlink -f "$BASH_SOURCE")"
            su -c "$script_path" "$@"
            exit $?
        else
            print_error "Automatic choice failed: neither sudo nor su was found. Exiting."
            exit 1
        fi
    fi
}

accidental_start_prevention() {
    print_default "Accidental start prevention: press 'enter' within 5 seconds to continue, CTRL+C to cancel."

    for counter in {1..5}; do
        if IFS= read -rt 1 -N 1 key; then
            case $key in
                $'\n') print_success "Starting the script..." && return ;;
                $'\x03') print_default2 "Ctrl+C detected. Exiting..." && exit 130 ;;
            esac
        fi
    done

    print_default2 "\nNo response within 5 seconds. Exiting..."
    exit 0
}

cleanup() {
    print_default "Received CTRL+C. Exiting..."
    tput sgr0
    exit 130
}

# ----------------------------------

rootcheck "$@"

# Distribution check.

# Check for the --skip_distro_check argument.
if [ "$1" != "--skip-distro-check" ]; then
    # Check the distribution
    if command -v lsb_release > /dev/null 2>&1; then
        distro=$(lsb_release -is)
    elif [ -e /etc/os-release ]; then
        distro=$(awk -F= '/^ID=/{print tolower($2)}' /etc/os-release)
    else
        print_error "Failed to determine the distribution. Make sure lsb-release is installed or /etc/os-release is accessible. If you're sure this is an error, use --skip-distro-check."
        exit 1
    fi
    
    case "$distro" in
        "Ubuntu" | "Debian")
            # The distribution is supported, no output.
            ;;
        *)
            print_error "Your distribution ($distro) is not supported. If you're sure this is an error, use --skip-distro-check and report it by opening an issue on GitHub."
            exit 1
            ;;
    esac
fi

# Check if all dependencies are installed.

dependencies=("iptables" "nftables" "ipset" "netfilter-persistent" "git")
missing_dependencies=()
for dep in "${dependencies[@]}"; do
    if ! dpkg -s "$dep" &>/dev/null; then
        missing_dependencies+=("$dep")
    fi
done

# If there are missing dependencies, prompt the user to install them
if [ "${#missing_dependencies[@]}" -gt 0 ]; then
    print_warning "The following dependencies are missing: ${missing_dependencies[*]}"
    
    # Check if user has sudo privileges
    if sudo -v >/dev/null 2>&1; then
        print_default2 "Do you want to install them with sudo? (y/n)"

        read -r install_response
        case "$install_response" in
            [yY])
                # Install missing dependencies
                apt install "${missing_dependencies[@]}" -y
                ;;
            [nN])
                print_warning "The script cannot run without them. Exiting..."
                exit 1
                ;;
            *)
                print_error "Incorrect answer. Please respond with 'y' or 'n'."
                exit 1
                ;;
        esac
    else
        print_warning "Cannot find sudo. Please install the following dependencies manually:"
        for dep in "${missing_dependencies[@]}"; do
            echo "  - $dep"
        done
        exit 1
    fi
fi

# Various checks of the config and blacklist files.
config_file="config.sh"
blacklist_file="blacklist"
github_repo="https://raw.githubusercontent.com/yuk1c/antiddos/master"

check_config() {
    if [ ! -f "$config_file" ]; then
        print_error "No config file found. Attempting to download it from GitHub..."

        if wget -q "$github_repo/$config_file" -O "$config_file"; then
            print_success "The config file was downloaded. Script will be restarted automatically."
        else
            print_error "Unable to load the config file from GitHub. Please check your internet connectivity and GitHub availability."
            exit 1
        fi
    fi

    if [ ! -r "$config_file" ]; then
        print_error "$config_file is not readable. Please check file permissions."
        exit 1
    fi

    if [ ! -s "$config_file" ]; then
        print_error "$config_file is empty. Restore it from the repository."
        exit 1
    fi
}

check_blacklist() {
    if [ ! -f "$blacklist_file" ]; then
        print_error "No blacklist file found. Attempting to download it from GitHub..."

        if wget -q "$github_repo/$blacklist_file" -O "$blacklist_file"; then
            print_success "The blacklist file was downloaded. Script will be restarted automatically."
        else
            print_error "Unable to load the blacklist file from GitHub. Please check your internet connectivity and GitHub availability."
            exit 1
        fi
    fi

    if [ ! -r "$blacklist_file" ]; then
        print_error "$blacklist_file is not readable. Please check file permissions."
        exit 1
    fi
    
    if [ ! -s "$blacklist_file" ]; then
        print_error "$blacklist_file is empty. Restore it from the repository."
        exit 1
    fi
}

check_blacklist
check_config

# Parse script arguments.
while [[ "$#" -gt 0 ]]; do
    case $1 in
        --skip-update-check) SKIP_UPDATE_CHECK=true; shift ;;
        *) print_error "Unknown parameter passed: $1"; exit 1 ;;
    esac
done

# Store the script's directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# If --skip_update_check is not present, check for updates.
if [ "$SKIP_UPDATE_CHECK" != "true" ]; then
    # Go to the script's directory
    cd "$SCRIPT_DIR"

    # Fetch updates from the remote repository.
    git fetch

    # Compare local branch with the remote branch.
    if [ "$(git rev-parse HEAD)" != "$(git rev-parse @{u})" ]; then
        print_default "Updates available. Do you want to upgrade the script to continue? (y/n)"
        
        read -r response
        case "$response" in
            [yY])
                # Attempt to pull updates, handle errors quietly
                if ! git pull -q origin main; then
                    print_error "Unable to update script. You can skip the update check with the '--skip-update-check' argument if you think this is an mistake."
                    exit 1
                fi

                print_success "Script updated. Restarting..."
                exec "$SCRIPT_DIR/$(basename "$0")" "$@"  # Restart the updated script with the original arguments
                exit 0  # Make sure to exit after the exec command
                ;;

            [nN])
                print_default "You chose not to upgrade. You can skip the update check with the '--skip-update-check' argument."
                exit 1
                ;;
            *)
                print_error "Incorrect answer."
                exit 1
                ;;
        esac
    fi
fi

# --------------------------------

# Execute the contents of config.sh in the current context.
# Needed to import and use the config file.
. config.sh

# Call the protection against accidental starts.
accidental_start_prevention

# Flush all rules and add the 'filter' table.
 "$NFT" flush ruleset
 "$NFT" add table filter > /dev/null 2>&1 &

# Delete the "blacklist" ip set.
 "$IPS" destroy blacklist > /dev/null 2>&1 &

# --------------------------------

# Set default input policy to DROP.
# Drop policy swiftly deals with any unwanted traffic.
 "$IP" -P INPUT DROP

# Allow the local interface.
 "$IP" -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT

# Allow established and related connections.
 "$IP" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH. You can implement whitelisting here.
 "$IP" -A INPUT -p tcp --dport "$SSH" -j ACCEPT

# Allow some protocols. This is optional, but may be needed in some cases.
# "$IP" -A INPUT -p mptcp -j ACCEPT - If you need MultiPath TCP
# "$IP" -A INPUT -p igmp -j ACCEPT  - If you need IGMP
# "$IP" -A INPUT -p gre -j ACCEPT   - If you need GRE
# "$IP" -A INPUT -p esp -j ACCEPT   - If you need IPsec
# "$IP" -A INPUT -p ah -j ACCEPT    - If you need IPsec

# --------------------------------
# Default ruleset.

# Mitigate some TCP Floods with hashlimits.
# You can try to set srcmask lower than /32.
# It will limit not only the source address, but also IPs from the netmask.
# Also, you can configure dstmask to protect your IP neighbors.
# ----------------------------------------------------------------
 "$IP" -t raw -A PREROUTING -p tcp --syn \
  -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 \
  --hashlimit-dstmask 32 --hashlimit-name synflood \
  --hashlimit-above "$SPL" --hashlimit-htable-expire "$HTE" \
  --hashlimit-htable-size "$HTS" --hashlimit-htable-max "$HTM" -j DROP
 "$IP" -t raw -A PREROUTING -p tcp --tcp-flags SYN,ACK SYN,ACK \
  -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 \
  --hashlimit-dstmask 32 --hashlimit-name synackflood \
  --hashlimit-above "$SAPL" --hashlimit-burst 2 \
  --hashlimit-htable-expire "$HTE" --hashlimit-htable-size "$HTS" \
  --hashlimit-htable-max "$HTM" -j DROP
 "$IP" -t raw -A PREROUTING -p tcp --tcp-flags RST RST \
  -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 \
  --hashlimit-dstmask 32 --hashlimit-name rstflood \
  --hashlimit-above "$RPL" --hashlimit-burst 2 --hashlimit-htable-expire "$HTE" \
  --hashlimit-htable-size "$HTS" --hashlimit-htable-max "$HTM" -j DROP

# Mitigate UDP Floods with hashlimit.
# ----------------------------------------------------------------
 "$IP" -t raw -A PREROUTING -p udp -m hashlimit --hashlimit-above "$UPL" \
  --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-dstmask 32 \
  --hashlimit-name udp-flood-limit --hashlimit-burst "$UPL" \
  --hashlimit-htable-size "$HTS" --hashlimit-htable-max 65536 \
  --hashlimit-htable-expire "$HTE" -j DROP

# Mitigate ICMP Floods with hashlimits. Also, block some ICMP types for enhanced security.
# ----------------------------------------------------------------
 "$IP" -t raw -A PREROUTING -p icmp -m comment --comment "ICMP hashlimit" -m hashlimit \
  --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-dstmask 32 \
  --hashlimit-name icmp-limit --hashlimit-above "$IPL" --hashlimit-burst 2 \
  --hashlimit-htable-size "$HTS" --hashlimit-htable-max 65536 \
  --hashlimit-htable-expire "$HTE" -j DROP
 "$IP" -t raw -A PREROUTING -p icmp --icmp-type address-mask-request -j DROP
 "$IP" -t raw -A PREROUTING -p icmp --icmp-type router-solicitation -j DROP
 "$IP" -t raw -A PREROUTING -p icmp --icmp-type timestamp-request -j DROP
 "$IP" -t raw -A PREROUTING -p icmp --icmp-type redirect -j DROP

# To relieve server load during UDP Floods, restrict the outgoing ICMP 'Port-Unreach' packets per second (PPS).
# ----------------------------------------------------------------
 "$IP" -t raw -A OUTPUT -p icmp --icmp-type port-unreach -m limit --limit "$OPL" --limit-burst 2 -j ACCEPT
 "$IP" -t raw -A OUTPUT -p icmp --icmp-type port-unreach -j DROP

# To relieve server load during TCP Out-Of-State Floods, restrict the outgoing TCP RST packets per second (PPS).
# ----------------------------------------------------------------
 "$IP" -t raw -A OUTPUT -p tcp --tcp-flags RST RST -m limit --limit "$OTRL" -j ACCEPT
 "$IP" -t raw -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

# Enhance security and block basic attacks by filtering TCP packets with invalid flag combinations.
# If you're trying to optimize the ruleset, and your server is well-protected on upstream, you can comment rules.
# ----------------------------------------------------------------
 "$IP" -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j "$ITFPA"
 "$IP" -t raw -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j "$ITFPA"
 "$IP" -t raw -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j "$ITFPA"
 "$IP" -t raw -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j "$ITFPA"
 "$IP" -t raw -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j "$ITFPA"
 "$IP" -t raw -A PREROUTING -p tcp --tcp-flags ALL NONE -j "$ITFPA"
 "$IP" -t raw -A PREROUTING -p tcp --tcp-flags ALL ALL -j "$ITFPA"

# Safeguard against CPU overload during amplificated DDoS attacks by limiting DNS/NTP packets per second rate (PPS).
# ----------------------------------------------------------------
 "$IP" -t raw -A PREROUTING -p udp -m multiport --sports "$LUSP" -m hashlimit \
  --hashlimit-mode srcip,srcport --hashlimit-name Amplification-Limit \
  --hashlimit-above 256/m -j DROP

# Drop SYN packets with source-port <1024 to prevent some attacks.
# ----------------------------------------------------------------
 "$IP" -t raw -I PREROUTING -p tcp --syn ! --sport 1024:65535 -m comment --comment "SYN: Invalid Source Port" -j DROP

# Drop all packets with the invalid state.
# ----------------------------------------------------------------
 "$IP" -t mangle -I PREROUTING -p all -m conntrack --ctstate "$ST" -m comment --comment "Packet State Filter" -j DROP

# Restrict the number of connections per IP to mitigate the impact of Handshake and Slowloris attacks.
# ----------------------------------------------------------------
 "$IP" -t mangle -A PREROUTING -p tcp -m connlimit --connlimit-above "$CL" --connlimit-mask 32 \
  -m comment --comment "Connection Limit" -j "$CLA"

# Drop new non-SYN TCP packets to mitigate common TCP attacks.
# If you're trying to optimize the ruleset, check this rule. It may affect performance.
# ----------------------------------------------------------------
 "$IP" -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment "State NEW but not SYN" -j DROP

# Drop TCP packets with invalid MSS to mitigate certain attack types.
# Try to set max MSS to 8960/1460 if you want stricter protection.
# But then you'll need to modify the rule and do this only for your NIC.
# ----------------------------------------------------------------
 "$IP" -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss "$MSS" -m comment --comment "Invalid MSS" -j DROP

# Limit SYN/ICMPv6 packets per second (PPS) & drop fragmented packets to mitigate certain IPv6 attacks, though they aren't currently common.
# ----------------------------------------------------------------
 "$IP6" -t raw -A PREROUTING -p icmpv6 -m limit --limit 3/s -j ACCEPT
 "$IP6" -t raw -A PREROUTING -p icmpv6 -j DROP
 "$IP6" -t raw -A PREROUTING -p tcp --syn -m limit --limit 7/s --limit-burst 4 -j ACCEPT
 "$IP6" -t raw -A PREROUTING -p tcp --syn -j DROP
 "$IP6" -t raw -A PREROUTING -m frag -j DROP

# Block some IP addresses to enhance security.
# This rule does not impact performance a lot.
# ----------------------------------------------------------------
"$IPS" create blacklist nethash hashsize 260000 > /dev/null 2>&1
while IFS= read -r bad_ip; do
    "$IPS" add blacklist "$bad_ip" > /dev/null 2>&1
done <"./blacklist"
"$IP" -t raw -A PREROUTING -m set --match-set blacklist src -j "$IBA" > /dev/null 2>&1

# Advanced ruleset.
# ----------------------------------------------------------------

#################
# Generic rules #
#################

# Filtering by TCP options.
# "$IP" -t raw -A PREROUTING -p tcp --tcp-option 1 -j DROP (NOP/RFC9293)
# "$IP" -t raw -A PREROUTING -p tcp --tcp-option 3 -j DROP (WinScale/RFC7372)
# "$IP" -t raw -A PREROUTING -p tcp --tcp-option 5 -j DROP (SACK/RFC2018)
# "$IP" -t raw -A PREROUTING -p tcp --tcp-option 8 -j DROP (Timestamps/RFC7323)
# "$IP" -t raw -A PREROUTING -p tcp --tcp-option 27 -j DROP (QuickStartResp/RFC7882)
# "$IP" -t raw -A PREROUTING -p tcp --tcp-option 34 -j DROP (TFO Cookie)

# Filtering by ECN bits.
# Note: These packets are also legitimate. (ece/cwr)
# "$IP" -t raw -A PREROUTING -p tcp -m ecn --ecn-tcp-ece -j DROP
# "$IP" -t raw -A PREROUTING -p tcp -m ecn --ecn-tcp-cwr -j DROP

# Prevent SQL Injection attempts. These rules are need to be configured if you want to use them.
# "$IP" -t raw -I PREROUTING -p tcp --dport 3306 -m string --string "union select" --algo bm -j DROP
# "$IP" -t raw -I PREROUTING -p tcp --dport 3306 -m string --string "information_schema" --algo bm -j DROP

# Block HTTP 1.1 packets received on non-HTTP port(s). (common attack pattern)
# "$IP" -t raw -A PREROUTING -p tcp -m multiport --dports "$HTTP" -m string ! --string "HTTP/1.1 OK" --algo kmp -j DROP

# Block malformed DNS Flood.
# These rules are tested well, and can be used if you experience a lot of DNS amplification attacks. 
# "$IP" -t raw -A PREROUTING -p udp --sport 53 -m string --string "Refused" --algo bm -j DROP
# "$IP" -t raw -A PREROUTING -p udp --sport 53 -m string --string "0000000000000000" --algo bm -j DROP
# "$IP" -t raw -A PREROUTING -p udp --sport 53 -m string --hex-string "|3000300030003000300030003000300030003000300030003000|" --algo bm -j DROP

# Prevent NTP Reflection attacks by blocking incoming NTP Reflection packets received on the default NTP server port.
# This rule isn't checked.
# "$IP" -t raw -A PREROUTING -p udp --dport 123 -m u32 --u32 "0>>22&0x3C@8&0xFF" -j DROP

# SourcePort;ProtocolFilter against some attacks.
# The last rule may cause problems with apt.
# These rules are recommended for a better protection, but you need to test them well.
# "$IP" -t raw -A PREROUTING -p udp --sport 53 -m string ! --string "DNS" --algo kmp -j DROP
# "$IP" -t raw -A PREROUTING -p udp --sport 123 -m string ! --string "NTP" --algo kmp -j DROP
# "$IP" -t raw -A PREROUTING -p tcp --sport 80 -m string ! --string "HTTP" --algo kmp -j DROP

# Patch some random attack.
# "$IP" -t raw -A PReROUTING -p tcp --syn -m u32 --u32 "0>>22&0x3C@12>>26&0x3F=0" -j DROP

# SYN/ACK Reflection mitigation.
# Optimization tip: comment the default rule that limits SYN-ACK when using these.
# "$IP" -t mangle -A PREROUTING -p tcp --syn -m recent --name blacklist --set -j DROP
# "$IP" -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,ACK -m recent --name blacklist --rcheck --seconds 60 --hitcount 10 -j DROP

# Drop ACK-PSH Packets that do not contain any data.
# Shouldn't cause problems because these packets aren't legitimate.
# "$IP" -t raw -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -m u32 --u32 "0>>22&0x3C@12=0" -j DROP

# [BETA] Drop TFO (TCP Fast Open) Packets. (SYN with data)
# "$IP" -t raw -A PREROUTING -p tcp --syn -m u32 --u32 "12&0xFFFF=0x0" -j DROP

# Length filter. Allows only packets with correct length.
# The two first rules are configured for 1500 
# Maximum is 1500, but you can have 9000 MTU - and in this case, you should set 9000 as the maximum value.
# "$IP" -t raw -A PREROUTING -p tcp -m length ! --length 40:1500 -j DROP
# "$IP" -t raw -A PREROUTING -p udp -m length ! --length 20:1500 -j DROP
# "$IP" -t raw -A PREROUTING -p icmp -m length ! --length 64:72 -j DROP

##################
# OpenVPN Shield #
##################

# Whitelisting.
# "$IP" -t raw -I PREROUTING -p <tcp/udp> --dport 1194 ! -s <trusted_ip> -j DROP

# 'Application-layer' filter. (UDP)
# "$IP" -t mangle -A PREROUTING -p udp --dport 1194 --match bpf --bytecode "16,48 0 0 0,84 0 0 240,21 0 12 64,48 0 0 9,21 0 10 17,40 0 0 6,69 8 0 8191,177 0 0 0,80 0 0 8,21 0 5 56,64 0 0 17,21 0 3 1,72 0 0 4,21 0 1 62,6 0 0 65535,6 0 0 0" -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 1/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name accept-openvpn -j ACCEPT

# Flow limiter. Limits the number of 'flows' - or conn-track entries.
# "$IP" -t mangle -A PREROUTING -p udp --dport 1194 -m connlimit --connlimit-above 2 -j DROP

##############
# SSH Shield #
##############

# Protection against 'socket methods'.
# "$IP" -t mangle -A PREROUTING -p tcp --dport "$SSH" -m connlimit --connlimit-above 3 -j REJECT

###############
# HTTP Shield #
###############

# Connlimit-based protection for HTTP/HTTPS server(s).
# "$IP" -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
# "$IP" -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP

# User-agent filtering.
# "$IP" -t raw -A PREROUTING -p tcp -m multiport --dports "$HTTP" -m string --string 'python-requests' --algo kmp -j DROP
# "$IP" -t raw -A PREROUTING -p tcp -m multiport --dports "$HTTP" -m string --string 'benchmark' --algo kmp -j DROP
# "$IP" -t raw -A PREROUTING -p tcp -m multiport --dports "$HTTP" -m string --string 'MD5(' --algo kmp -j DROP
# "$IP" -t raw -A PREROUTING -p tcp -m multiport --dports "$HTTP" -m string --string 'censys' --algo kmp -j DROP
# "$IP" -t raw -A PREROUTING -p tcp -m multiport --dports "$HTTP" -m string --string 'inspect' --algo kmp -j DROP
# "$IP" -t raw -A PREROUTING -p tcp -m multiport --dports "$HTTP" -m string --string 'scanner' --algo kmp -j DROP
# "$IP" -t raw -A PREROUTING -p tcp -m multiport --dports "$HTTP" -m string --string 'shodan' --algo kmp -j DROP

# Drop SSL packets.
# SSL is obsolete, use TLS instead.
# "$IP" -A INPUT -p tcp --dport 443 -m string --string "SSL" --algo bm -j DROP

# Drop "trace" HTTP method packets.
# Already blocked by most http-webservers.
# "$IP" -A INPUT -p tcp --dport 80 -m string --string "TRACE" --algo bm -j DROP

######################
# AntiSpoofing rules #
######################

# Block IPv4 options.
# "$IP" -t raw -A PREROUTING -m ipv4options --ssrr -j DROP
# "$IP" -t raw -A PREROUTING -m ipv4options --lsrr -j DROP
# "$IP" -t raw -A PREROUTING -m ipv4options --rr -j DROP
# "$IP" -t raw -A PREROUTING -m ipv4options --ts -j DROP
# "$IP" -t raw -A PREROUTING -m ipv4options --ra -j DROP

# Advanced AntiSpoofing [NOT RECOMMENDED]
# "$IP" -A INPUT -p all ! -d <ip_of_your_server> -j DROP

###############
# Other rules #
###############

# Drop SIP server scans.
# "$IP" -A INPUT -p udp --dport 5060 -m string --string "sipvicious" --algo bm -j DROP
# "$IP" -A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP

# Drop SMTP packets with malicious payload.
# "$IP" -t raw -A PREROUTING -p tcp --dport 25 -m string --string "HELO" --algo bm --to 65535 -j DROP
# "$IP" -t raw -A PREROUTING -p tcp --dport 25 -m string --string "EHLO" --algo bm --to 65535 -j DROP

# Drop packets of BitTorrent amplification.
# "$IP" -t raw -A PREROUTING -m string --string "Torrent" --algo bm -j DROP

# Drop FTP packets with malicious payload.
# "$IP" -t raw -A PREROUTING -p tcp --dport 21 -m string --string "SITE EXEC" --algo bm -j DROP

# Drop DNS recursion/zone transfer operations packets.
# "$IP" -t raw -A PREROUTING -p udp --dport 53 -m string --string "recursion" --algo bm -j DROP
# "$IP" -t raw -A PREROUTING -p tcp --dport 53 -m string --hex-string "|0d 0a 0d 0a|" --algo bm -j DROP

# Geo blocking (in this rule, we block China, for example).
# "$IP" -t raw -I PREROUTING -m geoip --src-cc CN -j DROP

# Drop packets sent to DNS/NTP port but which are not related to those protocols.
# You can make multiple rules like that.
# "$IP" -t raw -A PREROUTING -p udp --dport 53 -m udp -m string ! --string "DNS" --algo bm --to 65535 -j ACCEPT
# "$IP" -t raw -A PREROUTING -p udp --dport 123 -m udp -m string ! --string "NTP" --algo bm --to 65535 -j ACCEPT

# Block heartbleed (1) / shellshock (2) attacks.
# "$IP" -t raw -A PREROUTING -p tcp --dport 443 -m u32 --u32 "52=0x18030000 && 56=0x00000000" -j DROP
# "$IP" -t raw -A PREROUTING -p tcp --dport 80 -m string --algo bm --string '() {' -j DROP

# Proxy with iptables. (example: redirect TCP packets from 25565 to your home 25500)
# "$IP" -t nat -A PREROUTING -i eth0 -p tcp --dport 25565 -j DNAT --to-destination your_home_ip:25500
# "$IP" -t nat -A POSTROUTING -o eth0 -p tcp --dport 25565 -d your_home_ip -j SNAT --to-source your_server_ext_IP

# Another patch against some weird attacks.
# "$IP" -t raw -A PREROUTING -p icmp --icmp-type 3/4 -j DROP

# Block all protocols except TCP.
# VERY Not recommended! Shouldn't be used always.
# "$IP" -A INPUT ! -p tcp -j DROP

# Limit ARP packets per MAC address.
# Needs testing.
# arptables -A INPUT --limit-rate 3/s --limit-burst 5 -j ACCEPT

# TCP Ratelimit (All flags).
# Using this rule may make other TCP rate limits redundant or conflicting.
# "$IP" -t raw -A PREROUTING -p tcp -m hashlimit --hashlimit-name tcp --hashlimit-mode srcip --hashlimit --hashlimit-above 10000/s -j DROP

# Block some unusual attacks by blocking zero TTL.
# "$IP" -t raw -A PREROUTING -m ttl --ttl-eq 0 -j DROP

# Block source-ports 0, 1 because they don't serve a legitimate purpose.
# "$IP" -t raw -A PREROUTING -p tcp -m multiport --sports 0,1 -j DROP
# "$IP" -t raw -A PREROUTING -p udp -m multiport --sports 0,1 -j DROP

# ACK & ACK-PSH Limits (against most TCP bypasses).
# Note: these rules can impact legitimate traffic due to their strict nature.
# "$IP" -t raw -A PREROUTING -p tcp --tcp-flags ACK ACK -m hashlimit --hashlimit-mode srcip --hashlimit-name ackflood --hashlimit-above 1000/s --hashlimit-burst 2 -j DROP
# "$IP" -t raw -A PREROUTING -p tcp --tcp-flags ACK,PSH ACK,PSH -m hashlimit --hashlimit-mode srcip --hashlimit-name ackpshflood --hashlimit-above 1000/s --hashlimit-burst 2 -j DROP

# Block STUN by source-port or string. You can combine them into one rule or use together.
# "$IP" -t raw -A PREROUTING -p udp --sport 3478 -j DROP
# "$IP" -t raw -A PREROUTING -p udp -m string --string "STUN" --algo kmp -j DROP

# Limit connection establishing speed. (per source IP) (we don't use --rsource because it is already set by default)
# Limiting upto 30 SYN_RECV per 5 seconds from each new IP.
# "$IP" -t raw -A PREROUTING -p tcp --syn -m conntrack --ctstate NEW -m recent --set
# "$IP" -t raw -A PREROUTING -p tcp --syn -m conntrack --ctstate NEW -m recent --update --rcheck --rttl --seconds 5 --hitcount 30 

# Filtering by source IP address routing type.
# It wasn't tested a lot and can do nothing.
# "$IP" -t mangle -A PREROUTING -m addrtype --src-type UNREACHABLE -j DROP
# "$IP" -t mangle -A PREROUTING -m addrtype --src-type BLACKHOLE -j DROP
# "$IP" -t mangle -A PREROUTING -m addrtype --src-type MULTICAST -j DROP
# "$IP" -t mangle -A PREROUTING -m addrtype --src-type THROW -j DROP

# Filtering by conntrack status.
# Drops the packet if it has no known conntrack status.
# "$IP" -t mangle -A PREROUTING -p all -m conntrack --ctstatus NONE -j DROP

# --------------------------------

###############
#   Logging   #
###############

# If you want to enable logging to dmesg, uncomment the following first rule:

# The rule below enables logging with the limit of 5 messages per second:
# "$IP" -A INPUT -m limit --limit 5/m -j LOG --log-prefix "[yuki-script] DROP:" --log-ip-options --log-tcp-options --log-tcp-sequence

# The rule below actually drops packets:
 "$IP" -A INPUT -j DROP

# Sysctl.conf tweaks.
# --------------------------------

# Backup management.
# Note: the backups are located in /etc/sysctl_backups/.

# If the backup directory is not exist, create it.
# If cannot create it - show an error and exit.
if [ ! -d "$backup_dir" ]; then
    if ! mkdir -p "$backup_dir"; then
        print_error "Cannot create backup directory: $backup_dir" >&2
        exit 1
    fi
fi

# Make a backup of the sysctl.conf.
# If cannot create it - show an error and exit.
if ! cp "$sysctl_conf" "$backup_file"; then
    print_error "Failed to create backup." >&2
    exit 1
fi

# Scan for old backup files, and delete them, if needed.
# If cannot delete them - show an error and exit.
if [ "$num_backups" -gt "$max_backups" ]; then
    if ! find "$backup_dir" -maxdepth 1 -type f -printf '%T@ %p\n' | sort -k1,1n | head -n -"$max_backups" | cut -d' ' -f2- | xargs -I {} rm "{}"; then
        print_error "Failed to remove old backups." >&2
        exit 1
    fi
fi

# Apply the tweaked sysctl.conf file.

echo -e "
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

#
# Tweaks by https://github.com/yuk1c/antiddos
#


# Custom conntrack timeouts - specially against DDoS attacks.
# --------------------------------
 net.netfilter.nf_conntrack_tcp_timeout_last_ack = 10
 net.netfilter.nf_conntrack_tcp_timeout_close = 5
 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 5
 net.netfilter.nf_conntrack_tcp_timeout_time_wait = 5
 net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20
 net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20
 net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 25
 net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 20
 net.netfilter.nf_conntrack_generic_timeout = 300
 net.netfilter.nf_conntrack_udp_timeout = 10
 net.netfilter.nf_conntrack_icmp_timeout = 2
 net.netfilter.nf_conntrack_icmpv6_timeout = 3

# Enabling SYN-Cookies.
# Facilitates SYN Flood DDoS mitigation.
# If your server frequently faces TCP DDoS attacks,
# you can set the value to '2' here.
# Caution: certain hosting providers might block syncookies.
# Verify if your hoster enforces this. If yes, set it to '0'.
# --------------------------------
 net.ipv4.tcp_syncookies = 1

# Set custom SYN/SYN-ACK retries count.
# Helps in TCP DDoS mitigation.
# Try 1/1 instead of 2/2 if you have time for testing :)
# --------------------------------
 net.ipv4.tcp_synack_retries = 2
 net.ipv4.tcp_syn_retries = 2

# Set custom NIC rmem/wmem buffer size.
# --------------------------------
 net.core.rmem_max = 33554432
 net.core.wmem_max = 33554432

# Network security hardening.
# Usually causes problems on routers.
# --------------------------------
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv6.conf.all.accept_source_route = 0
 net.ipv6.conf.all.accept_ra = 0
 net.ipv4.conf.all.secure_redirects = 1
 net.ipv6.conf.all.drop_unsolicited_na = 1
 net.ipv6.conf.all.use_tempaddr = 2
 net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1
 net.ipv6.conf.all.drop_unicast_in_l2_multicast = 1
 net.ipv6.conf.default.dad_transmits = 0
 net.ipv6.conf.default.autoconf = 0
 # net.ipv4.ip_forward = 0 # Disables ip_forward (blocks VPNs/NATs)
 # net.ipv4.ip_no_pmtu_disc = 3 # Hardened PMTU Discover Mode (usually not needed)

# Prevent ARP Spoofing.
# --------------------------------
 net.ipv4.conf.all.drop_gratuitous_arp = 1
 net.ipv4.conf.all.arp_ignore = 1
 net.ipv4.conf.all.arp_filter = 1

# Disable IGMP Multicast reports.
# --------------------------------
 net.ipv4.igmp_link_local_mcast_reports = 0

# Overall security hardening.
# --------------------------------
 kernel.dmesg_restrict = 1
 kernel.kptr_restrict = 1
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 fs.protected_fifos = 2
 fs.protected_regular = 2
 kernel.unprivileged_bpf_disabled = 1
 kernel.unprivileged_userns_clone = 0
 kernel.printk = 3 3 3 3
 net.core.bpf_jit_harden = 2
 vm.unprivileged_userfaultfd = 0
 kernel.kexec_load_disabled = 1
 #kernel.sysrq = 0 # Disables sysrq (not recommended)

# Performance tuning.
# Set somaxconn to 3240000 if you have a very powerful server.
# Your server would then manage over 3 million connections. 0_0
# Additionally, you can activate commented-out settings at the end (in this scenario).
# We've also disabled checksum verification in NF because the NIC usually already calculates checksums.
# --------------------------------
 kernel.sched_tunable_scaling = 1
 kernel.shmmax = 268435456
 net.ipv4.tcp_tw_reuse = 1
 vm.swappiness = 20
 net.core.somaxconn = 32000
 net.ipv4.tcp_keepalive_probes = 5
 net.netfilter.nf_conntrack_checksum = 0
 # Tweaks for very powerful servers
 # net.ipv4.tcp_max_tw_buckets = 600000000
 # net.core.netdev_max_backlog = 50000
 # net.ipv4.tcp_max_syn_backlog = 3240000

# Set max conntrack table size.
# --------------------------------
 net.nf_conntrack_max = 20971520
 net.netfilter.nf_conntrack_max = 20971520

# Enable ExecShield to block some remote attacks.
# --------------------------------
 kernel.exec-shield = 2

# Don't log bogus ICMP responses.
# --------------------------------
 net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allow to use more ports as a source ones.
# --------------------------------
 net.ipv4.ip_local_port_range=1024 65535

# Conntrack strict mode.
# --------------------------------
 net.netfilter.nf_conntrack_tcp_loose = 0

# Reverse-path filter.
# You should set '1' to '2' if you're using an assymetric routing.
# --------------------------------
 net.ipv4.conf.all.rp_filter = 1

# Custom ratelimit for invalid TCP packets.
# --------------------------------
net.ipv4.tcp_invalid_ratelimit = 1000" > /etc/sysctl.conf

"$SC" -p > /dev/null 2>&1 &
"$IPS" save > /dev/null 2>&1 &
systemctl enable --now netfilter-persistent > /dev/null 2>&1 &
clear

print_success "All changes, except for ruleset saving, were done.\
 Now, make sure your networking is okay, if yes - do 'sudo netfilter-persistent save'."
print_default2 "Note: The 'Drop' policy drops all incoming traffic that isn't explicitly allowed (SSH is already allowed).
If you want to allow a specific TCP port: 'iptables-nft -A INPUT -p tcp --dport PORT -j ACCEPT'
For UDP ports, use: 'iptables-nft -A INPUT -p udp --dport PORT -j ACCEPT'
You can also view the current ruleset and its statistics with: 'nft list ruleset'"

tput sgr0 # Reset terminal color. We use this to prevent the terminal from being colored after the script exits.
exit 0 # Exit.