#!/bin/bash

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

rm /root/.dyn*

echo “Setting kernel tcp parameters to reduct DoS effects”

#Reduce DoS’ing ability by reducing timeouts

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

#ANTISPOOFING

for a in /proc/sys/net/ipv4/conf/*/rp_filter;

do
echo 1 > $a
done

##

#NO SOURCE ROUTE
for z in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
echo 0 > $z
done
#SYN COOKIES
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo $ICMP_ECHOREPLY_RATE > /proc/sys/net/ipv4/icmp_echoreply_rate
echo “1” > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo “1” > /proc/sys/net/ipv4/conf/all/accept_redirects
echo “1” > /proc/sys/net/ipv4/conf/all/log_martians

# NUMBER OF CONNECTIONS TO TRACK

echo “65535” > /proc/sys/net/ipv4/ip_conntrack_max

# Set default policies

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

/sbin/iptables -F

/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -X

/sbin/iptables -A INPUT -i lo -j ACCEPT

/sbin/iptables -A INPUT -d 127.0.0.0/8 -j REJECT

/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -m state –state INVALID -j DROP

### chains to DROP too many SYNs

/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit –limit 100/second –limit-burst 150 -j RETURN
/sbin/iptables -A syn-flood -j LOG –log-prefix “SYN flood: “
/sbin/iptables -A syn-flood -j DROP

### pericarding SYNs

/sbin/iptables -A INPUT -i eth0 -p tcp –tcp-flags ALL ACK,RST,SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp –tcp-flags SYN,RST SYN,RST