BASH Scripts to help automate common Unix like things

What is MAXXSUITE

Scripts that I use to make life easier for creating servers and managing them. I actually use the same blacklist and firewall scripts between my servers and development laptop.

So far these scripts cover the firewall and IP blacklists, and can also generate OpenVPN configurations and keys quickly. They work on Ubuntu 16 and 17.

Theme inspired from 'The Maxx' comic book series.

Functions

FIREWALL

  • ALLOWLOCALHOST - Allow localhost for firewall
  • ALLOWPORTS - Cycle through devices and allow in and out ports, with rate limiting
  • ALLOWSTATES - Allow connection-tracking states (accept RELATED,ESTABLISHED, drop INVALID)
  • BANIP - Bans an IP, adds to custom IPset list
  • CLEAR - Clears firewall rules
  • DROPALLIP - Drops a single IP address across all chains
  • DROPEVERYTHING - Drop all remaining traffic that doesn't fit with the rules
  • LOADBL - Restores blacklists into the firewall
  • MASQ - Masquerading for devices, tun0 is generally used if you're routing with a VPN

IPLISTS

  • CLEANDL - Same as UPDATE, however it will totally clear out the raw and ipset lists beforehand
  • CLEANDOWNDIR - Cleans out the IP Black List directory without regrets.
  • CLEANIPSETDIR - Cleans out the IPSET lists.
  • DLALLLISTS - Download all free and paid lists (will split this later)
  • FLUSHIPSET - Removes all IP addresses in a blacklist.
  • GETFREELIST - Will download free blocklists and store them in the raw list dir
  • GETIPBLOCKLIST - Downloads iblocklist.com blacklists (you need an account)
  • IPSETMAKE - Makes a new IPSET list.
  • IPSETRESTOREALL - Restore all IPSET lists, used with iptables-persistent to restore firewall and lists on boot
  • IPSETRESTORE - Loads raw IPs into an IPSET list and restores it
  • IPSETSAVEALL - Save all IPSET lists, used with iptables-persistent to restore firewall and lists on boot
  • IPSETSAVE - Save an IPSET list for later use
  • MAKELISTFROMTXT - Cycle through the list and restore IPSETs from raw lists
  • UPDATE - Updates the lists with latest IPs, good to have this on cron to keep the lists fresh

OPENVPN

  • BUILDCLIENTKEYS - Build client OpenVPN Key
  • BUILDSERVERKEYS - Build OpenVPN server TLS keys, with CA, DH and TA Key
  • DEFAULT - Runs the whole process to make an OpenVPN conf
  • GENCLIENTCONF - Generate conf file for an OpenVPN client. It automatically adds the keys inline.
  • GENSERVERCONF - Generate conf file for OpenVPN server. It automatically adds the keys inline.
  • MAXXVARS - Update the vars file and source it

How to Use

Grab a copy of the maxxsuite by cloning the repo. I usually clone it into the home directory. To preserve settings across updates, copy ~/maxxsuite/.maxxsuite to the home directory.

git clone https://github.com/dreamfast/maxxsuite.git ~/maxxsuite
cp -r ~/maxxsuite/.maxxsuite ~/

The settings for each script are in ~/.maxxsuite/SCRIPT/SCRIPT.var. Settings shared between all scripts are in ~/.maxxsuite/.maxxvars.

A basic firewall is provided to start with. To change which firewall ports are open or closed, edit ~/.maxxsuite/FIREWALL/FIREWALL.vars.

IPLISTS comes with two free blacklists, blocklist.de and Emerging Threats, which are okay. IPLISTS also supports IblockList, however you need a subscription for some lists. Once you have one, put your username and PIN into the IPLISTS.var file to download the paid lists.

The ~/.maxxsuite/IPLISTS/iplists.csv has the lists available. You can also add free or iblock lists here. Lines that start with a # are ignored. By default the two free lists are uncommented.

The maxxinit.sh script may help get a fresh Ubuntu server up and running with these basics. It won't work for all hosts though, so be careful with it.

Once you have reviewed the settings for the firewall and lists, you can run the scripts. If all goes well it should look like this.

maxx@server:~/maxxsuite$ sudo ./MAXX IPLISTS CLEANDL
 ----------------------------------------------------------------
   __  __         __   ___   __ _____ _    _ _____ _______ ______
  |  \/  |   /\   \ \ / \ \ / // ____| |  | |_   _|__   __|  ____|
  | \  / |  /  \   \ V / \ V /| (___ | |  | | | |    | |  | |__
  | |\/| | / /\ \   > <   > <  \___ \| |  | | | |    | |  |  __|
  | |  | |/ ____ \ / . \ / . \ ____) | |__| |_| |_   | |  | |____
  |_|  |_/_/    \_/_/ \_/_/ \_|_____/ \____/|_____|  |_|  |______|
  ----------------------------------------------------------------
  |  * Ubuntu16.04  - MAXXVARS [ ok ] *
  ----------------------------------------------------------------
 * Cleaned out /home/maxx/.maxxsuite/IPLISTS/rawlistout/...
 * Cleaned out /home/maxx/.maxxsuite/IPLISTS/ipsetout/...
 * Downloading lists...
 * Saving blocklist.de...
 * Saving emergingthreats...
 * Saving spammers...
 * Saving hijacked...
 * Saving dshield...
 * Saving forumspam...
Restoring lists...
 * Total lists found:
 * Restoring blocklist.de...
	 * IPSet list blocklist.de appears to alredy exist...
	 * Flushing blocklist.de...
 * Restored IPSET blocklist.de.
 * Restoring emergingthreats...
	 * IPSet list emergingthreats appears to alredy exist...
	 * Flushing emergingthreats...
 * Restored IPSET emergingthreats.
 * Restoring spammers...
	 * IPSet list spammers appears to alredy exist...
	 * Flushing spammers...
 * Restored IPSET spammers.
 * Restoring hijacked...
	 * IPSet list hijacked appears to alredy exist...
	 * Flushing hijacked...
 * Restored IPSET hijacked.
 * Restoring dshield...
	 * IPSet list dshield appears to alredy exist...
	 * Flushing dshield...
 * Restored IPSET dshield.
 * Restoring forumspam...
	 * IPSet list forumspam appears to alredy exist...
	 * Flushing forumspam...
 * Restored IPSET forumspam.

maxx@server:~/maxxsuite$ sudo ./MAXX FIREWALL DEFAULT
 ----------------------------------------------------------------
   __  __         __   ___   __ _____ _    _ _____ _______ ______
  |  \/  |   /\   \ \ / \ \ / // ____| |  | |_   _|__   __|  ____|
  | \  / |  /  \   \ V / \ V /| (___ | |  | | | |    | |  | |__
  | |\/| | / /\ \   > <   > <  \___ \| |  | | | |    | |  |  __|
  | |  | |/ ____ \ / . \ / . \ ____) | |__| |_| |_   | |  | |____
  |_|  |_/_/    \_/_/ \_/_/ \_|_____/ \____/|_____|  |_|  |______|
  ----------------------------------------------------------------
  |  * Ubuntu16.04  - MAXXVARS [ ok ] *
  ----------------------------------------------------------------
 * Clearing IPTABLES rules...
 * Allowing Localhost...
 * Loading blacklists...
  * Restoring blacklist blocklist.de:
  * Restoring blacklist dshield:
  * Restoring blacklist emergingthreats:
  * Restoring blacklist forumspam:
  * Restoring blacklist hijacked:
  * Restoring blacklist spammers:
 * Allowing TCP IN eth0:
 22 7722 * Allowing TCP OUT eth0:
 80 443 7722 * Allowing UDP IN eth0:
 * Allowing UDP OUT eth0:
 53 * Dropping everything else on TCP and UDP...
 * Saving firewall state...
 * All done.

You can then take a look at the firewall with sudo iptables -L

maxx@server:~/maxxsuite$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             match-set blocklist.de src LOG level debug prefix "blocklist.de-bl-in: "
DROP       all  --  anywhere             anywhere             match-set blocklist.de src
LOG        all  --  anywhere             anywhere             match-set dshield src LOG level debug prefix "dshield-bl-in: "
DROP       all  --  anywhere             anywhere             match-set dshield src
LOG        all  --  anywhere             anywhere             match-set emergingthreats src LOG level debug prefix "emergingthreats-bl-in: "
DROP       all  --  anywhere             anywhere             match-set emergingthreats src
LOG        all  --  anywhere             anywhere             match-set forumspam src LOG level debug prefix "forumspam-bl-in: "
DROP       all  --  anywhere             anywhere             match-set forumspam src
LOG        all  --  anywhere             anywhere             match-set hijacked src LOG level debug prefix "hijacked-bl-in: "
DROP       all  --  anywhere             anywhere             match-set hijacked src
LOG        all  --  anywhere             anywhere             match-set spammers src LOG level debug prefix "spammers-bl-in: "
DROP       all  --  anywhere             anywhere             match-set spammers src
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7722
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       udp  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             match-set blocklist.de dst LOG level debug prefix "blocklist.de-bl-fwd-out: "
DROP       all  --  anywhere             anywhere             match-set blocklist.de dst
LOG        all  --  anywhere             anywhere             match-set blocklist.de src LOG level debug prefix "blocklist.de-bl-fwd-in: "
DROP       all  --  anywhere             anywhere             match-set blocklist.de src
LOG        all  --  anywhere             anywhere             match-set dshield dst LOG level debug prefix "dshield-bl-fwd-out: "
DROP       all  --  anywhere             anywhere             match-set dshield dst
LOG        all  --  anywhere             anywhere             match-set dshield src LOG level debug prefix "dshield-bl-fwd-in: "
DROP       all  --  anywhere             anywhere             match-set dshield src
LOG        all  --  anywhere             anywhere             match-set emergingthreats dst LOG level debug prefix "emergingthreats-bl-fwd-out: "
DROP       all  --  anywhere             anywhere             match-set emergingthreats dst
LOG        all  --  anywhere             anywhere             match-set emergingthreats src LOG level debug prefix "emergingthreats-bl-fwd-in: "
DROP       all  --  anywhere             anywhere             match-set emergingthreats src
LOG        all  --  anywhere             anywhere             match-set forumspam dst LOG level debug prefix "forumspam-bl-fwd-out: "
DROP       all  --  anywhere             anywhere             match-set forumspam dst
LOG        all  --  anywhere             anywhere             match-set forumspam src LOG level debug prefix "forumspam-bl-fwd-in: "
DROP       all  --  anywhere             anywhere             match-set forumspam src
LOG        all  --  anywhere             anywhere             match-set hijacked dst LOG level debug prefix "hijacked-bl-fwd-out: "
DROP       all  --  anywhere             anywhere             match-set hijacked dst
LOG        all  --  anywhere             anywhere             match-set hijacked src LOG level debug prefix "hijacked-bl-fwd-in: "
DROP       all  --  anywhere             anywhere             match-set hijacked src
LOG        all  --  anywhere             anywhere             match-set spammers dst LOG level debug prefix "spammers-bl-fwd-out: "
DROP       all  --  anywhere             anywhere             match-set spammers dst
LOG        all  --  anywhere             anywhere             match-set spammers src LOG level debug prefix "spammers-bl-fwd-in: "
DROP       all  --  anywhere             anywhere             match-set spammers src

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             match-set blocklist.de dst LOG level debug prefix "blocklist.de-bl-out: "
DROP       all  --  anywhere             anywhere             match-set blocklist.de dst
LOG        all  --  anywhere             anywhere             match-set dshield dst LOG level debug prefix "dshield-bl-out: "
DROP       all  --  anywhere             anywhere             match-set dshield dst
LOG        all  --  anywhere             anywhere             match-set emergingthreats dst LOG level debug prefix "emergingthreats-bl-out: "
DROP       all  --  anywhere             anywhere             match-set emergingthreats dst
LOG        all  --  anywhere             anywhere             match-set forumspam dst LOG level debug prefix "forumspam-bl-out: "
DROP       all  --  anywhere             anywhere             match-set forumspam dst
LOG        all  --  anywhere             anywhere             match-set hijacked dst LOG level debug prefix "hijacked-bl-out: "
DROP       all  --  anywhere             anywhere             match-set hijacked dst
LOG        all  --  anywhere             anywhere             match-set spammers dst LOG level debug prefix "spammers-bl-out: "
DROP       all  --  anywhere             anywhere             match-set spammers dst
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:7722
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED

You can also check /var/log/syslog to see the blocklists dropping bad traffic. This is an edited-down version of what should be there.

blocklist.de-bl-in: IN=eth0 OUT= MAC= SRC=144.217.126.187 DST=***.***.***.221 LEN=52 TOS=0x1A PREC=0x00 TTL=115 ID=17126 DF PROTO=TCP SPT=62145 DPT=25 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
blocklist.de-bl-in: IN=eth0 OUT= MAC= SRC=144.217.126.187 DST=***.***.***.221 LEN=52 TOS=0x1A PREC=0x00 TTL=115 ID=17127 DF PROTO=TCP SPT=62145 DPT=25 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
blocklist.de-bl-in: IN=eth0 OUT= MAC= SRC=144.217.126.187 DST=***.***.***.221 LEN=48 TOS=0x18 PREC=0x00 TTL=115 ID=17128 DF PROTO=TCP SPT=62145 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
blocklist.de-bl-in: IN=eth0 OUT= MAC= SRC=181.214.87.11 DST=***.***.***.221 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=42308 PROTO=TCP SPT=50037 DPT=20119 WINDOW=1024 RES=0x00 SYN URGP=0
blocklist.de-bl-in: IN=eth0 OUT= MAC= SRC=104.236.25.156 DST=***.***.***.221 LEN=57 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=UDP SPT=41728 DPT=53413 LEN=37
emergingthreats-bl-in: IN=eth0 OUT= MAC= SRC=5.188.10.242 DST=***.***.***.221 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=30137 PROTO=TCP SPT=58053 DPT=4785 WINDOW=1024 RES=0x00 SYN URGP=0
emergingthreats-bl-in: IN=eth0 OUT= MAC= SRC=5.188.10.108 DST=***.***.***.220 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=173 PROTO=TCP SPT=52708 DPT=13889 WINDOW=1024 RES=0x00 SYN URGP=0
blocklist.de-bl-in: IN=eth0 OUT= MAC= SRC=181.214.87.252 DST=***.***.***.221 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=31515 PROTO=TCP SPT=58353 DPT=3135 WINDOW=1024 RES=0x00 SYN URGP=0
emergingthreats-bl-in: IN=eth0 OUT= MAC= SRC=5.188.10.108 DST=***.***.***.221 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45802 PROTO=TCP SPT=52708 DPT=13889 WINDOW=1024 RES=0x00 SYN URGP=0
emergingthreats-bl-in: IN=eth0 OUT= MAC= SRC=5.188.10.242 DST=***.***.***.220 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=12261 PROTO=TCP SPT=58053 DPT=4785 WINDOW=1024 RES=0x00 SYN URGP=0
emergingthreats-bl-in: IN=eth0 OUT= MAC= SRC=123.249.26.159 DST=***.***.***.221 LEN=37 TOS=0x00 PREC=0x00 TTL=49 ID=37212 DF PROTO=UDP SPT=51870 DPT=123 LEN=17
emergingthreats-bl-in: IN=eth0 OUT= MAC= SRC=123.249.26.159 DST=***.***.***.221 LEN=37 TOS=0x00 PREC=0x00 TTL=49 ID=54286 DF PROTO=UDP SPT=51870 DPT=123 LEN=17
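The LOG rules above give every dropped packet a "<list>-bl-<direction>: " prefix, so syslog can be summarised per list, per source and, most usefully, per outbound hit. The following is an added example and not part of maxxsuite; it assumes the prefix format shown in the excerpt and uses constructed sample lines with documentation-range addresses.

```shell
# Added example, not part of maxxsuite: summarise the kernel LOG lines that the
# "<list>-bl-<direction>: " rules write to /var/log/syslog. Works on raw syslog
# (the timestamp and "kernel:" before the prefix are skipped over).
# Constructed sample lines in the shape of the README's syslog excerpt.
SAMPLE_LOG='blocklist.de-bl-in: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=62145 DPT=25 SYN URGP=0
blocklist.de-bl-in: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=62145 DPT=25 SYN URGP=0
emergingthreats-bl-in: IN=eth0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=58053 DPT=4785 SYN URGP=0
emergingthreats-bl-in: IN=eth0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.5 LEN=37 PROTO=UDP SPT=51870 DPT=123 LEN=17
dshield-bl-out: IN= OUT=eth0 MAC= SRC=198.51.100.5 DST=192.0.2.200 LEN=60 PROTO=TCP SPT=41000 DPT=443 SYN URGP=0'

# "<list> <direction> <count>" per blacklist and direction. Usage: bl_drops_by_list < /var/log/syslog
bl_drops_by_list() {
  awk '{
    p = index($0, "-bl-"); if (p == 0) next
    n = split(substr($0, 1, p - 1), a, " "); list = a[n]   # token before -bl-
    split(substr($0, p + 4), b, ":"); dir = b[1]          # in/out/fwd-in/fwd-out
    count[list " " dir]++
  }
  END { for (k in count) print k, count[k] }' | sort
}

# "<src> <proto>/<dport> <count>", most frequent first. Usage: bl_top_sources < /var/log/syslog
bl_top_sources() {
  awk '{
    if (index($0, "-bl-") == 0) next
    src = ""; proto = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/)   src   = substr($i, 5)
      if ($i ~ /^PROTO=/) proto = substr($i, 7)
      if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
    }
    count[src " " proto "/" dpt]++
  }
  END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# Outbound hits (-bl-out, -bl-fwd-out) matter most: something on or behind this
# host tried to reach a blacklisted address. Prints "<direction> <dst> <dport>".
bl_outbound_hits() {
  awk '{
    p = index($0, "-bl-"); if (p == 0) next
    split(substr($0, p + 4), b, ":")
    if (b[1] != "out" && b[1] != "fwd-out") next
    dst = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^DST=/) dst = substr($i, 5)
      if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    print b[1], dst, dpt
  }'
}
```

Run it against the real log with e.g. `bl_outbound_hits < /var/log/syslog`; an outbound hit against a list is worth investigating on the host itself, whereas inbound hits are the lists doing their job.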

Changes

26/11/17

  • Added persistent firewall and blacklist rules on reboot

04/11/17

  • Restructured the directories and fixed a bug.
  • Started maxxinit, which turns a fresh Ubuntu system into a maxxsystem automagically