From 566e855313afcfb5f5bd8e7b09beba5287437347 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ricardo=20Leite=20Gon=C3=A7alves?=
Date: Tue, 20 Jul 2021 07:29:30 +0000
Subject: [PATCH] 22/tcp port chanceg to 44200/tcp
---
 init.sh | 0
 install.sh | 13 +++++++--
 rules.sh | 83 ++++++++++++++++++++++++++++++++++++++++--------------
 3 files changed, 72 insertions(+), 24 deletions(-)
 mode change 100644 => 100755 init.sh
 mode change 100644 => 100755 rules.sh
diff --git a/init.sh b/init.sh
old mode 100644
new mode 100755
diff --git a/install.sh b/install.sh
index 9ded030..7977e82 100755
--- a/install.sh
+++ b/install.sh
@@ -1,11 +1,13 @@
 #!/bin/bash
+# Author: Ricardo Leite Gaonçalves - 2021/7
+# http://www.davinti.com.br
+#
 if [ "$USER" != "root" ] ; then
 printf "Are you root? \nsudo ./install.sh\n"
 exit 1
 fi
-
 #if [ "X$(which dialog)" == "X" ]; then
 # apt -y install dialog
 #fi
@@ -37,11 +39,16 @@ cp -v firewall-init.service /etc/systemd/system/
 systemctl enable firewall.service
 systemctl enable firewall-init.service
-if [ ! -f /etc/network/firewall/rules.sh ] ; then
+if [ ! -f /etc/network/firewall/rules.sh -o "$1" == "-f" ] ; then
 cp -v rules.sh /etc/network/firewall/
 fi
-if [ ! -f /etc/network/firewall/init.sh ] ; then
+if [ ! -f /etc/network/firewall/init.sh -o "$1" == "-f" ] ; then
 cp -v init.sh /etc/network/firewall/
 fi
+echo ""
+echo !!! Please revise trusted IPs in:
+echo $trusted
+echo $trusted6
+echo ""
diff --git a/rules.sh b/rules.sh
old mode 100644
new mode 100755
index cfc7631..af9a448
--- a/rules.sh
+++ b/rules.sh
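Review bot: The new `echo $trusted` and `echo $trusted6` lines print variables that install.sh never sets: `trusted` and `trusted6` are assigned in rules.sh, not anywhere visible in this file, so the "Please revise trusted IPs in:" message is followed by two empty lines unless the caller happens to export them. Assigning them in install.sh before the message (`trusted=/etc/network/firewall/trustedips.conf` and `trusted6=/etc/network/firewall/trustedips6.conf`, the same paths rules.sh uses) fixes the message, and creating those files when absent would keep rules.sh from handing a missing file to egrep on first boot. The two `-f` tests combine `-o` with `==` inside `[ ]`, which is the deprecated ambiguous form; `if [[ ! -f /etc/network/firewall/rules.sh || "$1" == "-f" ]]; then` (and the same for init.sh) is the plain bash spelling. Since `-f` overwrites a locally edited /etc/network/firewall/rules.sh with the repository copy, that behaviour is worth stating in the usage text.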
@@ -1,63 +1,104 @@
 #!/bin/bash
+trusted=/etc/network/firewall/trustedips.conf
+trusted6=/etc/network/firewall/trustedips6.conf
+
+# WAN interface
+WAN="eth0"
+
+#---------------------------------------------------------------------------
 input="INPUT-CUSTOM"
 iptables -F $input
 iptables -F DOCKER-USER
 ip6tables -F $input
+# Open ipv4 trusted IPs
+for i in $(egrep -v "^#|^$" $trusted ); do
+ iptables -A $input -s $i -j ACCEPT -m comment --comment "Trusted ipv4 ($i)"
+ iptables -A $input -d $i -j ACCEPT -m comment --comment "Trusted ipv4 ($i)"
+done
-#gootips (Trusted IPs)
-
-for i in $(cat ); do
-
+# Open ipv6 trusted IPs
+for i in $(egrep -v "^#|^$" $trusted6 ); do
+ ip6tables -A $input -s $i -j ACCEPT -m comment --comment "Trusted ipv6 ($i)"
+ ip6tables -A $input -d $i -j ACCEPT -m comment --comment "Trusted ipv6 ($i)"
 done
 iptables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
+ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
 iptables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related"
+ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"
 iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
+#ip6tables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
-iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
+#iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
+#ip6tables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
-ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
+iptables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
+ip6tables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
-ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"
+# START custom rules -------------------------------------------------------------
-
-
-# start custom rules
-
-#Bloqueio ping da morte
+#Block ping of death
+#ipv4
 echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
-iptables -N PING-MORTE
-iptables -A $input -p icmp --icmp-type echo-request -j PING-MORTE
-iptables -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
-iptables -A PING-MORTE -j DROP
-
-#bloquear ataque do tipo SYN-FLOOD (Precisa-se definir uma $WAN)
+iptables -N PING-DEATH
+iptables -A $input -p icmp --icmp-type echo-request -j PING-DEATH
+iptables -A PING-DEATH -m limit --limit 1/s --limit-burst 4 -j RETURN
+iptables -A PING-DEATH -j DROP -m comment --comment "Accept SSH"
+
+#ipv6
+#echo "0" > /proc/sys/net/ipv6/icmp_echo_ignore_all # BUG- In ipv6 the path is another.
+#echo "0" > /proc/sys/net/ipv6/icmp/echo_ignore_all
+#ip6tables -N DEATH-PING6
+#ip6tables -A $input -p icmp --icmp-type echo-request -j PING-DEATH6
+#ip6tables -A DEATH-PING6 -m limit --limit 1/s --limit-burst 4 -j RETURN
+#ip6tables -A DEATH-PING6 -j DROP
+
+# Block SYN-FLOOD atack (the $WAN variable is required)
 if [ "X$WAN" != "X" ]; then
+ #ipv4
 echo "0" > /proc/sys/net/ipv4/tcp_syncookies
 iptables -N syn-flood
 iptables -A $input -i $WAN -p tcp --syn -j syn-flood
 iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
 iptables -A syn-flood -j DROP
+# #ipv6
+# echo "0" > /proc/sys/net/ipv6/tcp_syncookies
+# ip6tables -N syn-flood6
+# ip6tables -A $input -i $WAN -p tcp --syn -j syn-flood6
+# ip6tables -A syn-flood6 -m limit --limit 1/s --limit-burst 4 -j RETURN
+# ip6tables -A syn-flood6 -j DROP
 if
-#Bloqueio de ataque ssh de força bruta(Precisa-se definir uma $WAN)
+#Block ssh brute force (the $WAN variable is required)
 if [ "X$WAN" != "X" ]; then
+
+ #ipv4
 iptables -N SSH-BRUT-FORCE
 iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
 iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
 iptables -A SSH-BRUT-FORCE -j DROP
+
+ #ipv6
+ ip6tables -N SSH-BRUT-FORCE6
+ ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6
+ ip6tables -A SSH-BRUT-FORCE6 -m limit --limit 1/s --limit-burst 4 -j RETURN
+ ip6tables -A SSH-BRUT-FORCE6 -j DROP
+
 fi
 #Bloqueio de scanners ocultos (Shealt Scan)
-#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
+#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
+#ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
-# end custom rules
+# END custom rules ---------------------------------------------------------------
 iptables -A $input -j RETURN
 iptables -A DOCKER-USER -j RETURN
 ip6tables -A $input -j RETURN
+#EOF
+
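Review bot: The SSH brute-force limiter still watches the old port: `iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE` and the new `ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6` should both say `--dport 44200` to match the ACCEPT rules this commit moved, otherwise the limit applies to a port nothing listens on. Even with the port corrected the chain is never consulted, because `-A` appends the two `--dport 44200 -j ACCEPT` lines ahead of the SSH-BRUT-FORCE jumps and the first matching rule wins; placing the ACCEPT lines after the brute-force block (or inserting the jumps with `-I`) is needed for the limit to take effect. Two copy-paste slips are worth fixing in the same pass: `iptables -A PING-DEATH -j DROP -m comment --comment "Accept SSH"` labels a DROP as "Accept SSH", and the commented-out ip6tables ICMP rules use `-p icmp --icmp-type`, which ip6tables does not accept (`-p icmpv6 --icmpv6-type echo-request` is the IPv6 form), so they will fail the moment they are uncommented. The line between `iptables -A syn-flood -j DROP` and the `#Block ssh brute force` comment reads `if` where a closing `fi` is expected; if the file really contains `if`, bash rejects the whole script with a syntax error, though this may be a rendering artifact of the patch.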