22/tcp port chanceg to 44200/tcp

install.sh

@@ -1,11 +1,13 @@
 #!/bin/bash
+# Author: Ricardo Leite Gaonçalves - 2021/7
+# http://www.davinti.com.br
+#
 
 if [ "$USER" != "root"  ] ; then
    printf "Are you root? \nsudo ./install.sh\n"
    exit 1
 fi
 
-
 #if [ "X$(which dialog)" == "X" ]; then
 #   apt -y install dialog
 #fi
@@ -37,11 +39,16 @@ cp -v firewall-init.service /etc/systemd/system/
 systemctl enable firewall.service
 systemctl enable firewall-init.service
 
-if [ ! -f /etc/network/firewall/rules.sh ] ; then
+if [ ! -f /etc/network/firewall/rules.sh -o "$1" == "-f" ] ; then
    cp -v rules.sh /etc/network/firewall/
 fi
 
-if [ ! -f /etc/network/firewall/init.sh  ] ; then
+if [ ! -f /etc/network/firewall/init.sh -o "$1" == "-f" ] ; then
    cp -v init.sh /etc/network/firewall/
 fi
 
+echo ""
+echo !!! Please revise trusted IPs in: 
+echo $trusted
+echo $trusted6
+echo ""

rules.sh

@@ -1,63 +1,104 @@
 #!/bin/bash
 
+trusted=/etc/network/firewall/trustedips.conf
+trusted6=/etc/network/firewall/trustedips6.conf
+
+# WAN interface
+WAN="eth0"
+
+#---------------------------------------------------------------------------
 input="INPUT-CUSTOM"
 
 iptables -F $input
 iptables -F DOCKER-USER
 ip6tables -F $input
 
+# Open ipv4 trusted IPs
+for i in $(egrep -v "^#|^$" $trusted ); do
+   iptables -A $input -s $i -j ACCEPT -m comment --comment "Trusted ipv4 ($i)"
+   iptables -A $input -d $i -j ACCEPT -m comment --comment "Trusted ipv4 ($i)"
+done
 
-#gootips (Trusted IPs)
-
-for i in $(cat ); do
-
+# Open ipv6 trusted IPs
+for i in $(egrep -v "^#|^$" $trusted6 ); do
+   ip6tables -A $input -s $i -j ACCEPT -m comment --comment "Trusted ipv6 ($i)"
+   ip6tables -A $input -d $i -j ACCEPT -m comment --comment "Trusted ipv6 ($i)"
 done
 
 iptables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
+ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
 
 iptables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related"
+ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"
 
 iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
+#ip6tables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings" 
 
-iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
+#iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
+#ip6tables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
 
-ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
+iptables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
+ip6tables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
 
-ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"
+# START custom rules -------------------------------------------------------------
 
-
-
-# start custom rules
-
-#Bloqueio ping da morte
+#Block ping of death
+#ipv4
 echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
-iptables -N PING-MORTE
-iptables -A $input -p icmp --icmp-type echo-request -j PING-MORTE
-iptables -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
-iptables -A PING-MORTE -j DROP
-
-#bloquear ataque do tipo SYN-FLOOD (Precisa-se definir uma $WAN)
+iptables -N PING-DEATH
+iptables -A $input -p icmp --icmp-type echo-request -j PING-DEATH
+iptables -A PING-DEATH -m limit --limit 1/s --limit-burst 4 -j RETURN
+iptables -A PING-DEATH -j DROP -m comment --comment "Accept SSH"
+
+#ipv6
+#echo "0" > /proc/sys/net/ipv6/icmp_echo_ignore_all # BUG- In ipv6 the path is another.
+#echo "0" > /proc/sys/net/ipv6/icmp/echo_ignore_all
+#ip6tables -N DEATH-PING6
+#ip6tables -A $input -p icmp --icmp-type echo-request -j PING-DEATH6
+#ip6tables -A DEATH-PING6 -m limit --limit 1/s --limit-burst 4 -j RETURN
+#ip6tables -A DEATH-PING6 -j DROP
+
+# Block SYN-FLOOD atack (the $WAN variable is required)
 if [ "X$WAN" != "X" ]; then
+  #ipv4
   echo "0" > /proc/sys/net/ipv4/tcp_syncookies
   iptables -N syn-flood
   iptables -A $input -i $WAN -p tcp --syn -j syn-flood
   iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
   iptables -A syn-flood -j DROP
+#  #ipv6
+#  echo "0" > /proc/sys/net/ipv6/tcp_syncookies
+#  ip6tables -N syn-flood6
+#  ip6tables -A $input -i $WAN -p tcp --syn -j syn-flood6
+#  ip6tables -A syn-flood6 -m limit --limit 1/s --limit-burst 4 -j RETURN
+#  ip6tables -A syn-flood6 -j DROP
 if
 
-#Bloqueio de ataque ssh de força bruta(Precisa-se definir uma $WAN)
+#Block ssh brute force (the $WAN variable is required)
 if [ "X$WAN" != "X" ]; then
+
+  #ipv4
   iptables -N SSH-BRUT-FORCE
   iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
   iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
   iptables -A SSH-BRUT-FORCE -j DROP
+
+  #ipv6
+  ip6tables -N SSH-BRUT-FORCE6
+  ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6
+  ip6tables -A SSH-BRUT-FORCE6 -m limit --limit 1/s --limit-burst 4 -j RETURN
+  ip6tables -A SSH-BRUT-FORCE6 -j DROP
+
 fi
 
 #Bloqueio de scanners ocultos (Shealt Scan)
-#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
+#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
+#ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
 
-# end custom rules
+# END custom rules ---------------------------------------------------------------
 
 iptables -A $input -j RETURN
 iptables -A DOCKER-USER -j RETURN
 ip6tables -A $input -j RETURN
+#EOF
+