ricardo.leite/firewall
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

22/tcp port chanceg to 44200/tcp

Browse Source
This commit is contained in:
Ricardo Leite
2021-07-20 07:29:30 +00:00
parent 70912a7ff7
commit 566e855313
3 changed files with 72 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
init.sh
Regular → Executable
View File
install.sh
+10 -3
View File
@@ -1,11 +1,13 @@
#!/bin/bash #!/bin/bash
# Author: Ricardo Leite Gaonçalves - 2021/7
# http://www.davinti.com.br
#
if [ "$USER" != "root" ] ; then if [ "$USER" != "root" ] ; then
printf "Are you root? \nsudo ./install.sh\n" printf "Are you root? \nsudo ./install.sh\n"
exit 1 exit 1
fi fi
#if [ "X$(which dialog)" == "X" ]; then #if [ "X$(which dialog)" == "X" ]; then
# apt -y install dialog # apt -y install dialog
#fi #fi
@@ -37,11 +39,16 @@ cp -v firewall-init.service /etc/systemd/system/
systemctl enable firewall.service systemctl enable firewall.service
systemctl enable firewall-init.service systemctl enable firewall-init.service
if [ ! -f /etc/network/firewall/rules.sh ] ; then if [ ! -f /etc/network/firewall/rules.sh -o "$1" == "-f" ] ; then
cp -v rules.sh /etc/network/firewall/ cp -v rules.sh /etc/network/firewall/
fi fi
if [ ! -f /etc/network/firewall/init.sh ] ; then if [ ! -f /etc/network/firewall/init.sh -o "$1" == "-f" ] ; then
cp -v init.sh /etc/network/firewall/ cp -v init.sh /etc/network/firewall/
fi fi
echo ""
echo !!! Please revise trusted IPs in:
echo $trusted
echo $trusted6
echo ""
rules.sh
Regular → Executable
+62 -21
View File
@@ -1,63 +1,104 @@
#!/bin/bash #!/bin/bash
trusted=/etc/network/firewall/trustedips.conf
trusted6=/etc/network/firewall/trustedips6.conf
# WAN interface
WAN="eth0"
#---------------------------------------------------------------------------
input="INPUT-CUSTOM" input="INPUT-CUSTOM"
iptables -F $input iptables -F $input
iptables -F DOCKER-USER iptables -F DOCKER-USER
ip6tables -F $input ip6tables -F $input
# Open ipv4 trusted IPs
for i in $(egrep -v "^#|^$" $trusted ); do
iptables -A $input -s $i -j ACCEPT -m comment --comment "Trusted ipv4 ($i)"
iptables -A $input -d $i -j ACCEPT -m comment --comment "Trusted ipv4 ($i)"
done
#gootips (Trusted IPs) # Open ipv6 trusted IPs
for i in $(egrep -v "^#|^$" $trusted6 ); do
for i in $(cat ); do ip6tables -A $input -s $i -j ACCEPT -m comment --comment "Trusted ipv6 ($i)"
ip6tables -A $input -d $i -j ACCEPT -m comment --comment "Trusted ipv6 ($i)"
done done
iptables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic" iptables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
iptables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related"
iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic" ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
iptables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related"
ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic" ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"
iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
#ip6tables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
#iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
#ip6tables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
# start custom rules iptables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
ip6tables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
#Bloqueio ping da morte # START custom rules -------------------------------------------------------------
#Block ping of death
#ipv4
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
iptables -N PING-MORTE iptables -N PING-DEATH
iptables -A $input -p icmp --icmp-type echo-request -j PING-MORTE iptables -A $input -p icmp --icmp-type echo-request -j PING-DEATH
iptables -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A PING-DEATH -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A PING-MORTE -j DROP iptables -A PING-DEATH -j DROP -m comment --comment "Accept SSH"
#bloquear ataque do tipo SYN-FLOOD (Precisa-se definir uma $WAN) #ipv6
#echo "0" > /proc/sys/net/ipv6/icmp_echo_ignore_all # BUG- In ipv6 the path is another.
#echo "0" > /proc/sys/net/ipv6/icmp/echo_ignore_all
#ip6tables -N DEATH-PING6
#ip6tables -A $input -p icmp --icmp-type echo-request -j PING-DEATH6
#ip6tables -A DEATH-PING6 -m limit --limit 1/s --limit-burst 4 -j RETURN
#ip6tables -A DEATH-PING6 -j DROP
# Block SYN-FLOOD atack (the $WAN variable is required)
if [ "X$WAN" != "X" ]; then if [ "X$WAN" != "X" ]; then
#ipv4
echo "0" > /proc/sys/net/ipv4/tcp_syncookies echo "0" > /proc/sys/net/ipv4/tcp_syncookies
iptables -N syn-flood iptables -N syn-flood
iptables -A $input -i $WAN -p tcp --syn -j syn-flood iptables -A $input -i $WAN -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP iptables -A syn-flood -j DROP
# #ipv6
# echo "0" > /proc/sys/net/ipv6/tcp_syncookies
# ip6tables -N syn-flood6
# ip6tables -A $input -i $WAN -p tcp --syn -j syn-flood6
# ip6tables -A syn-flood6 -m limit --limit 1/s --limit-burst 4 -j RETURN
# ip6tables -A syn-flood6 -j DROP
if if
#Bloqueio de ataque ssh de força bruta(Precisa-se definir uma $WAN) #Block ssh brute force (the $WAN variable is required)
if [ "X$WAN" != "X" ]; then if [ "X$WAN" != "X" ]; then
#ipv4
iptables -N SSH-BRUT-FORCE iptables -N SSH-BRUT-FORCE
iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SSH-BRUT-FORCE -j DROP iptables -A SSH-BRUT-FORCE -j DROP
#ipv6
ip6tables -N SSH-BRUT-FORCE6
ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6
ip6tables -A SSH-BRUT-FORCE6 -m limit --limit 1/s --limit-burst 4 -j RETURN
ip6tables -A SSH-BRUT-FORCE6 -j DROP
fi fi
#Bloqueio de scanners ocultos (Shealt Scan) #Bloqueio de scanners ocultos (Shealt Scan)
#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT #iptables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
#ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
# end custom rules # END custom rules ---------------------------------------------------------------
iptables -A $input -j RETURN iptables -A $input -j RETURN
iptables -A DOCKER-USER -j RETURN iptables -A DOCKER-USER -j RETURN
ip6tables -A $input -j RETURN ip6tables -A $input -j RETURN
#EOF