ricardo.leite
/
firewall
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

22/tcp port chanceg to 44200/tcp

main
Ricardo Leite 4 years ago
parent
70912a7ff7
commit
566e855313
3 changed files with 72 additions and 24 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +0
    -0
      init.sh
  2. +10
    -3
      install.sh
  3. +62
    -21
      rules.sh

+ 0
- 0
init.sh View File


+ 10
- 3
install.sh View File

@ -1,11 +1,13 @@
#!/bin/bash
# Author: Ricardo Leite Gaonçalves - 2021/7
# http://www.davinti.com.br
#
if [ "$USER" != "root" ] ; then
printf "Are you root? \nsudo ./install.sh\n"
exit 1
fi
#if [ "X$(which dialog)" == "X" ]; then
# apt -y install dialog
#fi
@ -37,11 +39,16 @@ cp -v firewall-init.service /etc/systemd/system/
systemctl enable firewall.service
systemctl enable firewall-init.service
if [ ! -f /etc/network/firewall/rules.sh ] ; then
if [ ! -f /etc/network/firewall/rules.sh -o "$1" == "-f" ] ; then
cp -v rules.sh /etc/network/firewall/
fi
if [ ! -f /etc/network/firewall/init.sh ] ; then
if [ ! -f /etc/network/firewall/init.sh -o "$1" == "-f" ] ; then
cp -v init.sh /etc/network/firewall/
fi
echo ""
echo !!! Please revise trusted IPs in:
echo $trusted
echo $trusted6
echo ""

+ 62
- 21
rules.sh View File

@ -1,63 +1,104 @@
#!/bin/bash
trusted=/etc/network/firewall/trustedips.conf
trusted6=/etc/network/firewall/trustedips6.conf
# WAN interface
WAN="eth0"
#---------------------------------------------------------------------------
input="INPUT-CUSTOM"
iptables -F $input
iptables -F DOCKER-USER
ip6tables -F $input
# Open ipv4 trusted IPs
for i in $(egrep -v "^#|^$" $trusted ); do
iptables -A $input -s $i -j ACCEPT -m comment --comment "Trusted ipv4 ($i)"
iptables -A $input -d $i -j ACCEPT -m comment --comment "Trusted ipv4 ($i)"
done
#gootips (Trusted IPs)
for i in $(cat ); do
# Open ipv6 trusted IPs
for i in $(egrep -v "^#|^$" $trusted6 ); do
ip6tables -A $input -s $i -j ACCEPT -m comment --comment "Trusted ipv6 ($i)"
ip6tables -A $input -d $i -j ACCEPT -m comment --comment "Trusted ipv6 ($i)"
done
iptables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
iptables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related"
ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"
iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
#ip6tables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
#iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
#ip6tables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
iptables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
ip6tables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"
# START custom rules -------------------------------------------------------------
# start custom rules
#Bloqueio ping da morte
#Block ping of death
#ipv4
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
iptables -N PING-MORTE
iptables -A $input -p icmp --icmp-type echo-request -j PING-MORTE
iptables -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A PING-MORTE -j DROP
#bloquear ataque do tipo SYN-FLOOD (Precisa-se definir uma $WAN)
iptables -N PING-DEATH
iptables -A $input -p icmp --icmp-type echo-request -j PING-DEATH
iptables -A PING-DEATH -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A PING-DEATH -j DROP -m comment --comment "Accept SSH"
#ipv6
#echo "0" > /proc/sys/net/ipv6/icmp_echo_ignore_all # BUG- In ipv6 the path is another.
#echo "0" > /proc/sys/net/ipv6/icmp/echo_ignore_all
#ip6tables -N DEATH-PING6
#ip6tables -A $input -p icmp --icmp-type echo-request -j PING-DEATH6
#ip6tables -A DEATH-PING6 -m limit --limit 1/s --limit-burst 4 -j RETURN
#ip6tables -A DEATH-PING6 -j DROP
# Block SYN-FLOOD atack (the $WAN variable is required)
if [ "X$WAN" != "X" ]; then
#ipv4
echo "0" > /proc/sys/net/ipv4/tcp_syncookies
iptables -N syn-flood
iptables -A $input -i $WAN -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# #ipv6
# echo "0" > /proc/sys/net/ipv6/tcp_syncookies
# ip6tables -N syn-flood6
# ip6tables -A $input -i $WAN -p tcp --syn -j syn-flood6
# ip6tables -A syn-flood6 -m limit --limit 1/s --limit-burst 4 -j RETURN
# ip6tables -A syn-flood6 -j DROP
if
#Bloqueio de ataque ssh de força bruta(Precisa-se definir uma $WAN)
#Block ssh brute force (the $WAN variable is required)
if [ "X$WAN" != "X" ]; then
#ipv4
iptables -N SSH-BRUT-FORCE
iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SSH-BRUT-FORCE -j DROP
#ipv6
ip6tables -N SSH-BRUT-FORCE6
ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6
ip6tables -A SSH-BRUT-FORCE6 -m limit --limit 1/s --limit-burst 4 -j RETURN
ip6tables -A SSH-BRUT-FORCE6 -j DROP
fi
#Bloqueio de scanners ocultos (Shealt Scan)
#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
#ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
# end custom rules
# END custom rules ---------------------------------------------------------------
iptables -A $input -j RETURN
iptables -A DOCKER-USER -j RETURN
ip6tables -A $input -j RETURN
#EOF

Write Preview
Loading…
Cancel
Save