diff --git a/firewall.cfg b/firewall.cfg
new file mode 100644
index 0000000..c14c865
--- /dev/null
+++ b/firewall.cfg
@@ -0,0 +1,7 @@
+#General firewall configurations
+
+
+# WAN interface
+WAN="eth0"
+# SSH PORT
+SSHPORT=44200
diff --git a/install.sh b/install.sh
index 7977e82..f3d34bd 100755
--- a/install.sh
+++ b/install.sh
@@ -3,6 +3,9 @@ # http://www.davinti.com.br
 #
+trusted=/etc/network/firewall/trustedips.conf
+trusted6=/etc/network/firewall/trustedips6.conf
+
 if [ "$USER" != "root" ] ; then
 printf "Are you root? \nsudo ./install.sh\n"
 exit 1
@@ -20,8 +23,10 @@ if [ ! -d /etc/network/firewall ] ; then
 mkdir -p /etc/network/firewall
 fi
-trusted=/etc/network/firewall/trustedips.conf
-trusted6=/etc/network/firewall/trustedips6.conf
+if [ ! -d /etc/network/firewall/config.d ] ; then
+mkdir -p /etc/network/firewall/config.d
+fi
+
 if [ ! -f $trusted ]; then
 # Include all local ipv4 ips (but commented), and open localhost ipv4.
@@ -47,8 +52,15 @@ if [ ! -f /etc/network/firewall/init.sh -o "$1" == "-f" ] ; then
 cp -v init.sh /etc/network/firewall/
 fi
+if [ ! -f /etc/network/firewall/firewall.cfg -o "$1" == "-f" ] ; then
+cp -v firewall.cfg /etc/network/firewall/
+fi
+
 echo ""
-echo !!! Please revise trusted IPs in:
+echo !!! Please revise configuration files:
 echo $trusted
 echo $trusted6
+echo /etc/network/firewall/firewall.cfg
+echo /etc/network/firewall/rules.sh
+file /etc/network/firewall/config.d -type f
 echo ""
diff --git a/rules.sh b/rules.sh
index af9a448..c26b550 100755
--- a/rules.sh
+++ b/rules.sh
@@ -3,8 +3,7 @@ trusted=/etc/network/firewall/trustedips.conf
 trusted6=/etc/network/firewall/trustedips6.conf
-# WAN interface
-WAN="eth0"
+. /etc/network/firewall/firewall.cfg
 #---------------------------------------------------------------------------
 input="INPUT-CUSTOM"
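Review bot: The header comment of firewall.cfg should state that the file is sourced as shell by rules.sh (the `. /etc/network/firewall/firewall.cfg` line added in this commit), so anything placed in it is executed as root when the rules are loaded and only `NAME=value` assignments belong here; e.g. `# Sourced by rules.sh as shell code (runs as root): keep only VAR=value lines`. The SSHPORT comment could also state the expected form, since rules.sh passes the value straight to `--dport`: `# SSH PORT (numeric TCP port; rules.sh passes it to --dport as-is)`. It is worth noting next to WAN that leaving it empty disables the brute-force block in rules.sh, which is guarded by `if [ "X$WAN" != "X" ]`.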
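Review bot: `mkdir -p /etc/network/firewall/config.d` creates the directory with whatever mode the caller's umask yields and does nothing when the directory already exists, yet rules.sh in this same commit executes every file found there as root; owner and mode should be set explicitly on every install run. The three-line `if` block can become `install -d -m 0755 -o root -g root /etc/network/firewall/config.d`, which both creates and re-applies ownership and mode. The same consideration applies to the pre-existing `mkdir -p /etc/network/firewall` just above, which lies outside the changed lines.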
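Review bot: `file /etc/network/firewall/config.d -type f` invokes file(1), not find(1), so the last added line of the "Please revise configuration files" listing prints an error instead of listing the drop-in scripts; it should read `find /etc/network/firewall/config.d -type f`. The neighbouring `echo $trusted` and `echo $trusted6` lines expand the paths unquoted, which only works because the current paths contain no whitespace; `printf '%s\n' "$trusted"` is the robust form should they ever change.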
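Review bot: `. /etc/network/firewall/firewall.cfg` is sourced without checking that the file exists or that it set the values the rest of rules.sh depends on; if it is absent, WAN is empty (silently skipping the brute-force block guarded by `if [ "X$WAN" != "X" ]`) and SSHPORT is empty, so the `--dport $SSHPORT` ACCEPT rules in the hunk at -34 and the jumps in the hunk at -79 are rejected by iptables and, unless the script runs under `set -e` (not visible here), it carries on with no SSH rule installed. Guard it up front: `[ -r /etc/network/firewall/firewall.cfg ] || { echo "firewall.cfg missing" >&2; exit 1; }`, then `. /etc/network/firewall/firewall.cfg`, then `case $SSHPORT in ''|*[!0-9]*) echo "SSHPORT must be numeric" >&2; exit 1 ;; esac`. Because the sourced file is executed as root, install.sh should also ensure it is root-owned and not group- or world-writable.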
@@ -34,11 +33,8 @@ ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comm
 iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
 #ip6tables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
-#iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
-#ip6tables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
-
-iptables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
-ip6tables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
+iptables -A $input -p tcp --dport $SSHPORT -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"
+ip6tables -A $input -p tcp --dport $SSHPORT -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"
 # START custom rules -------------------------------------------------------------
@@ -48,7 +44,7 @@ echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
 iptables -N PING-DEATH
 iptables -A $input -p icmp --icmp-type echo-request -j PING-DEATH
 iptables -A PING-DEATH -m limit --limit 1/s --limit-burst 4 -j RETURN
-iptables -A PING-DEATH -j DROP -m comment --comment "Accept SSH"
+iptables -A PING-DEATH -j DROP -m comment --comment "PING DEATH BLOCKED"
 #ipv6
 #echo "0" > /proc/sys/net/ipv6/icmp_echo_ignore_all # BUG- In ipv6 the path is another.
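Review bot: The two `--dport $SSHPORT -j ACCEPT` rules are appended to $input here (around line 36), ahead of the `-j SSH-BRUT-FORCE` jump for the same port that the hunk at -79 appends to the same chain; since both use `-A`, the ACCEPT matches first and the rate limiter never sees $SSHPORT traffic, assuming nothing in between flushes or reorders the chain. Either move these two ACCEPT lines after the brute-force block or insert the limiter jump ahead of them. Only $SSHPORT is affected: the port-22 ACCEPT lines this hunk removes were already commented out.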
@@ -79,12 +75,19 @@ if [ "X$WAN" != "X" ]; then
 #ipv4
 iptables -N SSH-BRUT-FORCE
+ if [ $SSHPORT != "22" ] ; then
+ iptables -A $input -i $WAN -p tcp --dport $SSHPORT -j SSH-BRUT-FORCE
+ fi
 iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
+
 iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
 iptables -A SSH-BRUT-FORCE -j DROP
 #ipv6
 ip6tables -N SSH-BRUT-FORCE6
+ if [ $SSHPORT != "22" ] ; then
+ ip6tables -A $input -i $WAN -p tcp --dport $SSHPORT -j SSH-BRUT-FORCE
+ fi
 ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6
 ip6tables -A SSH-BRUT-FORCE6 -m limit --limit 1/s --limit-burst 4 -j RETURN
 ip6tables -A SSH-BRUT-FORCE6 -j DROP
@@ -97,6 +100,9 @@ fi
 # END custom rules ---------------------------------------------------------------
+# EXEC scripts in /etc/network/firewall/config.d - BE CAREFULL
+find /etc/network/firewall/config.d -type f -exec bash {} \;
+
 iptables -A $input -j RETURN
 iptables -A DOCKER-USER -j RETURN
 ip6tables -A $input -j RETURN
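Review bot: The ip6tables jump added for $SSHPORT targets `SSH-BRUT-FORCE`, the IPv4 chain name, which does not exist in the ip6tables table (the chain created just above it is `SSH-BRUT-FORCE6`), so ip6tables rejects the rule and the IPv6 limiter only ever covers port 22; the line should be `ip6tables -A $input -i $WAN -p tcp --dport $SSHPORT -j SSH-BRUT-FORCE6`. Both new tests leave $SSHPORT unquoted, so an empty value turns `[ $SSHPORT != "22" ]` into a test syntax error; write `if [ "$SSHPORT" != "22" ] ; then` in both places. The enclosing `if [ "X$WAN" != "X" ]` block starts before the hunk and closes after it.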
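Review bot: `find /etc/network/firewall/config.d -type f -exec bash {} \;` runs every file in the directory as root in raw directory order, with no check on ownership or permissions, and a failing script leaves no trace in the exit status, so the resulting rule set depends on filesystem order and on nobody else being able to write there. Restrict execution to root-owned files not writable by others and run them in a deterministic order, e.g. `find /etc/network/firewall/config.d -type f -user root ! -perm /022 | LC_ALL=C sort | while IFS= read -r f; do bash "$f" || echo "config.d: $f failed" >&2; done` (`-perm /022` is GNU find). Scripts started via `bash` also do not see unexported variables such as `input`, `WAN` or `SSHPORT`; export them, or source the files, if drop-ins are meant to reuse them. The comment should read `# EXEC scripts in /etc/network/firewall/config.d - BE CAREFUL: they run as root`.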