
added /etc/network/firewall/config.d scripts and firewall.cfg

main
Ricardo Leite 4 years ago
parent
commit
a6f4de3359
3 changed files with 36 additions and 11 deletions
  1. +7
    -0
      firewall.cfg
  2. +15
    -3
      install.sh
  3. +14
    -8
      rules.sh

+ 7
- 0
firewall.cfg View File

@ -0,0 +1,7 @@
#General firewall configurations
# WAN interface
WAN="eth0"
# SSH PORT
SSHPORT=44200
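Review bot: firewall.cfg is loaded by rules.sh with `. /etc/network/firewall/firewall.cfg`, so it is executed as shell rather than parsed as data, and its header comment should say so; I would replace `#General firewall configurations` with `# General firewall configuration. Sourced by rules.sh as a shell script: NAME=value assignments only, no spaces around '='.` A comment next to `SSHPORT=44200` noting that rules.sh requires it to be set would also help, since rules.sh expands it unquoted in `[ $SSHPORT != "22" ]` and in `--dport $SSHPORT`, where an empty value produces a test syntax error and malformed iptables rules instead of a clear message.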

+ 15
- 3
install.sh View File

@ -3,6 +3,9 @@
# http://www.davinti.com.br # http://www.davinti.com.br
# #
trusted=/etc/network/firewall/trustedips.conf
trusted6=/etc/network/firewall/trustedips6.conf
if [ "$USER" != "root" ] ; then if [ "$USER" != "root" ] ; then
printf "Are you root? \nsudo ./install.sh\n" printf "Are you root? \nsudo ./install.sh\n"
exit 1 exit 1
@ -20,8 +23,10 @@ if [ ! -d /etc/network/firewall ] ; then
mkdir -p /etc/network/firewall mkdir -p /etc/network/firewall
fi fi
trusted=/etc/network/firewall/trustedips.conf
trusted6=/etc/network/firewall/trustedips6.conf
if [ ! -d /etc/network/firewall/config.d ] ; then
mkdir -p /etc/network/firewall/config.d
fi
if [ ! -f $trusted ]; then if [ ! -f $trusted ]; then
# Include all local ipv4 ips (but commented), and open localhost ipv4. # Include all local ipv4 ips (but commented), and open localhost ipv4.
@ -47,8 +52,15 @@ if [ ! -f /etc/network/firewall/init.sh -o "$1" == "-f" ] ; then
cp -v init.sh /etc/network/firewall/ cp -v init.sh /etc/network/firewall/
fi fi
if [ ! -f /etc/network/firewall/firewall.cfg -o "$1" == "-f" ] ; then
cp -v firewall.cfg /etc/network/firewall/
fi
echo "" echo ""
echo !!! Please revise trusted IPs in:
echo !!! Please revise configuration files:
echo $trusted echo $trusted
echo $trusted6 echo $trusted6
echo /etc/network/firewall/firewall.cfg
echo /etc/network/firewall/rules.sh
file /etc/network/firewall/config.d -type f
echo "" echo ""
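Review bot: In the `@ -47,8 +52,15` hunk the added line `file /etc/network/firewall/config.d -type f` calls `file`, not `find`, so it prints a usage error instead of listing the drop-in scripts; it should read `find /etc/network/firewall/config.d -type f`. The `@ -20,8 +23,10` hunk creates config.d with a bare `mkdir -p`, inheriting whatever umask the installer runs under, yet rules.sh later executes every file in that directory as root and sources firewall.cfg; the install step should pin the mode explicitly, e.g. `mkdir -p -m 750 /etc/network/firewall/config.d` and `chmod 640 /etc/network/firewall/firewall.cfg` after the copy, and a short comment at the mkdir saying why (`# rules.sh runs every file here as root: keep it root-owned and not group/world-writable`). The `echo $trusted` lines in the same hunk predate this commit but the new `echo /etc/network/firewall/...` lines copy their unquoted style; quoting the paths costs nothing.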

+ 14
- 8
rules.sh View File

@ -3,8 +3,7 @@
trusted=/etc/network/firewall/trustedips.conf trusted=/etc/network/firewall/trustedips.conf
trusted6=/etc/network/firewall/trustedips6.conf trusted6=/etc/network/firewall/trustedips6.conf
# WAN interface
WAN="eth0"
. /etc/network/firewall/firewall.cfg
#--------------------------------------------------------------------------- #---------------------------------------------------------------------------
input="INPUT-CUSTOM" input="INPUT-CUSTOM"
@ -34,11 +33,8 @@ ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comm
iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings" iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
#ip6tables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings" #ip6tables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
#iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
#ip6tables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
iptables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
ip6tables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
iptables -A $input -p tcp --dport $SSHPORT -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"
ip6tables -A $input -p tcp --dport $SSHPORT -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"
# START custom rules ------------------------------------------------------------- # START custom rules -------------------------------------------------------------
@ -48,7 +44,7 @@ echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
iptables -N PING-DEATH iptables -N PING-DEATH
iptables -A $input -p icmp --icmp-type echo-request -j PING-DEATH iptables -A $input -p icmp --icmp-type echo-request -j PING-DEATH
iptables -A PING-DEATH -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A PING-DEATH -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A PING-DEATH -j DROP -m comment --comment "Accept SSH"
iptables -A PING-DEATH -j DROP -m comment --comment "PING DEATH BLOCKED"
#ipv6 #ipv6
#echo "0" > /proc/sys/net/ipv6/icmp_echo_ignore_all # BUG- In ipv6 the path is another. #echo "0" > /proc/sys/net/ipv6/icmp_echo_ignore_all # BUG- In ipv6 the path is another.
@ -79,12 +75,19 @@ if [ "X$WAN" != "X" ]; then
#ipv4 #ipv4
iptables -N SSH-BRUT-FORCE iptables -N SSH-BRUT-FORCE
if [ $SSHPORT != "22" ] ; then
iptables -A $input -i $WAN -p tcp --dport $SSHPORT -j SSH-BRUT-FORCE
fi
iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SSH-BRUT-FORCE -j DROP iptables -A SSH-BRUT-FORCE -j DROP
#ipv6 #ipv6
ip6tables -N SSH-BRUT-FORCE6 ip6tables -N SSH-BRUT-FORCE6
if [ $SSHPORT != "22" ] ; then
ip6tables -A $input -i $WAN -p tcp --dport $SSHPORT -j SSH-BRUT-FORCE
fi
ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6 ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6
ip6tables -A SSH-BRUT-FORCE6 -m limit --limit 1/s --limit-burst 4 -j RETURN ip6tables -A SSH-BRUT-FORCE6 -m limit --limit 1/s --limit-burst 4 -j RETURN
ip6tables -A SSH-BRUT-FORCE6 -j DROP ip6tables -A SSH-BRUT-FORCE6 -j DROP
@ -97,6 +100,9 @@ fi
# END custom rules --------------------------------------------------------------- # END custom rules ---------------------------------------------------------------
# EXEC scripts in /etc/network/firewall/config.d - BE CAREFULL
find /etc/network/firewall/config.d -type f -exec bash {} \;
iptables -A $input -j RETURN iptables -A $input -j RETURN
iptables -A DOCKER-USER -j RETURN iptables -A DOCKER-USER -j RETURN
ip6tables -A $input -j RETURN ip6tables -A $input -j RETURN
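Review bot: In the `@ -79,12 +75,19` hunk the added IPv6 rule `ip6tables -A $input -i $WAN -p tcp --dport $SSHPORT -j SSH-BRUT-FORCE` jumps to the IPv4 chain name, but the ip6tables chain created two lines above is `SSH-BRUT-FORCE6`, so ip6tables rejects the rule and the custom SSH port gets no IPv6 rate limiting (the script continues, so the failure is only visible on stderr); it should be `-j SSH-BRUT-FORCE6`. Both `if [ $SSHPORT != "22" ] ; then` tests in that hunk should quote the variable, `if [ "$SSHPORT" != "22" ] ; then`, so an unset or empty value from firewall.cfg fails as a clear comparison rather than a test syntax error. Note also that the `--dport $SSHPORT -j ACCEPT` rules added in the `@ -34,11 +33,8` hunk are appended to `$input` well before the brute-force jump in this hunk, so unless something between the hunks inserts ahead of them, traffic on the custom port matches the ACCEPT first and never reaches the rate limit; the jump needs to precede the ACCEPT for the limit to have any effect.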

