ricardo.leite/firewall
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added /etc/network/firewall/config.d scripts and firewall.cfg

Browse Source
This commit is contained in:
Ricardo Leite
2021-07-20 07:55:40 +00:00
parent 566e855313
commit a6f4de3359
3 changed files with 36 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
firewall.cfg
+7
View File
@@ -0,0 +1,7 @@
#General firewall configurations
# WAN interface
WAN="eth0"
# SSH PORT
SSHPORT=44200
install.sh
+15 -3
View File
@@ -3,6 +3,9 @@
# http://www.davinti.com.br # http://www.davinti.com.br
# #
trusted=/etc/network/firewall/trustedips.conf
trusted6=/etc/network/firewall/trustedips6.conf
if [ "$USER" != "root" ] ; then if [ "$USER" != "root" ] ; then
printf "Are you root? \nsudo ./install.sh\n" printf "Are you root? \nsudo ./install.sh\n"
exit 1 exit 1
@@ -20,8 +23,10 @@ if [ ! -d /etc/network/firewall ] ; then
mkdir -p /etc/network/firewall mkdir -p /etc/network/firewall
fi fi
trusted=/etc/network/firewall/trustedips.conf if [ ! -d /etc/network/firewall/config.d ] ; then
trusted6=/etc/network/firewall/trustedips6.conf mkdir -p /etc/network/firewall/config.d
fi
if [ ! -f $trusted ]; then if [ ! -f $trusted ]; then
# Include all local ipv4 ips (but commented), and open localhost ipv4. # Include all local ipv4 ips (but commented), and open localhost ipv4.
@@ -47,8 +52,15 @@ if [ ! -f /etc/network/firewall/init.sh -o "$1" == "-f" ] ; then
cp -v init.sh /etc/network/firewall/ cp -v init.sh /etc/network/firewall/
fi fi
if [ ! -f /etc/network/firewall/firewall.cfg -o "$1" == "-f" ] ; then
cp -v firewall.cfg /etc/network/firewall/
fi
echo "" echo ""
echo !!! Please revise trusted IPs in: echo !!! Please revise configuration files:
echo $trusted echo $trusted
echo $trusted6 echo $trusted6
echo /etc/network/firewall/firewall.cfg
echo /etc/network/firewall/rules.sh
file /etc/network/firewall/config.d -type f
echo "" echo ""
rules.sh
+14 -8
View File
@@ -3,8 +3,7 @@
trusted=/etc/network/firewall/trustedips.conf trusted=/etc/network/firewall/trustedips.conf
trusted6=/etc/network/firewall/trustedips6.conf trusted6=/etc/network/firewall/trustedips6.conf
# WAN interface . /etc/network/firewall/firewall.cfg
WAN="eth0"
#--------------------------------------------------------------------------- #---------------------------------------------------------------------------
input="INPUT-CUSTOM" input="INPUT-CUSTOM"
@@ -34,11 +33,8 @@ ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comm
iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings" iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
#ip6tables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings" #ip6tables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
#iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH" iptables -A $input -p tcp --dport $SSHPORT -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"
#ip6tables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH" ip6tables -A $input -p tcp --dport $SSHPORT -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"
iptables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
ip6tables -A $input -p tcp --dport 44200 -j ACCEPT -m comment --comment "Accept SSH"
# START custom rules ------------------------------------------------------------- # START custom rules -------------------------------------------------------------
@@ -48,7 +44,7 @@ echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
iptables -N PING-DEATH iptables -N PING-DEATH
iptables -A $input -p icmp --icmp-type echo-request -j PING-DEATH iptables -A $input -p icmp --icmp-type echo-request -j PING-DEATH
iptables -A PING-DEATH -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A PING-DEATH -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A PING-DEATH -j DROP -m comment --comment "Accept SSH" iptables -A PING-DEATH -j DROP -m comment --comment "PING DEATH BLOCKED"
#ipv6 #ipv6
#echo "0" > /proc/sys/net/ipv6/icmp_echo_ignore_all # BUG- In ipv6 the path is another. #echo "0" > /proc/sys/net/ipv6/icmp_echo_ignore_all # BUG- In ipv6 the path is another.
@@ -79,12 +75,19 @@ if [ "X$WAN" != "X" ]; then
#ipv4 #ipv4
iptables -N SSH-BRUT-FORCE iptables -N SSH-BRUT-FORCE
if [ $SSHPORT != "22" ] ; then
iptables -A $input -i $WAN -p tcp --dport $SSHPORT -j SSH-BRUT-FORCE
fi
iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SSH-BRUT-FORCE -j DROP iptables -A SSH-BRUT-FORCE -j DROP
#ipv6 #ipv6
ip6tables -N SSH-BRUT-FORCE6 ip6tables -N SSH-BRUT-FORCE6
if [ $SSHPORT != "22" ] ; then
ip6tables -A $input -i $WAN -p tcp --dport $SSHPORT -j SSH-BRUT-FORCE
fi
ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6 ip6tables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE6
ip6tables -A SSH-BRUT-FORCE6 -m limit --limit 1/s --limit-burst 4 -j RETURN ip6tables -A SSH-BRUT-FORCE6 -m limit --limit 1/s --limit-burst 4 -j RETURN
ip6tables -A SSH-BRUT-FORCE6 -j DROP ip6tables -A SSH-BRUT-FORCE6 -j DROP
@@ -97,6 +100,9 @@ fi
# END custom rules --------------------------------------------------------------- # END custom rules ---------------------------------------------------------------
# EXEC scripts in /etc/network/firewall/config.d - BE CAREFULL
find /etc/network/firewall/config.d -type f -exec bash {} \;
iptables -A $input -j RETURN iptables -A $input -j RETURN
iptables -A DOCKER-USER -j RETURN iptables -A DOCKER-USER -j RETURN
ip6tables -A $input -j RETURN ip6tables -A $input -j RETURN