From b3d8d9ffd1eb8b8f4720ba5ec002a19e28f7a4c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ricardo=20Leite=20Gon=C3=A7alves?=
Date: Tue, 20 Jul 2021 04:12:20 +0000
Subject: [PATCH] Firewall script and fail2ban for docker environment.
---
 firewall.service | 14 +++++++++++
 init.sh | 16 ++++++++++++
 install.sh | 33 +++++++++++++++++++++++++
 rules.sh | 63 ++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 126 insertions(+)
 create mode 100644 firewall.service
 create mode 100644 init.sh
 create mode 100755 install.sh
 create mode 100644 rules.sh
diff --git a/firewall.service b/firewall.service
new file mode 100644
index 0000000..de1f280
--- /dev/null
+++ b/firewall.service
@@ -0,0 +1,14 @@
+
+# copy to /etc/systemd/system/
+[Unit]
+Description=Firewall Rules
+Requires=firewall-init.service
+After=firewall-init.service docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/etc/network/firewall/rules.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/init.sh b/init.sh
new file mode 100644
index 0000000..8f1d239
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+input="INPUT-CUSTOM"
+
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+iptables -N $input
+iptables -A INPUT -j $input
+
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT ACCEPT
+ip6tables -N $input
+ip6tables -A INPUT -j $input
+
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..3fbc7fd
--- /dev/null
+++ b/install.sh
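Review bot: `ExecStart=/etc/network/firewall/rules.sh` executes the script directly, but this commit adds rules.sh with mode 100644 and install.sh copies it with a plain `cp -v`, so the copy is not executable and the unit will fail at first boot with an exec error; either add `chmod 0755 /etc/network/firewall/rules.sh /etc/network/firewall/init.sh` to install.sh or use `ExecStart=/bin/bash /etc/network/firewall/rules.sh`. The same exec-bit problem applies to init.sh (also mode 100644), which the referenced firewall-init.service presumably runs. Because the unit is `Type=oneshot` with `RemainAfterExit=yes` and no `ExecStop`, a failed or partial run leaves whatever init.sh installed (policy DROP) in place until someone runs `systemctl restart firewall.service`; a comment in the unit stating that recovery path would help an operator who is locked out.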
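Review bot: The INPUT and FORWARD policies are switched to DROP here before a single ACCEPT rule exists, and the accepts only arrive later from rules.sh in a separate unit, so between the two services every packet, including an already-established SSH session, is dropped, and if rules.sh fails the host stays locked out. Adding `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (plus the ip6tables equivalents) before the `-P INPUT DROP` lines keeps existing sessions alive while the rule set is rebuilt. `$input` should be quoted, and on a re-run `iptables -N $input` fails because the chain already exists while `iptables -A INPUT -j $input` appends a duplicate jump; `iptables -N "$input" 2>/dev/null || true` followed by `iptables -C INPUT -j "$input" 2>/dev/null || iptables -A INPUT -j "$input"` makes the script idempotent.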
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ "$USER" != "root" ] ; then
+ printf "Are you root? \nsudo ./install.sh\n"
+ exit 1
+fi
+
+#if [ "X$(which dialog)" == "X" ]; then
+# apt -y install dialog
+#fi
+
+if [ "X$(which fail2ban-client)" == "X" ]; then
+ apt -y install fail2ban
+fi
+
+if [ ! -d /etc/network/firewall ] ; then
+ mkdir -p /etc/network/firewall
+fi
+
+cp -v firewall.service /etc/systemd/system/
+cp -v firewall-init.service /etc/systemd/system/
+
+systemctl enable firewall.service
+systemctl enable firewall-init.service
+
+if [ ! -f /etc/network/firewall/rules.sh ] ; then
+ cp -v rules.sh /etc/network/firewall/
+fi
+
+if [ ! -f /etc/network/firewall/init.sh ] ; then
+ cp -v init.sh /etc/network/firewall/
+fi
+
diff --git a/rules.sh b/rules.sh
new file mode 100644
index 0000000..cfc7631
--- /dev/null
+++ b/rules.sh
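Review bot: `cp -v firewall-init.service /etc/systemd/system/` and `systemctl enable firewall-init.service` refer to a unit file that is not part of this commit (the diffstat lists only firewall.service, init.sh, install.sh and rules.sh), so that copy fails and, because there is no `set -e`, the script carries on and the enable fails as well, leaving the `Requires=firewall-init.service` in firewall.service unsatisfiable. The root check should test the uid rather than `$USER`, which is environment-supplied and may be unset or stale under `su`/cron: `[ "$(id -u)" -eq 0 ] || { printf 'Are you root? \nsudo ./install.sh\n'; exit 1; }`. `which` is not guaranteed on minimal Debian images; `command -v fail2ban-client >/dev/null || apt-get -y install fail2ban` is the portable form and `apt-get` avoids apt's unstable-CLI warning in scripts. The units are copied without a following `systemctl daemon-reload`, and `systemctl enable` runs before the scripts exist under /etc/network/firewall; doing the copies first and reloading makes the first boot deterministic.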
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+input="INPUT-CUSTOM"
+
+iptables -F $input
+iptables -F DOCKER-USER
+ip6tables -F $input
+
+
+#gootips (Trusted IPs)
+
+for i in $(cat ); do
+
+done
+
+iptables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
+
+iptables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related"
+
+iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
+
+iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
+
+ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
+
+ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"
+
+
+
+# start custom rules
+
+#Bloqueio ping da morte
+echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
+iptables -N PING-MORTE
+iptables -A $input -p icmp --icmp-type echo-request -j PING-MORTE
+iptables -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
+iptables -A PING-MORTE -j DROP
+
+#bloquear ataque do tipo SYN-FLOOD (Precisa-se definir uma $WAN)
+if [ "X$WAN" != "X" ]; then
+ echo "0" > /proc/sys/net/ipv4/tcp_syncookies
+ iptables -N syn-flood
+ iptables -A $input -i $WAN -p tcp --syn -j syn-flood
+ iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
+ iptables -A syn-flood -j DROP
+if
+
+#Bloqueio de ataque ssh de força bruta(Precisa-se definir uma $WAN)
+if [ "X$WAN" != "X" ]; then
+ iptables -N SSH-BRUT-FORCE
+ iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
+ iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
+ iptables -A SSH-BRUT-FORCE -j DROP
+fi
+
+#Bloqueio de scanners ocultos (Shealt Scan)
+#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
+
+# end custom rules
+
+iptables -A $input -j RETURN
+iptables -A DOCKER-USER -j RETURN
+ip6tables -A $input -j RETURN
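Review bot: The `for i in $(cat ); do` / `done` loop has an empty body, which bash rejects as a syntax error, so the script aborts before the loopback, ESTABLISHED and SSH accepts are installed; with init.sh's INPUT DROP policy already in place that locks the host out of SSH. Either delete the placeholder loop or give it a file path and a body, and fix the `if` that closes the SYN-FLOOD block, which must be `fi` (a second syntax error that would stop the script at end of file). `echo "0" > /proc/sys/net/ipv4/tcp_syncookies` turns SYN cookies off, the opposite of what the comment above it intends; it should write `1`. The DOCKER-USER chain is flushed and then given only `-j RETURN`, so nothing here restricts ports published by containers, which bypass INPUT entirely; any WAN-side restriction meant for containers has to be inserted into DOCKER-USER before that RETURN. `$input` and `$WAN` should be quoted, and with the ip6tables policy DROP and no `-p ipv6-icmp` accept, IPv6 neighbour discovery will fail.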