Firewall script and fail2ban for docker environment.

firewall.service

@@ -0,0 +1,14 @@
+
+# copy to /etc/systemd/system/
+[Unit]
+Description=Firewall Rules
+Requires=firewall-init.service
+After=firewall-init.service docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/etc/network/firewall/rules.sh
+
+[Install]
+WantedBy=multi-user.target

init.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+input="INPUT-CUSTOM"
+
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+iptables -N $input
+iptables -A INPUT -j $input
+
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT ACCEPT
+ip6tables -N $input
+ip6tables -A INPUT -j $input
+

install.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ "$USER" != "root"  ] ; then
+   printf "Are you root? \nsudo ./install.sh\n"
+   exit 1
+fi
+
+#if [ "X$(which dialog)" == "X" ]; then
+#   apt -y install dialog
+#fi
+
+if [ "X$(which fail2ban-client)" == "X" ]; then
+  apt -y install fail2ban
+fi
+
+if [ ! -d /etc/network/firewall ] ; then
+   mkdir -p /etc/network/firewall
+fi
+
+cp -v firewall.service /etc/systemd/system/
+cp -v firewall-init.service /etc/systemd/system/
+
+systemctl enable firewall.service
+systemctl enable firewall-init.service
+
+if [ ! -f /etc/network/firewall/rules.sh ] ; then
+   cp -v rules.sh /etc/network/firewall/
+fi
+
+if [ ! -f /etc/network/firewall/init.sh  ] ; then
+   cp -v init.sh /etc/network/firewall/
+fi
+

rules.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+
+input="INPUT-CUSTOM"
+
+iptables -F $input
+iptables -F DOCKER-USER
+ip6tables -F $input
+
+
+#gootips (Trusted IPs)
+
+for i in $(cat ); do
+
+done
+
+iptables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
+
+iptables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related"
+
+iptables -A $input -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
+
+iptables -A $input -p tcp --dport 22 -j ACCEPT -m comment --comment "Accept SSH"
+
+ip6tables -A $input -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
+
+ip6tables -A $input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"
+
+
+
+# start custom rules
+
+#Bloqueio ping da morte
+echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
+iptables -N PING-MORTE
+iptables -A $input -p icmp --icmp-type echo-request -j PING-MORTE
+iptables -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
+iptables -A PING-MORTE -j DROP
+
+#bloquear ataque do tipo SYN-FLOOD (Precisa-se definir uma $WAN)
+if [ "X$WAN" != "X" ]; then
+  echo "0" > /proc/sys/net/ipv4/tcp_syncookies
+  iptables -N syn-flood
+  iptables -A $input -i $WAN -p tcp --syn -j syn-flood
+  iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
+  iptables -A syn-flood -j DROP
+if
+
+#Bloqueio de ataque ssh de força bruta(Precisa-se definir uma $WAN)
+if [ "X$WAN" != "X" ]; then
+  iptables -N SSH-BRUT-FORCE
+  iptables -A $input -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
+  iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
+  iptables -A SSH-BRUT-FORCE -j DROP
+fi
+
+#Bloqueio de scanners ocultos (Shealt Scan)
+#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
+
+# end custom rules
+
+iptables -A $input -j RETURN
+iptables -A DOCKER-USER -j RETURN
+ip6tables -A $input -j RETURN