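#!/bin/bash
#
# Build the INPUT-CUSTOM chain for iptables and ip6tables and reset DOCKER-USER.
#
# Reads /etc/network/firewall/firewall.cfg, which must define:
#   SSHPORT - TCP port on which SSH is accepted (required)
#   WAN     - name of the Internet-facing interface; when empty, the
#             per-interface rate limits (SYN flood, SSH brute force) are skipped
# Trusted addresses come from trustedips.conf / trustedips6.conf: one or more
# addresses or CIDRs per line, '#' lines and blank lines ignored.
#
# Rule order matters: a packet that matches an ACCEPT leaves the chain, so the
# jumps into the rate-limit chains are appended BEFORE the unconditional ACCEPT
# rules for the same traffic (pings, SSH). Otherwise those chains are dead code.

trusted=/etc/network/firewall/trustedips.conf
trusted6=/etc/network/firewall/trustedips6.conf
# shellcheck disable=SC1091
. /etc/network/firewall/firewall.cfg

# Validate the configuration before touching any rule, so a broken config
# cannot leave the host with SSH unreachable.
: "${SSHPORT:?SSHPORT must be set in /etc/network/firewall/firewall.cfg}"
WAN=${WAN:-}
set -u

readonly input="INPUT-CUSTOM"
readonly config_d=/etc/network/firewall/config.d

#######################################
# Create a chain if it does not exist, otherwise flush it, so that re-running
# this script does not append duplicate rules to the rate-limit chains.
# Arguments: $1 - iptables or ip6tables; $2 - chain name
#######################################
ensure_chain() {
  local tool=$1 chain=$2
  "$tool" -N "$chain" 2>/dev/null || "$tool" -F "$chain"
}

#######################################
# Fill a rate-limit chain: RETURN (caller keeps evaluating) while the rate is
# at most 1/s with a burst of 4, DROP everything above that.
# Arguments: $1 - iptables or ip6tables; $2 - chain name; $3 - rule comment
#######################################
rate_limit_chain() {
  local tool=$1 chain=$2 comment=$3
  ensure_chain "$tool" "$chain"
  "$tool" -A "$chain" -m limit --limit 1/s --limit-burst 4 -j RETURN
  "$tool" -A "$chain" -j DROP -m comment --comment "$comment"
}

#######################################
# ACCEPT traffic from and to every address/CIDR listed in a trusted-IP file.
# Arguments: $1 - iptables or ip6tables; $2 - "ipv4"/"ipv6" (for the rule
#            comment); $3 - path of the list file
# Outputs:   warning on stderr when the file is missing or unreadable
#######################################
add_trusted() {
  local tool=$1 family=$2 file=$3 ip
  local -a tokens=()
  if [[ ! -r "$file" ]]; then
    printf 'warning: %s not readable, no trusted %s addresses added\n' "$file" "$family" >&2
    return 0
  fi
  # Several whitespace-separated entries per line are accepted, as before.
  while read -r -a tokens; do
    [[ ${#tokens[@]} -gt 0 ]] || continue
    for ip in "${tokens[@]}"; do
      "$tool" -A "$input" -s "$ip" -j ACCEPT -m comment --comment "Trusted $family ($ip)"
      "$tool" -A "$input" -d "$ip" -j ACCEPT -m comment --comment "Trusted $family ($ip)"
    done
  done < <(grep -Ev '^#|^$' -- "$file")
}

#---------------------------------------------------------------------------
iptables -F "$input"
ip6tables -F "$input"

# DOCKER-USER only exists when Docker is installed; reset it to a bare RETURN.
have_docker_user=0
if iptables -L DOCKER-USER -n >/dev/null 2>&1; then
  have_docker_user=1
  iptables -F DOCKER-USER
fi

# Trusted hosts bypass everything that follows, including the rate limits.
add_trusted iptables ipv4 "$trusted"
add_trusted ip6tables ipv6 "$trusted6"

iptables -A "$input" -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
ip6tables -A "$input" -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
# With this rule in place only NEW connections reach the rate limits below.
iptables -A "$input" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related"
ip6tables -A "$input" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"

# START custom rules (rate limits) -----------------------------------------

# Ping flood: keep answering pings (icmp_echo_ignore_all=0) but at most 1/s.
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
rate_limit_chain iptables PING-DEATH "PING DEATH BLOCKED"
iptables -A "$input" -p icmp --icmp-type echo-request -j PING-DEATH
# ipv6: left disabled. Whoever enables it: ip6tables needs
# "-p ipv6-icmp --icmpv6-type echo-request" (not -p icmp), and the sysctl
# lives at /proc/sys/net/ipv6/icmp/echo_ignore_all.
#echo "0" > /proc/sys/net/ipv6/icmp/echo_ignore_all
#rate_limit_chain ip6tables PING-DEATH6 "PING DEATH BLOCKED"
#ip6tables -A "$input" -p ipv6-icmp --icmpv6-type echo-request -j PING-DEATH6

# SYN flood on the WAN interface (requires $WAN).
if [[ -n "$WAN" ]]; then
  # SYN cookies stay ENABLED (1): they are the kernel's own SYN-flood defence
  # and the rate limit below only complements them. Writing 0 here would
  # switch that defence off.
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  rate_limit_chain iptables syn-flood "SYN flood limited"
  iptables -A "$input" -i "$WAN" -p tcp --syn -j syn-flood
  # ipv6: there is no separate ipv6 tcp_syncookies sysctl (the ipv4 one covers
  # TCP over both families); the ip6tables chain is left disabled as before.
  #rate_limit_chain ip6tables syn-flood6 "SYN flood limited"
  #ip6tables -A "$input" -i "$WAN" -p tcp --syn -j syn-flood6
fi

# SSH brute force on the WAN interface (requires $WAN): port 22 is always
# limited, plus $SSHPORT when it differs.
if [[ -n "$WAN" ]]; then
  rate_limit_chain iptables SSH-BRUT-FORCE "SSH brute force limited"
  rate_limit_chain ip6tables SSH-BRUT-FORCE6 "SSH brute force limited"
  ssh_ports=(22)
  if [[ "$SSHPORT" != "22" ]]; then
    ssh_ports+=("$SSHPORT")
  fi
  for port in "${ssh_ports[@]}"; do
    iptables -A "$input" -i "$WAN" -p tcp --dport "$port" -j SSH-BRUT-FORCE
    ip6tables -A "$input" -i "$WAN" -p tcp --dport "$port" -j SSH-BRUT-FORCE6
  done
fi

# Block stealth scans (disabled; the original rules are not valid iptables
# syntax as written).
#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
#ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT

# END custom rules ---------------------------------------------------------

# Unconditional accepts come AFTER the rate-limit jumps above.
iptables -A "$input" -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
#ip6tables -A "$input" -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT -m comment --comment "Accept pings"
iptables -A "$input" -p tcp --dport "$SSHPORT" -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"
ip6tables -A "$input" -p tcp --dport "$SSHPORT" -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"

# EXEC scripts in config.d - BE CAREFUL: every regular file there is run as a
# bash script with root privileges, so only root-owned, non-world-writable
# files belong in that directory.
if [[ -d "$config_d" ]]; then
  find "$config_d" -type f -exec bash {} \;
fi

iptables -A "$input" -j RETURN
ip6tables -A "$input" -j RETURN
if (( have_docker_user )); then
  iptables -A DOCKER-USER -j RETURN
fi
#EOF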