Scripts de firewall iptables compatíveis com docker e com fail2log.
 


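#!/bin/bash
# Populate the INPUT-CUSTOM chain (ipv4 + ipv6) and the DOCKER-USER chain.
#
# Inputs:
#   /etc/network/firewall/firewall.cfg   - sourced; must define SSHPORT, may
#                                          define WAN (the WAN interface name;
#                                          when empty the WAN-only rate-limit
#                                          jumps are not installed).
#   /etc/network/firewall/trustedips.conf  and  trustedips6.conf
#                                        - one address/prefix per line, '#'
#                                          comments and blank lines ignored.
#   /etc/network/firewall/config.d/*     - extra scripts executed as root.
#
# Rule order inside INPUT-CUSTOM matters: ACCEPT is terminating, so the
# rate-limit chains (PING-DEATH, syn-flood, SSH-BRUT-FORCE*) are jumped to
# BEFORE the unconditional ACCEPT rules for ping and SSH; placing them after
# the ACCEPTs would make them unreachable.
trusted=/etc/network/firewall/trustedips.conf
trusted6=/etc/network/firewall/trustedips6.conf
. /etc/network/firewall/firewall.cfg
#---------------------------------------------------------------------------
input="INPUT-CUSTOM"
# Fail before touching any chain rather than leave a half-built ruleset.
: "${SSHPORT:?SSHPORT must be set in /etc/network/firewall/firewall.cfg}"
wan=${WAN:-}

#######################################
# Create a chain if it does not exist, otherwise empty it, so the script
# behaves the same on the first and on every later run.
# Arguments: $1 - iptables|ip6tables, $2 - chain name
#######################################
ensure_chain() {
  local tool=$1 chain=$2
  # -N fails (to stderr) when the chain already exists; flush it in that case.
  "$tool" -N "$chain" 2>/dev/null || "$tool" -F "$chain"
}

#######################################
# Write a kernel tunable under /proc/sys, skipping (with a warning) when the
# entry is absent, e.g. because the ipv6 path layout differs from ipv4.
# Arguments: $1 - /proc/sys path, $2 - value
#######################################
set_sysctl() {
  local path=$1 value=$2
  if [[ -w "$path" ]]; then
    printf '%s\n' "$value" > "$path"
  else
    printf 'warn: %s is not writable, skipping\n' "$path" >&2
  fi
}

#######################################
# Fill a rate-limit chain: packets within the limit RETURN to the caller,
# the excess is dropped.
# NOTE: -m limit is one global token bucket, not per source address; a single
# noisy peer can exhaust it for everybody. -m hashlimit --hashlimit-mode srcip
# would limit per source if that is wanted.
# Arguments: $1 - iptables|ip6tables, $2 - chain, $3 - comment on the DROP rule
#######################################
fill_limit_chain() {
  local tool=$1 chain=$2 comment=$3
  "$tool" -A "$chain" -m limit --limit 1/s --limit-burst 4 -j RETURN
  "$tool" -A "$chain" -j DROP -m comment --comment "$comment"
}

#######################################
# Append ACCEPT rules (source and destination) for every address listed in a
# trusted-IP file. Lines are read whole, so an address is never word-split;
# '#' comments (full-line or trailing) and blank lines are ignored.
# Globals:   input (read)
# Arguments: $1 - iptables|ip6tables, $2 - file, $3 - label for the comment
#######################################
accept_trusted() {
  local tool=$1 file=$2 label=$3 addr
  if [[ ! -r "$file" ]]; then
    printf 'warn: %s missing or unreadable, no %s trusted IPs loaded\n' "$file" "$label" >&2
    return 0
  fi
  while IFS= read -r addr || [[ -n "$addr" ]]; do
    addr=${addr%%#*}             # drop trailing comment
    addr=${addr//[[:space:]]/}   # drop surrounding whitespace
    [[ -n "$addr" ]] || continue
    "$tool" -A "$input" -s "$addr" -j ACCEPT -m comment --comment "Trusted $label ($addr)"
    "$tool" -A "$input" -d "$addr" -j ACCEPT -m comment --comment "Trusted $label ($addr)"
  done < "$file"
}

# Clear the entry chains (expected to already exist: INPUT-CUSTOM from
# whatever jumps to it, DOCKER-USER from docker).
iptables -F "$input"
iptables -F DOCKER-USER
ip6tables -F "$input"

# Custom rate-limit chains: create-or-flush, then fill.
#---------------------
ensure_chain iptables  PING-DEATH
ensure_chain iptables  syn-flood
ensure_chain iptables  SSH-BRUT-FORCE
ensure_chain ip6tables SSH-BRUT-FORCE6
fill_limit_chain iptables  PING-DEATH      "PING DEATH BLOCKED"
fill_limit_chain iptables  syn-flood       "SYN FLOOD BLOCKED"
fill_limit_chain iptables  SSH-BRUT-FORCE  "SSH BRUTE FORCE BLOCKED"
fill_limit_chain ip6tables SSH-BRUT-FORCE6 "SSH BRUTE FORCE BLOCKED"
#---------------------

# Trusted IPs bypass everything below, including the rate limits.
accept_trusted iptables  "$trusted"  ipv4
accept_trusted ip6tables "$trusted6" ipv6

iptables  -A "$input" -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
ip6tables -A "$input" -i lo -j ACCEPT -m comment --comment "Accept loopback traffic"
iptables  -A "$input" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related"
ip6tables -A "$input" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept established, related traffic"

# START custom rules -------------------------------------------------------------
# Ping of death (ipv4): answer echo-requests, but only at the PING-DEATH rate.
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_all 0
iptables -A "$input" -p icmp --icmp-type echo-request -j PING-DEATH
# ipv6 echo is intentionally not opened here (ip6tables would need
# -p icmpv6 --icmpv6-type echo-request and a separate limit chain).

# WAN-only protections (the $WAN variable is required).
if [[ -n "$wan" ]]; then
  # Keep the kernel's own SYN-flood defence enabled alongside the chain
  # below; writing 0 here would switch SYN cookies off.
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  # Every new TCP connection arriving on WAN passes the global syn-flood
  # bucket first (1/s, burst 4 - see fill_limit_chain for the caveat).
  iptables -A "$input" -i "$wan" -p tcp --syn -j syn-flood
  # SSH brute force: both port 22 and the configured port are limited.
  iptables  -A "$input" -i "$wan" -p tcp --dport 22 -j SSH-BRUT-FORCE
  ip6tables -A "$input" -i "$wan" -p tcp --dport 22 -j SSH-BRUT-FORCE6
  if [[ "$SSHPORT" != "22" ]]; then
    iptables  -A "$input" -i "$wan" -p tcp --dport "$SSHPORT" -j SSH-BRUT-FORCE
    ip6tables -A "$input" -i "$wan" -p tcp --dport "$SSHPORT" -j SSH-BRUT-FORCE6
  fi
fi

# Unconditional accepts, placed AFTER the rate-limit jumps on purpose.
iptables  -A "$input" -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
#ip6tables -A "$input" -p icmp -m icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept pings"
iptables  -A "$input" -p tcp --dport "$SSHPORT" -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"
ip6tables -A "$input" -p tcp --dport "$SSHPORT" -j ACCEPT -m comment --comment "Accept SSH ($SSHPORT/TCP)"

# Stealth-scan blocking (disabled; kept from the original for reference)
#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
#ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
# END custom rules ---------------------------------------------------------------

# Every regular file in config.d is executed as root via bash, in find's
# (unspecified) order. Anyone who can write to that directory can add rules
# or run arbitrary commands here, so it must stay root-owned and not
# group/world writable - BE CAREFUL.
find /etc/network/firewall/config.d -type f -exec bash {} \;

iptables  -A "$input" -j RETURN
iptables  -A DOCKER-USER -j RETURN
ip6tables -A "$input" -j RETURN
#EOF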