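#!/bin/sh
#
# firewall script
# <ludovic.cartier@brainsys.io>
#
# Rendered by Ansible (PUBIF comes from ansible_default_ipv4.interface).
# Host-level packet filter: default-deny INPUT/FORWARD, unrestricted OUTPUT,
# an IPv4 ADMIN source allow-list for management services, and public
# SSH/HTTP/HTTPS.  "stop" removes every rule and opens the host (fail-open),
# so prefer "restart", which rebuilds the ruleset without an ACCEPT window.
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
IPT4=/sbin/iptables
IPT6=/sbin/ip6tables
NAME=firewall
DESC="packet filter"
PUBIF="{{ ansible_default_ipv4.interface }}"
#PRIVATEIF=eth1

# A rule that fails to load must not be skipped while "[OK]" is still
# printed: abort instead.  Policies are set to DROP before any rule is
# added, so an abort leaves the host closed rather than half-open.
set -e

# Progress output.  printf is used instead of echo because dash and bash
# disagree on whether echo interprets "\033" and "\n".
section() { printf ' \033[33m%s : \033[0m\n' "$1"; }
ok()      { printf ' * %s : \033[32m[OK] \033[0m\n' "$1"; }

# Empty the tables this script touches and delete user chains, leaving the
# chain policies alone.  Used by start (so re-running start is idempotent:
# no duplicated rules, no "chain already exists" from -N ADMIN) and by stop.
flush_v4() {
    $IPT4 -F
    $IPT4 -X
    $IPT4 -t nat -F
    $IPT4 -t nat -X
    $IPT4 -t mangle -F
    $IPT4 -t mangle -X
}
flush_v6() {
    $IPT6 -F
    $IPT6 -X
    $IPT6 -t mangle -F
    $IPT6 -t mangle -X
}

# Both tools are required for every action; fail loudly instead of
# producing a ruleset for one address family only.
for bin in "$IPT4" "$IPT6"; do
    if [ ! -x "$bin" ]; then
        printf '%s: %s is missing or not executable\n' "$NAME" "$bin" >&2
        exit 1
    fi
done

case "$1" in
start)
    printf 'Initializing %s. \n' "$DESC"
    ### IPv4 ###
    section "IPv4"
    # Close everything first, then clear any previous ruleset under the
    # DROP policy so a rebuild never exposes the host.
    $IPT4 -P INPUT DROP
    $IPT4 -P OUTPUT DROP
    $IPT4 -P FORWARD DROP
    flush_v4
    ok "Deny all input and output IPv4 connections"
    # Unlimited access to loopback
    $IPT4 -A INPUT -i lo -j ACCEPT
    $IPT4 -A OUTPUT -o lo -j ACCEPT
    ok "Accept all loopback connections"
    # Outbound is unrestricted; inbound only for flows conntrack already
    # knows.  RELATED also admits ICMP errors that belong to those flows
    # (e.g. fragmentation-needed), so PMTU discovery keeps working even
    # though unsolicited ICMP is dropped below.
    $IPT4 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT4 -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access" -j ACCEPT
    ok "Don't break IPv4 established connections"
    # Ping is answered but rate-limited (bounds a ping flood / smurf
    # reflection).  The previous ruleset placed its limit rule after an
    # unconditional ICMP DROP, so the limit never matched and echo-request
    # was accepted without any bound.
    $IPT4 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
    $IPT4 -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    ok "Accept request & reply ICMP requests"
    ## Protection rules
    # Any other unsolicited ICMP is dropped.  The INPUT policy would do the
    # same; the explicit rule keeps the counters visible in "status".
    $IPT4 -A INPUT -p icmp -j DROP
    # Stray RSTs (those not matching a tracked flow, which were accepted
    # above) are admitted at 2/s; anything beyond falls through to the
    # REJECT at the end of the chain.
    $IPT4 -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    ok "IPv4 protection rules"
    # Admin chain: management services are reachable only from these
    # sources.  Packets from anywhere else RETURN to INPUT and end up in
    # the REJECT below.
    $IPT4 -N ADMIN
    $IPT4 -A ADMIN -s 51.158.69.165/32 -m comment --comment "monit.brainsys.io" -j ACCEPT
    $IPT4 -A ADMIN -s 82.66.138.56/32 -m comment --comment "wireguard.brainsys.io" -j ACCEPT
    ok "Creating admin chain"
    # Custom rules.  "--syn" belongs to the tcp match; iptables refuses it
    # on a UDP rule, so the WireGuard rule previously never loaded and
    # 51820 stayed closed.  The TCP rules carry --syn so that only
    # connection openings are decided here; mid-stream packets have to
    # match conntrack instead.
    $IPT4 -A INPUT -p udp --dport 51820 -m comment --comment "admin - IPv4 wireguard" -j ADMIN
    #$IPT4 -A INPUT -p tcp --dport 22 --syn -m comment --comment "admin - IPv4 ssh" -j ADMIN
    $IPT4 -A INPUT -p tcp --dport 873 --syn -m comment --comment "admin - IPv4 rsync" -j ADMIN
    $IPT4 -A INPUT -p tcp --dport 5666 --syn -m comment --comment "admin - IPv4 nrpe" -j ADMIN
    $IPT4 -A INPUT -p tcp --dport 4949 --syn -m comment --comment "admin - IPv4 munin-node" -j ADMIN
    # SSH is deliberately world-reachable.  To restrict it to the admin
    # sources, re-enable the ADMIN ssh rule above and remove this one.
    $IPT4 -A INPUT -p tcp --dport 22 --syn -m comment --comment "IPv4 ssh" -j ACCEPT
    $IPT4 -A INPUT -p tcp --dport 80 --syn -m comment --comment "IPv4 http" -j ACCEPT
    $IPT4 -A INPUT -p tcp --dport 443 --syn -m comment --comment "IPv4 https" -j ACCEPT
    ok "Custom IPv4 rules"
    # REJECT everything else (non-TCP/UDP protocols fall to the DROP policy)
    $IPT4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT4 -A INPUT -p udp -j REJECT
    ok "Reject everything else"
    ### IPv6 ###
    section "IPv6"
    # Same sequence as IPv4: close, clear, rebuild.
    $IPT6 -P INPUT DROP
    $IPT6 -P OUTPUT DROP
    $IPT6 -P FORWARD DROP
    flush_v6
    ok "Deny all input and output IPv6 connections"
    # Unlimited access to loopback
    $IPT6 -A INPUT -i lo -j ACCEPT
    $IPT6 -A OUTPUT -o lo -j ACCEPT
    ok "Accept all loopback connections"
    # Allow full outgoing connection but no incoming stuff
    $IPT6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT6 -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access" -j ACCEPT
    ok "Don't break IPv6 established connections"
    # All ICMPv6 is accepted: neighbor/router discovery (types 133-137)
    # and packet-too-big (type 2) travel over ICMPv6 and IPv6 does not
    # work without them, which the echo-only variant below would break.
    # If this is narrowed later, keep at least those types (see RFC 4890).
    #$IPT6 -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    #$IPT6 -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
    $IPT6 -A INPUT -p icmpv6 -j ACCEPT
    $IPT6 -A OUTPUT -p icmpv6 -j ACCEPT
    ok "Accept request & reply ICMP requests"
    ## Protection rules
    # No ICMPv6 drop/limit pair here: the accept-all rule above shadows it
    # (the previous DROP + limit rules could never match).
    $IPT6 -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    ok "IPv6 protection rules"
    # Custom rules.  There is no ADMIN chain for IPv6: rsync, nrpe,
    # munin-node and WireGuard are reachable over IPv4 only.
    $IPT6 -A INPUT -p tcp --dport 80 --syn -m comment --comment "IPv6 http" -j ACCEPT
    $IPT6 -A INPUT -p tcp --dport 443 --syn -m comment --comment "IPv6 https" -j ACCEPT
    #$IPT6 -A INPUT -p tcp --dport 22 --syn -m comment --comment "IPv6 ssh" -j ACCEPT
    #$IPT6 -A INPUT -p tcp --dport 25 --syn -m comment --comment "IPv6 smtp" -j ACCEPT
    ok "Custom IPv6 rules"
    # REJECT everything else
    $IPT6 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT6 -A INPUT -p udp -j REJECT
    ok "Reject everything else"
    # Log everything else
    #$IPT6 -A INPUT -i "$PUBIF" -j LOG --log-prefix "Firewall IPv6 : "
    ;;
stop)
    printf 'Resetting %s. \n' "$DESC"
    # NOTE: this opens the host completely (ACCEPT policies, no rules).
    ### IPv4 ###
    flush_v4
    $IPT4 -P FORWARD ACCEPT
    $IPT4 -P INPUT ACCEPT
    $IPT4 -P OUTPUT ACCEPT
    ok "Cleaning IPv4 chains and rules"
    ### IPv6 ###
    flush_v6
    $IPT6 -P FORWARD ACCEPT
    $IPT6 -P INPUT ACCEPT
    $IPT6 -P OUTPUT ACCEPT
    ok "Cleaning IPv6 chains and rules"
    echo
    ;;
restart|force-reload)
    # start flushes the old ruleset itself (under DROP policies), so a
    # preceding stop - and its fail-open window - is not needed.
    "$0" start
    ;;
status)
    printf '\033[33mIPv4 chains and rules : \033[0m\n'
    $IPT4 -L -n -v
    echo
    printf '\033[33mIPv6 chains and rules : \033[0m\n'
    $IPT6 -L -n -v
    ;;
*)
    echo "Usage: firewall {start|stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac
exit 0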