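#!/bin/sh
#
# firewall script
#
# Usage: firewall {start|stop|restart|force-reload|status}
#
# Installs a default-deny INPUT/OUTPUT/FORWARD policy for IPv4 and IPv6 with
# iptables/ip6tables and opens only the services listed in the "Custom rules"
# sections.  Every section prints a coloured status line; the line reads
# [FAILED] (and the script exits non-zero) when iptables refused any rule in
# that section, instead of reporting [OK] regardless of outcome.
#
# Must run as root.  PUBIF is an Ansible template placeholder rendered at
# deploy time; it is only referenced by the commented-out LOG rule.
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
IPT4=/sbin/iptables
IPT6=/sbin/ip6tables
# shellcheck disable=SC2034 — kept for init-script tooling that reads it
NAME=firewall
DESC="packet filter"
# shellcheck disable=SC2034 — used by the commented-out LOG rule below
PUBIF="{{ ansible_default_ipv4.interface }}"
#PRIVATEIF=eth1

# ANSI colours for the status output (printf expands the escapes).
C_YELLOW='\033[33m'
C_GREEN='\033[32m'
C_RED='\033[31m'
C_RESET='\033[0m'

# Set to 1 by fw() when a rule is refused; cleared by section_status().
section_failed=0
# Exit status of the script; becomes 1 once any section has failed.
exit_status=0

#######################################
# Run one iptables/ip6tables command and remember a non-zero exit so the
# current section's status line can report it.  iptables' own stderr is left
# visible so the operator sees which rule was refused.
# Arguments: the command and its arguments
# Globals:   section_failed (written)
#######################################
fw() {
  "$@" || section_failed=1
}

#######################################
# Print the status line for the rules run since the previous status line.
# Arguments: $1 - human-readable section description
# Globals:   section_failed (read, reset), exit_status (written on failure)
# Outputs:   " * <desc> : [OK]" or " * <desc> : [FAILED]" on stdout
#######################################
section_status() {
  if [ "$section_failed" -eq 0 ]; then
    printf " * %s : ${C_GREEN}[OK] ${C_RESET}\n" "$1"
  else
    printf " * %s : ${C_RED}[FAILED] ${C_RESET}\n" "$1"
    exit_status=1
  fi
  section_failed=0
}

#######################################
# Load the IPv4 ruleset.
# Globals: IPT4 (read)
#######################################
start_ipv4() {
  printf " ${C_YELLOW}IPv4 : ${C_RESET}\n"

  # Default-deny on every built-in chain; everything allowed is explicit below.
  fw "$IPT4" -P INPUT DROP
  fw "$IPT4" -P OUTPUT DROP
  fw "$IPT4" -P FORWARD DROP
  section_status "Deny all input and output IPv4 connections"

  # Unlimited access to loopback
  fw "$IPT4" -A INPUT -i lo -j ACCEPT
  fw "$IPT4" -A OUTPUT -o lo -j ACCEPT
  section_status "Accept all loopback connections"

  # Full outgoing access; inbound only for packets belonging to tracked
  # connections (this also admits ICMP errors RELATED to them).
  fw "$IPT4" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw "$IPT4" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access" -j ACCEPT
  section_status "Don't break IPv4 established connections"

  # Answer pings, rate-limited: the limit match has to sit on the ACCEPT rule
  # that precedes the ICMP DROP below, otherwise it is never reached.
  fw "$IPT4" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
  fw "$IPT4" -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  section_status "Accept request & reply ICMP requests"

  ## Protection rules
  # SMURF / ping-flood protection: any unsolicited ICMP not accepted above is dropped.
  fw "$IPT4" -A INPUT -p icmp -j DROP
  # Unsolicited RST packets are accepted only at a limited rate; the excess is
  # dropped explicitly rather than left to fall through.
  fw "$IPT4" -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
  fw "$IPT4" -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
  section_status "IPv4 protection rules"

  # Admin chain: source addresses allowed to reach the management ports.
  # A packet that matches no source returns to INPUT and reaches the final REJECT.
  fw "$IPT4" -N ADMIN
  fw "$IPT4" -A ADMIN -s 51.158.69.165/32 -m comment --comment "monit.brainsys.io" -j ACCEPT
  fw "$IPT4" -A ADMIN -s 82.66.138.56/32 -m comment --comment "wireguard.brainsys.io" -j ACCEPT
  section_status "Creating admin chain"

  # Custom rules.  --syn is a TCP-only match: it must not appear on the UDP
  # WireGuard rule, or iptables rejects the option and the rule is never loaded.
  fw "$IPT4" -A INPUT -p udp --dport 51820 -m comment --comment "admin - IPv4 wireguard" -j ADMIN
  #fw "$IPT4" -A INPUT -p tcp --dport 22 --syn -m comment --comment "admin - IPv4 ssh" -j ADMIN
  fw "$IPT4" -A INPUT -p tcp --dport 873 --syn -m comment --comment "admin - IPv4 rsync" -j ADMIN
  fw "$IPT4" -A INPUT -p tcp --dport 5666 --syn -m comment --comment "admin - IPv4 nrpe" -j ADMIN
  fw "$IPT4" -A INPUT -p tcp --dport 4949 --syn -m comment --comment "admin - IPv4 munin-node" -j ADMIN
  fw "$IPT4" -A INPUT -p tcp --dport 22 -m comment --comment "IPv4 ssh" -j ACCEPT
  fw "$IPT4" -A INPUT -p tcp --dport 80 -m comment --comment "IPv4 http" -j ACCEPT
  fw "$IPT4" -A INPUT -p tcp --dport 443 -m comment --comment "IPv4 https" -j ACCEPT
  section_status "Custom IPv4 rules"

  # REJECT everything else: TCP gets a reset, UDP the default ICMP port-unreachable
  fw "$IPT4" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  fw "$IPT4" -A INPUT -p udp -j REJECT
  section_status "Reject everything else"
}

#######################################
# Load the IPv6 ruleset.
# Globals: IPT6 (read)
#######################################
start_ipv6() {
  printf " ${C_YELLOW}IPv6 : ${C_RESET}\n"

  # Default-deny on every built-in chain
  fw "$IPT6" -P INPUT DROP
  fw "$IPT6" -P OUTPUT DROP
  fw "$IPT6" -P FORWARD DROP
  section_status "Deny all input and output IPv6 connections"

  # Unlimited access to loopback
  fw "$IPT6" -A INPUT -i lo -j ACCEPT
  fw "$IPT6" -A OUTPUT -o lo -j ACCEPT
  section_status "Accept all loopback connections"

  # Full outgoing access; inbound only for tracked connections
  fw "$IPT6" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw "$IPT6" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access" -j ACCEPT
  section_status "Don't break IPv6 established connections"

  # ICMPv6 must not be dropped wholesale: neighbour discovery, router
  # advertisements and packet-too-big all travel over it.  Only echo-request
  # is rate-limited (ping-flood protection); everything else is accepted.
  fw "$IPT6" -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 2/second -j ACCEPT
  fw "$IPT6" -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
  fw "$IPT6" -A INPUT -p icmpv6 -j ACCEPT
  fw "$IPT6" -A OUTPUT -p icmpv6 -j ACCEPT
  section_status "Accept request & reply ICMP requests"

  ## Protection rules
  # Unsolicited RST packets: rate-limited accept, explicit drop of the excess.
  fw "$IPT6" -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
  fw "$IPT6" -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
  section_status "IPv6 protection rules"

  # Custom rules (ssh and smtp are deliberately not exposed over IPv6)
  fw "$IPT6" -A INPUT -p tcp --dport 80 --syn -m comment --comment "IPv6 http" -j ACCEPT
  fw "$IPT6" -A INPUT -p tcp --dport 443 --syn -m comment --comment "IPv6 https" -j ACCEPT
  #fw "$IPT6" -A INPUT -p tcp --dport 22 -m comment --comment "IPv6 ssh" -j ACCEPT
  #fw "$IPT6" -A INPUT -p tcp --dport 25 -m comment --comment "IPv6 smtp" -j ACCEPT
  section_status "Custom IPv6 rules"

  # REJECT everything else
  fw "$IPT6" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  fw "$IPT6" -A INPUT -p udp -j REJECT
  section_status "Reject everything else"

  # Log everything else
  #fw "$IPT6" -A INPUT -i "$PUBIF" -j LOG --log-prefix "Firewall IPv6 : "
}

#######################################
# Remove the IPv4 ruleset and open the built-in chains.  Policies are set to
# ACCEPT before flushing so there is no window with DROP policies and no
# rules, which would stall an SSH session driving a remote restart.
# Globals: IPT4 (read)
#######################################
stop_ipv4() {
  fw "$IPT4" -P FORWARD ACCEPT
  fw "$IPT4" -P INPUT ACCEPT
  fw "$IPT4" -P OUTPUT ACCEPT
  fw "$IPT4" -F
  fw "$IPT4" -X
  fw "$IPT4" -t nat -F
  fw "$IPT4" -t nat -X
  fw "$IPT4" -t mangle -F
  fw "$IPT4" -t mangle -X
  section_status "Cleaning IPv4 chains and rules"
}

#######################################
# Remove the IPv6 ruleset and open the built-in chains (same ordering
# rationale as stop_ipv4).
# Globals: IPT6 (read)
#######################################
stop_ipv6() {
  fw "$IPT6" -P FORWARD ACCEPT
  fw "$IPT6" -P INPUT ACCEPT
  fw "$IPT6" -P OUTPUT ACCEPT
  fw "$IPT6" -F
  fw "$IPT6" -X
  fw "$IPT6" -t mangle -F
  fw "$IPT6" -t mangle -X
  section_status "Cleaning IPv6 chains and rules"
}

case "$1" in
  start)
    printf 'Initializing %s. \n' "$DESC"
    ### IPv4 ###
    start_ipv4
    ### IPv6 ###
    start_ipv6
    ;;
  stop)
    printf 'Resetting %s. \n' "$DESC"
    stop_ipv4
    stop_ipv6
    printf '\n'
    ;;
  restart|force-reload)
    # Re-invoke ourselves so each phase reports its own status; a failing
    # phase makes the restart exit non-zero as well.
    "$0" stop || exit_status=1
    "$0" start || exit_status=1
    ;;
  status)
    printf "${C_YELLOW}IPv4 chains and rules : ${C_RESET}\n"
    "$IPT4" -L -n -v
    printf '\n'
    printf "${C_YELLOW}IPv6 chains and rules : ${C_RESET}\n"
    "$IPT6" -L -n -v
    ;;
  *)
    printf '%s\n' "Usage: firewall {start|stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit "$exit_status"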