Home Explore Help
Sign In
lhubert
/
lfirewall
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 21b0712b6b
Branches Tags
lfirewall
/
scripts
/
firewall

firewall 7.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249 
  1. #!/bin/sh
    2. 

  2. ### BEGIN INIT INFO
    3. 

  3. # Provides:          firewall.sh
    4. 

  4. # Required-Start:    $syslog $network
    5. 

  5. # Required-Stop:     $syslog $network
    6. 

  6. # Default-Start:     2 3 4 5
    7. 

  7. # Default-Stop:      0 1 6
    8. 

  8. # Short-Description: Start firewall daemon at boot time
    9. 

  9. # Description:       Custom Firewall scrip.
    10. 

  10. ### END INIT INFO
    11. 

  11.  
    12. 

  12. #
    13. 

  13. # Simple Firewall configuration.
    14. 

  14. #
    15. 

  15. # Original author : Nicolargo
    16. 

  16. #
    17. 

  17. # chkconfig: 2345 9 91
    18. 

  18. # description: Activates/Deactivates the firewall at boot time
    19. 

  19. #
    20. 

  20. 

  21. PATH=/bin:/sbin:/usr/bin:/usr/sbin
    22. 

  22. 

  23. # Services that the system will offer to the network
    24. 

  24. TCP_SERVICES="22" # SSH only
    25. 

  25. UDP_SERVICES=""
    26. 

  26. # Services the system will use from the network
    27. 

  27. REMOTE_TCP_SERVICES="80 443" # web browsing
    28. 

  28. REMOTE_UDP_SERVICES="53" # DNS
    29. 

  29. 

  30. # Network that will be used for remote mgmt
    31. 

  31. # (if undefined, no rules will be setup)
    32. 

  32. # NETWORK_MGMT=192.168.0.0/24
    33. 

  33. 

  34. # Port used for the SSH service, define this is you have setup a
    35. 

  35. # management network but remove it from TCP_SERVICES
    36. 

  36. SSH_PORT="22"
    37. 

  37. 

  38. CONFIGURATION_FILE=/etc/firewall/firewall.conf
    39. 

  39. if [ -f $CONFIGURATION_FILE ] ; then
    40. 

  40. 	. $CONFIGURATION_FILE
    41. 

  41. fi
    42. 

  42. 

  43. IP_TABLES="/sbin/iptables"
    44. 

  44.  
    45. 

  45. if ! [ -x $IP_TABLES ]; then
    46. 

  46. 	exit 0
    47. 

  47. fi
    48. 

  48.  
    49. 

  49. ##########################
    50. 

  50. # Start the Firewall rules
    51. 

  51. ##########################
    52. 

  52.  
    53. 

  53. fw_start () {
    54. 

  54. 	#**************************************************************************#
    55. 

  55. 	# Input traffic:
    56. 

  56. 	#**************************************************************************#
    57. 

  57. 	
    58. 

  58. 	### Keep existing connections
    59. 

  59. 	$IP_TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    60. 

  60. 	# Services
    61. 

  61. 	if [ -n "$TCP_SERVICES" ] ; then
    62. 

  62. 		for PORT in $TCP_SERVICES; do
    63. 

  63. 			$IP_TABLES -A INPUT -p tcp --dport ${PORT} -j ACCEPT
    64. 

  64. 		done
    65. 

  65. 	fi
    66. 

  66. 	if [ -n "$UDP_SERVICES" ] ; then
    67. 

  67. 		for PORT in $UDP_SERVICES; do
    68. 

  68. 			$IP_TABLES -A INPUT -p udp --dport ${PORT} -j ACCEPT
    69. 

  69. 		done
    70. 

  70. 	fi
    71. 

  71. 	# Remote management
    72. 

  72. 	if [ -n "$NETWORK_MGMT" ] ; then
    73. 

  73. 		$IP_TABLES -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
    74. 

  74. 	else
    75. 

  75. 		$IP_TABLES -A INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
    76. 

  76. 	fi
    77. 

  77. 	
    78. 

  78. 	#**************************************************************************#
    79. 

  79. 	# NGINX
    80. 

  80. 	#**************************************************************************#
    81. 

  81. 	$IP_TABLES -A INPUT -i lo -s localhost -d localhost -j ACCEPT
    82. 

  82. 	$IP_TABLES -A OUTPUT -o lo -s localhost -d localhost -j ACCEPT
    83. 

  83. 	$IP_TABLES -A INPUT  -p tcp --dport http -j ACCEPT
    84. 

  84.         $IP_TABLES -A INPUT  -p tcp --dport https -j ACCEPT
    85. 

  85. 	
    86. 

  86. 	
    87. 

  87. 	# Remote testing
    88. 

  88. 	### Allows PING 
    89. 

  89. 	$IP_TABLES -A INPUT -p icmp -j ACCEPT
    90. 

  90. 	### Allows LOOPBACK 
    91. 

  91. 	$IP_TABLES -A INPUT -i lo -j ACCEPT
    92. 

  92. 	
    93. 

  93. 	$IP_TABLES -P INPUT DROP
    94. 

  94. 	$IP_TABLES -A INPUT -j LOG
    95. 

  95. 	 
    96. 

  96. 	#**************************************************************************#
    97. 

  97. 	# Output:
    98. 

  98. 	#**************************************************************************#
    99. 

  99. 	### Allows LOOPBACK 
    100. 

  100. 	$IP_TABLES -A OUTPUT -j ACCEPT -o lo
    101. 

  101. 	
    102. 

  102. 	###  
    103. 

  103. 	$IP_TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    104. 

  104. 	
    105. 

  105. 	# ICMP is permitted:
    106. 

  106. 	### Allows ping: 
    107. 

  107. 	$IP_TABLES -A OUTPUT -p icmp -j ACCEPT
    108. 

  108. 	
    109. 

  109. 	# So are security package updates:
    110. 

  110. 	# Note: You can hardcode the IP address here to prevent DNS spoofing
    111. 

  111. 	# and to setup the rules even if DNS does not work but then you
    112. 

  112. 	# will not "see" IP changes for this service:
    113. 

  113. 	$IP_TABLES -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
    114. 

  114. 	$IP_TABLES -A OUTPUT -p tcp -d www.dokuwiki.org --dport 80 -j ACCEPT
    115. 

  115. 	
    116. 

  116. 	# As well as the services we have defined:
    117. 

  117. 	if [ -n "$REMOTE_TCP_SERVICES" ] ; then
    118. 

  118. 		for PORT in $REMOTE_TCP_SERVICES; do
    119. 

  119. 			$IP_TABLES -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
    120. 

  120. 		done
    121. 

  121. 	fi
    122. 

  122. 	if [ -n "$REMOTE_UDP_SERVICES" ] ; then
    123. 

  123. 		for PORT in $REMOTE_UDP_SERVICES; do
    124. 

  124. 			$IP_TABLES -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
    125. 

  125. 		done
    126. 

  126. 	fi
    127. 

  127. 	# All other connections are registered in syslog
    128. 

  128. 	$IP_TABLES -A OUTPUT -j LOG
    129. 

  129. 	$IP_TABLES -A OUTPUT -j REJECT
    130. 

  130. 	$IP_TABLES -P OUTPUT DROP
    131. 

  131. 	
    132. 

  132. 	$IP_TABLES -A FORWARD -j LOG
    133. 

  133. 		
    134. 

  134. 

  135. 

  136. 

  137. 	#**************************************************************************#
    138. 

  138. 	# DOS attack protection
    139. 

  139. 	#**************************************************************************#
    140. 

  140. 	# Voir http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
    141. 

  141. 	# 
    142. 

  142. 	$IP_TABLES -I INPUT -p tcp --dport 80 -i venet0 -m state --state NEW -m recent --set
    143. 

  143. 	$IP_TABLES -I INPUT -p tcp --dport 80 -i venet0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
    144. 

  144. 	$IP_TABLES -I INPUT -p tcp --dport 443 -i venet0 -m state --state NEW -m recent --set
    145. 

  145. 	$IP_TABLES -I INPUT -p tcp --dport 443 -i venet0 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
    146. 

  146. 

  147. 	#**************************************************************************#
    148. 

  148. 	# Other network protections
    149. 

  149. 	# (some will only work with some kernel versions)
    150. 

  150. 	#**************************************************************************#
    151. 

  151. 	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    152. 

  152. 	echo 0 > /proc/sys/net/ipv4/ip_forward
    153. 

  153. 	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    154. 

  154. 	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    155. 

  155. 	echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    156. 

  156. 	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    157. 

  157. 	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    158. 

  158. 	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    159. 

  159. 	 
    160. 

  160. 	iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT  
    161. 

  161. 	iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT  
    162. 

  162. }
    163. 

  163.  
    164. 

  164. ##########################
    165. 

  165. # Stop the Firewall rules
    166. 

  166. ##########################
    167. 

  167.  
    168. 

  168. fw_stop () {
    169. 

  169. 	$IP_TABLES -F
    170. 

  170. 	$IP_TABLES -t nat -F
    171. 

  171. 	$IP_TABLES -t mangle -F
    172. 

  172. 	$IP_TABLES -P INPUT DROP
    173. 

  173. 	$IP_TABLES -P FORWARD DROP
    174. 

  174. 	$IP_TABLES -P OUTPUT ACCEPT
    175. 

  175. }
    176. 

  176.  
    177. 

  177. ##########################
    178. 

  178. # Clear the Firewall rules
    179. 

  179. ##########################
    180. 

  180.  
    181. 

  181. fw_clear () {
    182. 

  182. 	$IP_TABLES -F
    183. 

  183. 	$IP_TABLES -t nat -F
    184. 

  184. 	$IP_TABLES -t mangle -F
    185. 

  185. 	$IP_TABLES -P INPUT ACCEPT
    186. 

  186. 	$IP_TABLES -P FORWARD ACCEPT
    187. 

  187. 	$IP_TABLES -P OUTPUT ACCEPT
    188. 

  188. }
    189. 

  189.  
    190. 

  190. ##########################
    191. 

  191. # Test the Firewall rules
    192. 

  192. ##########################
    193. 

  193.  
    194. 

  194. fw_save () {
    195. 

  195. 	$IP_TABLES-save > /etc/iptables.backup
    196. 

  196. }
    197. 

  197.  
    198. 

  198. fw_restore () {
    199. 

  199. 	if [ -e /etc/iptables.backup ]; then
    200. 

  200. 		$IP_TABLES-restore < /etc/iptables.backup
    201. 

  201. 	fi
    202. 

  202. }
    203. 

  203.  
    204. 

  204. fw_test () {
    205. 

  205. 	fw_save
    206. 

  206. 	sleep 30 && echo "Restore previous Firewall rules..." && fw_restore &
    207. 

  207. 	fw_stop
    208. 

  208. 	fw_start
    209. 

  209. }
    210. 

  210.  
    211. 

  211. case "$1" in
    212. 

  212. 	start|restart)
    213. 

  213. 		echo -n "Starting firewall.."
    214. 

  214. 		fw_stop
    215. 

  215. 		fw_start
    216. 

  216. 		echo "done."
    217. 

  217. 	;;
    218. 

  218. 	stop)
    219. 

  219. 		echo "###############################################################"
    220. 

  220. 		echo "I do not stop for now."
    221. 

  221. 		echo "Use 'clear' to remove all firewall blocking rules."
    222. 

  222. 		echo "Use 'dropall' to remove all firewall blocking rules."
    223. 

  223. 		echo "###############################################################"
    224. 

  224. 	;;
    225. 

  225. 	clear)
    226. 

  226. 		echo -n "Clearing firewall rules.."
    227. 

  227. 		fw_clear
    228. 

  228. 		echo "done."
    229. 

  229. 	;;
    230. 

  230. 	dropall)
    231. 

  231. 		echo -n "Droping all connections !!!"
    232. 

  232. 		fw_stop
    233. 

  233. 		echo "done."
    234. 

  234. 	;;
    235. 

  235. 	test)
    236. 

  236. 		echo -n "Test Firewall rules..."
    237. 

  237. 		fw_test
    238. 

  238. 		echo -n "Previous configuration will be restore in 30 seconds"
    239. 

  239. 	;;
    240. 

  240. 	*)
    241. 

  241. 		echo "Usage: $0 {start|dropall|stop|restart|clear|test}"
    242. 

  242. 		echo "###############################################################"
    243. 

  243. 		echo "# Be aware that 'stop' drop all incoming/outgoing traffic !!! #"
    244. 

  244. 		echo "###############################################################"
    245. 

  245. 		echo "Use clear option to allow all traffic."
    246. 

  246. 		exit 1
    247. 

  247. 	;;
    248. 

  248. esac
    249. 

  249. exit 0
    250.