Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
#!/bin/bash
#do not use stop with Docker!
#simple firewall. allows all technicall stuff, plus defaults open ssh and outgoing http&https
#support for opening port or allowing specific ip total access.
#configure /etc/simplefw/simplefw.cfg like
#ALLOW 8080
#HOST 192.0.2.23
#HOST6 2001:DB8:4860:3242
case "$1" in
start)
if [ ! -f /etc/simplefw/simplefw.cfg ]; then
echo "/etc/simplefw/simplefw.cfg found!"
exit 1
fi
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 123 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
ip6tables -A INPUT -p udp -m udp --sport 123 -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
while read i
do
if [[ $i == ALLOWU* ]]
then
port=${i/ALLOWU /}
echo enabling $port
iptables -A INPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
fi
if [[ $i == "ALLOW "* ]]
then
port=${i/ALLOW /}
echo enabling $port
iptables -A INPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
fi
if [[ $i == "HOST "* ]]
then
host=${i/HOST /}
echo enabling $host
iptables -A INPUT -s $host -j ACCEPT
iptables -A OUTPUT -d $host -j ACCEPT
ip6tables -A INPUT -s ::FFFF:$host -j ACCEPT
ip6tables -A OUTPUT -d ::FFFF:$host -j ACCEPT
fi
if [[ $i == HOST6* ]]
then
host=${i/HOST6 /}
ip6tables -A INPUT -s $host -j ACCEPT
ip6tables -A OUTPUT -d $host -j ACCEPT
fi
done </etc/simplefw/simplefw.cfg
;;
stop)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -F
ip6tables -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -t raw -F
ip6tables -t raw -X
;;
status)
iptables -L
ip6tables -L
;;
*)
echo "Usage: $0 {start|stop|status}\nIf you have docker installed, do not use stop and do not put this in the init.d stop section"
exit 1
;;
esac
exit 0
## Permission is hereby granted, free of charge, to any person obtaining
## a copy of this software and associated documentation files (the
## "Software"), to deal in the Software without restriction, including
## without limitation the rights to use, copy, modify, merge, publish,
## distribute, sublicense, and/or sell copies of the Software, and to
## permit persons to whom the Software is furnished to do so, subject to
## the following conditions:
##
## The above copyright notice and this permission notice shall be
## included in all copies or substantial portions of the Software.
##
## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
## EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
## MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
## NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
## LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
## OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
## WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment