LorenzoBoccaccia/simplefw.sh

## simplefw.sh
#!/bin/bash

#do not use stop with Docker!

#simple firewall. allows all technicall stuff, plus defaults open ssh and outgoing http&https
#support for opening port or allowing specific ip total access.
#configure /etc/simplefw/simplefw.cfg like
#ALLOW 8080
#HOST 192.0.2.23
#HOST6 2001:DB8:4860:3242


case "$1" in
    start)
		if [ ! -f  /etc/simplefw/simplefw.cfg ]; then
			echo "/etc/simplefw/simplefw.cfg found!"
			exit 1
		fi
		iptables -F

		iptables -P INPUT DROP
		iptables -P OUTPUT DROP
		iptables -P FORWARD DROP

		iptables -A OUTPUT -o lo -j ACCEPT
		iptables -A INPUT -i lo -j ACCEPT

		iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
		iptables -A OUTPUT -s 127.0.0.0/8 -j ACCEPT
                iptables -A INPUT -d 127.0.0.0/8 -j ACCEPT
                iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT


		iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
		iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


		iptables -A INPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
		iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
		iptables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
		iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT


		iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
		iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
		iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
		iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT


		iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
		iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
		iptables -A INPUT -p udp -m udp --sport 123 -j ACCEPT
		iptables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT

		ip6tables -P INPUT DROP
		ip6tables -P OUTPUT DROP
		ip6tables -P FORWARD DROP

		ip6tables -A OUTPUT -o lo -j ACCEPT
		ip6tables -A INPUT -i lo -j ACCEPT

		ip6tables -A INPUT -s ::1 -j ACCEPT

		ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
		ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


		ip6tables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
		ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
		ip6tables -A INPUT -p udp -m udp --sport 123 -j ACCEPT
		ip6tables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT


		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 1   -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 2   -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 3   -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 4   -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
		ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
		ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
		ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
		ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
		ip6tables -A INPUT              -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
		ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
		ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
		ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT

		ip6tables  -A INPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
		ip6tables  -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
		ip6tables  -A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
		ip6tables  -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT


		while read i
			do
			if [[ $i == ALLOWU* ]]
			then
				port=${i/ALLOWU /}
 				echo enabling $port
				iptables -A INPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				iptables -A INPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				iptables -A OUTPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				iptables -A OUTPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT

				ip6tables  -A INPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				ip6tables  -A INPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				ip6tables  -A OUTPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				ip6tables  -A OUTPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT

			fi
			if [[ $i == "ALLOW "* ]]
			then
				port=${i/ALLOW /}
                                echo enabling $port

				iptables -A INPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				iptables -A INPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				iptables -A OUTPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				iptables -A OUTPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT

				ip6tables  -A INPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				ip6tables  -A INPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				ip6tables  -A OUTPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
				ip6tables  -A OUTPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT

			fi
			if [[ $i == "HOST "* ]]
			then
				host=${i/HOST /}
				echo enabling $host
				iptables -A INPUT -s $host -j ACCEPT
				iptables -A OUTPUT -d $host  -j ACCEPT
				ip6tables -A INPUT -s ::FFFF:$host  -j ACCEPT
				ip6tables -A OUTPUT -d ::FFFF:$host  -j ACCEPT

			fi

			if [[ $i == HOST6* ]]
			then
			   host=${i/HOST6 /}

				ip6tables -A INPUT -s $host  -j ACCEPT
				ip6tables -A OUTPUT -d $host  -j ACCEPT
			fi


		done </etc/simplefw/simplefw.cfg

    ;;
    stop)
		iptables -P INPUT ACCEPT
		iptables -P FORWARD ACCEPT
		iptables -P OUTPUT ACCEPT
		iptables -F
		iptables -X
		iptables -t nat -F
		iptables -t nat -X
		iptables -t mangle -F
		iptables -t mangle -X
		iptables -t raw -F
		iptables -t raw -X

		ip6tables -P INPUT ACCEPT
		ip6tables -P FORWARD ACCEPT
		ip6tables -P OUTPUT ACCEPT
		ip6tables -F
		ip6tables -X
		ip6tables -t nat -F
		ip6tables -t nat -X
		ip6tables -t mangle -F
		ip6tables -t mangle -X
		ip6tables -t raw -F
		ip6tables -t raw -X
    ;;
	status)
		iptables -L
		ip6tables -L
	;;
    *)
    echo "Usage: $0 {start|stop|status}\nIf you have docker installed, do not use stop and do not put this in the init.d stop section"
    exit 1
    ;;
esac

exit 0


## Permission is hereby granted, free of charge, to any person obtaining
## a copy of this software and associated documentation files (the
## "Software"), to deal in the Software without restriction, including
## without limitation the rights to use, copy, modify, merge, publish,
## distribute, sublicense, and/or sell copies of the Software, and to
## permit persons to whom the Software is furnished to do so, subject to
## the following conditions:
##
## The above copyright notice and this permission notice shall be
## included in all copies or substantial portions of the Software.
##
## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
## EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
## MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
## NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
## LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
## OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
## WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
	#!/bin/bash

	#do not use stop with Docker!

	#simple firewall. allows all technicall stuff, plus defaults open ssh and outgoing http&https
	#support for opening port or allowing specific ip total access.
	#configure /etc/simplefw/simplefw.cfg like
	#ALLOW 8080
	#HOST 192.0.2.23
	#HOST6 2001:DB8:4860:3242


	case "$1" in
	start)
	if [ ! -f /etc/simplefw/simplefw.cfg ]; then
	echo "/etc/simplefw/simplefw.cfg found!"
	exit 1
	fi
	iptables -F

	iptables -P INPUT DROP
	iptables -P OUTPUT DROP
	iptables -P FORWARD DROP

	iptables -A OUTPUT -o lo -j ACCEPT
	iptables -A INPUT -i lo -j ACCEPT

	iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
	iptables -A OUTPUT -s 127.0.0.0/8 -j ACCEPT
	iptables -A INPUT -d 127.0.0.0/8 -j ACCEPT
	iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT



	iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
	iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


	iptables -A INPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT



	iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
	iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
	iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
	iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT


	iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
	iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
	iptables -A INPUT -p udp -m udp --sport 123 -j ACCEPT
	iptables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT

	ip6tables -P INPUT DROP
	ip6tables -P OUTPUT DROP
	ip6tables -P FORWARD DROP

	ip6tables -A OUTPUT -o lo -j ACCEPT
	ip6tables -A INPUT -i lo -j ACCEPT

	ip6tables -A INPUT -s ::1 -j ACCEPT

	ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
	ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


	ip6tables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
	ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
	ip6tables -A INPUT -p udp -m udp --sport 123 -j ACCEPT
	ip6tables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT


	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
	ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
	ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
	ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
	ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
	ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
	ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
	ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
	ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT

	ip6tables -A INPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT


	while read i
	do
	if [[ $i == ALLOWU* ]]
	then
	port=${i/ALLOWU /}
	echo enabling $port
	iptables -A INPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT

	ip6tables -A INPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A INPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A OUTPUT -p udp -m udp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A OUTPUT -p udp -m udp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT

	fi
	if [[ $i == "ALLOW "* ]]
	then
	port=${i/ALLOW /}
	echo enabling $port

	iptables -A INPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT

	ip6tables -A INPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A INPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A OUTPUT -p tcp -m tcp --sport $port -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A OUTPUT -p tcp -m tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT

	fi
	if [[ $i == "HOST "* ]]
	then
	host=${i/HOST /}
	echo enabling $host
	iptables -A INPUT -s $host -j ACCEPT
	iptables -A OUTPUT -d $host -j ACCEPT
	ip6tables -A INPUT -s ::FFFF:$host -j ACCEPT
	ip6tables -A OUTPUT -d ::FFFF:$host -j ACCEPT

	fi

	if [[ $i == HOST6* ]]
	then
	host=${i/HOST6 /}

	ip6tables -A INPUT -s $host -j ACCEPT
	ip6tables -A OUTPUT -d $host -j ACCEPT
	fi


	done </etc/simplefw/simplefw.cfg

	;;
	stop)
	iptables -P INPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -P OUTPUT ACCEPT
	iptables -F
	iptables -X
	iptables -t nat -F
	iptables -t nat -X
	iptables -t mangle -F
	iptables -t mangle -X
	iptables -t raw -F
	iptables -t raw -X

	ip6tables -P INPUT ACCEPT
	ip6tables -P FORWARD ACCEPT
	ip6tables -P OUTPUT ACCEPT
	ip6tables -F
	ip6tables -X
	ip6tables -t nat -F
	ip6tables -t nat -X
	ip6tables -t mangle -F
	ip6tables -t mangle -X
	ip6tables -t raw -F
	ip6tables -t raw -X
	;;
	status)
	iptables -L
	ip6tables -L
	;;
	*)
	echo "Usage: $0 {start\|stop\|status}\nIf you have docker installed, do not use stop and do not put this in the init.d stop section"
	exit 1
	;;
	esac

	exit 0




	## Permission is hereby granted, free of charge, to any person obtaining
	## a copy of this software and associated documentation files (the
	## "Software"), to deal in the Software without restriction, including
	## without limitation the rights to use, copy, modify, merge, publish,
	## distribute, sublicense, and/or sell copies of the Software, and to
	## permit persons to whom the Software is furnished to do so, subject to
	## the following conditions:
	##
	## The above copyright notice and this permission notice shall be
	## included in all copies or substantial portions of the Software.
	##
	## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
	## EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
	## MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
	## NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
	## LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
	## OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
	## WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.