Setup Firehol firewall
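#!/usr/bin/env bash
# Install and configure a FireHOL firewall plus fail2ban on a Debian/Ubuntu
# host.
#
# Steps:
#   1. install iptables, ipset, iprange, fail2ban and firehol;
#   2. point fail2ban at its ipset-based ban action;
#   3. make firehol invoke iptables with -w (wait for the xtables lock);
#   4. write /etc/firehol/firehol.conf - default-deny (policy drop) on the
#      internet-facing interface with an explicit list of accepted services,
#      for IPv4 and IPv6;
#   5. run `firehol try`, which activates the ruleset and reverts it unless
#      "commit" is typed at the prompt.
#
# Every step needs root; sudo is used per command.  The script can be re-run:
# the append-only edits are skipped when their line is already present.
set -euo pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Install the firewall / ban tooling.
# -qq keeps apt quiet; stderr is left visible so a failed install is not
# silently ignored (the old `&>/dev/null` hid it and the script carried on).
#######################################
install_packages() {
  sudo apt-get -qq -y install iptables ipset iprange fail2ban firehol >/dev/null \
    || die "package installation failed"
}

#######################################
# Make fail2ban ban via an ipset (one set, not one iptables rule per IP).
# The [DEFAULT] section is appended as a unit, as before, but only once.
# Globals: writes /etc/fail2ban/jail.local
#######################################
configure_fail2ban() {
  local -r jail=/etc/fail2ban/jail.local
  # grep exits non-zero both when the line is missing and when the file does
  # not exist yet (stderr silenced for the latter); either way we append.
  if ! sudo grep -qF -- 'banaction = iptables-ipset-proto6-allports' "$jail" 2>/dev/null; then
    sudo tee -a -- "$jail" >/dev/null <<'__EOF'
[DEFAULT]
banaction = iptables-ipset-proto6-allports
__EOF
  fi
}

#######################################
# Have firehol call iptables with -w, so it waits for the xtables lock rather
# than failing when another iptables process (e.g. fail2ban) holds it.
# Globals: writes /etc/firehol/firehol-defaults.conf
#######################################
configure_firehol_defaults() {
  local -r defaults=/etc/firehol/firehol-defaults.conf
  local -r line='IPTABLES_CMD="/sbin/iptables -w"'
  if ! sudo grep -qxF -- "$line" "$defaults" 2>/dev/null; then
    printf '%s\n' "$line" | sudo tee -a -- "$defaults" >/dev/null
  fi
}

#######################################
# Write the firewall policy.  The here-doc delimiter is quoted on purpose: the
# file is copied verbatim, so the ${x}, ${x^^} and ${wan} references in the
# commented blocklist template (and the trailing backslashes) reach firehol
# intact instead of being expanded to nothing by this shell.
# Globals: overwrites /etc/firehol/firehol.conf
#######################################
write_firehol_conf() {
  sudo tee /etc/firehol/firehol.conf >/dev/null <<'__EOF'
version 6
# the internet-facing interface - the one value most hosts need to change
wan="enp0s3"
# # https://github.com/firehol/blocklist-ipsets/blob/master/README.md#adding-the-ipsets-in-your-fireholconf
# # our wan interface
# wan="dsl0"
# # our whitelist
# ipset4 create whitelist hash:net
# ipset4 add whitelist A.B.C.D/E # A.B.C.D/E is whitelisted
# # subnets - netsets
# for x in fullbogons dshield spamhaus_drop spamhaus_edrop
# do
# ipset4 create ${x} hash:net
# ipset4 addfile ${x} ipsets/${x}.netset
# blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
# except src ipset:whitelist
# done
# # individual IPs - ipsets
# for x in feodo palevo sslbl zeus openbl blocklist_de
# do
# ipset4 create ${x} hash:ip
# ipset4 addfile ${x} ipsets/${x}.ipset
# blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
# except src ipset:whitelist
# done

# IPv4: drop everything not listed; only these services are reachable.
interface4 "${wan}" internet
  policy drop
  protection strong
  server ssh accept
  server http accept
  server https accept
  server imap accept
  server imaps accept
  server smtp accept
  server smtps accept
  server submission accept
  # NOTE(review): "ICMP drop" precedes "ping accept"; check with
  # `firehol explain` that echo requests are still accepted in this order.
  server ICMP drop
  server ping accept
  client all accept

# IPv6: web only; no ssh or mail over v6.
interface6 "${wan}" internet
  policy drop
  protection strong
  server http accept
  server https accept
  # NOTE(review): dropping all ICMPv6 can break neighbour discovery and
  # path-MTU discovery; confirm firehol still passes the ICMPv6 types it
  # needs, or mirror the IPv4 ping rule here.
  server ICMP drop
  server ping drop
  client all accept

# all docker rules here below
# router docker inface outface

# fail2ban's ipset rules live outside firehol's tables; reload it after every
# ruleset activation so bans are re-inserted.
postprocess -warn /usr/bin/fail2ban-client reload || return 1
__EOF
}

main() {
  install_packages
  configure_fail2ban
  configure_firehol_defaults
  write_firehol_conf
  # `firehol explain` is a useful dry run.  `try` activates the new ruleset
  # and reverts it unless "commit" is typed at the prompt within its timeout,
  # so a rule that locks you out undoes itself.
  # sudo firehol explain
  sudo firehol try
}

main "$@"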