Setup Firehol firewall
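#!/usr/bin/env bash
# Install FireHOL + fail2ban on a single-NIC Debian/Ubuntu host and activate a
# default-drop ruleset on enp0s3.
#
# Writes:  /etc/fail2ban/jail.local          (ban via ipset, appended once)
#          /etc/firehol/firehol-defaults.conf (iptables -w, appended)
#          /etc/firehol/firehol.conf          (overwritten)
# Needs:   sudo; network access for apt-get.
# Note:    `firehol try` activates the ruleset and rolls it back unless
#          "commit" is typed at the prompt, so a mistake cannot lock you out.
set -euo pipefail

# Abort if the packages are missing; the original `&>/dev/null` hid apt-get
# failures and the config below was then written for tools not installed.
sudo apt-get -qq -y install iptables ipset iprange fail2ban firehol >/dev/null \
  || { printf 'apt-get install failed\n' >&2; exit 1; }

# fail2ban: ban through an ipset instead of one iptables rule per address.
# Guarded so re-running the script does not duplicate the [DEFAULT] section.
if ! sudo grep -qs 'banaction = iptables-ipset-proto6-allports' /etc/fail2ban/jail.local; then
  sudo tee -a /etc/fail2ban/jail.local >/dev/null <<'__EOF'
[DEFAULT]
banaction = iptables-ipset-proto6-allports
__EOF
fi

# `-w` makes iptables wait for the xtables lock instead of failing when
# fail2ban and firehol touch the tables at the same time.
if ! sudo grep -qs 'IPTABLES_CMD=' /etc/firehol/firehol-defaults.conf; then
  sudo tee -a /etc/firehol/firehol-defaults.conf >/dev/null <<'__EOF'
IPTABLES_CMD="/sbin/iptables -w"
__EOF
fi

# The delimiter is quoted so the shell does NOT expand ${x}, ${wan} and ${x^^}
# in the commented blocklist template below; with an unquoted heredoc those
# were expanded (to empty, or an unbound-variable error) before reaching the
# file, leaving a template that could not be uncommented as-is.
sudo tee /etc/firehol/firehol.conf >/dev/null <<'__EOF'
version 6
# # https://github.com/firehol/blocklist-ipsets/blob/master/README.md#adding-the-ipsets-in-your-fireholconf
# # our wan interface
# wan="dsl0"
# # our whitelist
# ipset4 create whitelist hash:net
# ipset4 add whitelist A.B.C.D/E # A.B.C.D/E is whitelisted
# # subnets - netsets
# for x in fullbogons dshield spamhaus_drop spamhaus_edrop
# do
# ipset4 create ${x} hash:net
# ipset4 addfile ${x} ipsets/${x}.netset
# blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
# except src ipset:whitelist
# done
# # individual IPs - ipsets
# for x in feodo palevo sslbl zeus openbl blocklist_de
# do
# ipset4 create ${x} hash:ip
# ipset4 addfile ${x} ipsets/${x}.ipset
# blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
# except src ipset:whitelist
# done
interface4 "enp0s3" internet
policy drop
protection strong
server ssh accept
server http accept
server https accept
server imap accept
server imaps accept
server smtp accept
server smtps accept
server submission accept
server ICMP drop
server ping accept
client all accept
interface6 "enp0s3" internet
policy drop
protection strong
server http accept
server https accept
server ICMP drop
server ping drop
client all accept
# all docker rules here below
# router docker inface outface
postprocess -warn /usr/bin/fail2ban-client reload || return 1
__EOF

# sudo firehol explain   # dump the generated iptables rules without applying them
# Interactive: the new ruleset is reverted unless "commit" is typed at the prompt.
sudo firehol try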