Instantly share code, notes, and snippets.

@ajvpot /setup-firewall.sh Secret
Last active Jun 17, 2016

Embed
What would you like to do?
#!/bin/bash
IPTABLES=/usr/sbin/iptables
DEBUG_RULES_HOOK=/etc/default/debug-firewall-rules.txt
LOGGER() { logger -p local4.info -t "system: I firewall:setup:" $@; }
if [ ! -x $IPTABLES ]; then
echo "$IPTABLES... not found"
exit 1
fi
# Add default firewall settings here
default_firewall_setup () {
LOGGER "Setting up default firewall settings"
$IPTABLES --flush
# Default policy for all chains: DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Accept RELATED,ESTABLISHED connections on wlan0 (device initiated)
$IPTABLES -A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp -m state --state ESTABLISHED -j ACCEPT
# TPH traffic on wlan0. TPH/phd listens on port 40317
$IPTABLES -A INPUT -i wlan0 -p tcp -m tcp --dport 40317 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 40317 --sport 40317 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 40317 --sport 49317 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 40317 --sport 33434 -j ACCEPT
# UPnP:
# allow traffic on Dst Port 1900 which are UPnP advertisements and Bye Bye
# Allow traffic on Dst Port 50000; these pkts are SSDP search results
# SSDP search queries are sent with Src Port 50000
$IPTABLES -A INPUT -i wlan0 -p udp --dport 1900 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 50000 -j ACCEPT
# ICMP. Allow only responses to local connections
$IPTABLES -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Add rules for internal debugging use
[ -f $DEBUG_RULES_HOOK ] && . $DEBUG_RULES_HOOK
# Allow all outgoing traffic on wlan0
$IPTABLES -A OUTPUT -o wlan0 -j ACCEPT
# Accept all on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
}
# Firewall settings for P2P interface
# @param $1 P2P Interface name
# @param $2 OOBE Server IP address
p2p_firewall_start () {
if [ $# -lt 2 ]; then
LOGGER "Invalid argument on start p2p firewall"
exit 1
fi
P2PIF=$1
OOBEIP=$2
LOGGER "Setting up P2P firewall settings on $1"
# Setup ip tables to reject all non-essential traffic
# Redirect all DNS traffic to ourselves. This is necessary when the client device
# has a static DNS address configured
$IPTABLES -t nat -A PREROUTING -i "$P2PIF" -p udp --dport 53 -j DNAT --to ${OOBEIP}
# ACCEPT all DNS traffic
$IPTABLES -A INPUT -i "$P2PIF" -p udp --dport 53 -j ACCEPT
# ACCEPT all DHCP traffic
$IPTABLES -A INPUT -i "$P2PIF" -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# ACCEPT all incoming OOBE webserver traffic
$IPTABLES -A INPUT -i "$P2PIF" -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT -i "$P2PIF" -p tcp --dport 443 -j ACCEPT
# Allow all outgoing traffic
$IPTABLES -A OUTPUT -o "$P2PIF" -j ACCEPT
}
...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment