@bensoer
Last active October 3, 2016 01:11
A template firewall for configuring an Apache Traffic Server
#! /bin/bash
# README ---
# Below is a script for configuring the firewall of a server hosting Apache Traffic Server in reverse proxy mode. Note this has only
# been set up as a basic template and may be missing other features desired for your configuration.
# PREREQUISITES
# - It is recommended that your Apache Traffic Server already be configured. This will make any adjustments needed in
# the script obvious.
# SETUP
# Simply change the variables within the 'User Configuration' section so that they match your network and traffic server configuration.
# Then in a terminal type: sudo ./apachetrafficserverfirewall.sh. Output will display as the various steps are executed. The script will
# terminate once the firewall settings have been applied.
# DISCLAIMER
# This script is a demo / experiment and not recommended for industry / professional use. The following may contain
# bugs or errors unknown to me (comment them and I will update!). USE AT YOUR OWN DISCRETION.
# END OF README ---
# -- USER CONFIGURATION --
echo "Defining User Variables"
IPTABLES="/sbin/iptables"
# -- names of the NICs for the loopback, the interface receiving client requests, and the interface used to reach the
# -- origin servers (INETWORK is defined here but not referenced by any rule below)
ILOOPBACK="lo"
IINTERNET="eth0"
INETWORK="eth0"
# -- ip address of the apache traffic server
IPADDR="192.168.0.1"
# -- IP address of the DHCP server. This must match the one configured in OpenVPN, otherwise clients may not be able to resolve IP addresses
DHCP_SERVER="192.168.0.1"
HTTP_PORTS="80,443"
echo "User Variables Defined"
# -- END OF USER CONFIGURATION --
# -- FIREWALL RULES - DO NOT TOUCH --
# -- defined but not used by any rule below: the script adds no SSH rule, so an SSH session is cut off once INPUT defaults to DROP
SSH_PORTS="1020:65535"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIV_PORTS="0:1023"
UNPRIV_PORTS="1024:65535"
# -- END OF FIREWALL RULES --
# - Flush all rules in the filter, nat and mangle tables and delete any user-defined chains
echo "Clearing Existing Firewall"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
echo "Clearing Complete"
# - Set Defaults
echo "Setting Default"
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP
echo "Defaults Have Been Set"
# -- Allow Loopback as a precaution
echo "Applying Loopback Policy"
$IPTABLES -A INPUT -i $ILOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -o $ILOOPBACK -j ACCEPT
echo "Loopback Policy Applied"
# -- Enable DNS
echo "Enabling DNS Functionality"
$IPTABLES -A OUTPUT -o $IINTERNET -p udp -s $IPADDR --sport $UNPRIV_PORTS --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $IINTERNET -p udp -d $IPADDR --sport 53 --dport $UNPRIV_PORTS -j ACCEPT
# -- DNS over TCP, used when a UDP response is truncated
$IPTABLES -A OUTPUT -o $IINTERNET -p tcp -s $IPADDR --sport $UNPRIV_PORTS --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $IINTERNET -p tcp -d $IPADDR --sport 53 --dport $UNPRIV_PORTS -j ACCEPT
echo "Enabled DNS Functionality"
# -- Enable DHCP
echo "Enabling DHCP Functionality"
# -- Initialization or rebinding
$IPTABLES -A OUTPUT -o $IINTERNET -p udp -s $BROADCAST_SRC -d $BROADCAST_DEST --sport 68 --dport 67 -j ACCEPT
# -- Incoming DHCP offer from other DHCP servers
$IPTABLES -A INPUT -i $IINTERNET -p udp -s $BROADCAST_SRC -d $BROADCAST_DEST --sport 67 --dport 68 -j ACCEPT
# -- Rules for lost lease or reboot for client
$IPTABLES -A OUTPUT -o $IINTERNET -p udp -s $BROADCAST_SRC -d $DHCP_SERVER --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $IINTERNET -p udp -s $DHCP_SERVER -d $BROADCAST_DEST --sport 67 --dport 68 -j ACCEPT
# -- Variances in DHCP Response
$IPTABLES -A INPUT -i $IINTERNET -p udp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT
# -- -- Lease Renewal
$IPTABLES -A OUTPUT -o $IINTERNET -p udp -s $IPADDR -d $DHCP_SERVER --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $IINTERNET -p udp -s $DHCP_SERVER -d $IPADDR --sport 67 --dport 68 -j ACCEPT
echo "Enabled DHCP Functionality"
echo "Enabling HTTP/HTTPS Incoming Connections"
# -- clients on unprivileged source ports reaching the proxy on 80/443, and the proxy's replies back to them
$IPTABLES -A INPUT -i $IINTERNET -p tcp -d $IPADDR --sport $UNPRIV_PORTS -m multiport --dports $HTTP_PORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $IINTERNET -p tcp -s $IPADDR -m multiport --sports $HTTP_PORTS --dport $UNPRIV_PORTS -j ACCEPT
echo "Enabled HTTP/HTTPS Incoming Connections"
echo "Enabling HTTP/HTTPS Outgoing Connections"
# -- proxy to origin servers. NOTE: these rules are stateless and match any privileged port (0:1023), not only 80/443;
# -- the INPUT rule accepts any packet with a privileged source port destined for an unprivileged port on the proxy
$IPTABLES -A OUTPUT -o $IINTERNET -p tcp -s $IPADDR --sport $UNPRIV_PORTS --dport $PRIV_PORTS -j ACCEPT
$IPTABLES -A INPUT -i $IINTERNET -p tcp -d $IPADDR --sport $PRIV_PORTS --dport $UNPRIV_PORTS -j ACCEPT
echo "Enabled HTTP/HTTPS Outgoing Connections"
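The two HTTP/HTTPS sections above open fixed port pairs with no connection tracking, so any packet arriving with a privileged source port is accepted. As an added example, not part of the gist, here is a stateful version of those rules plus the SSH allowance the script lacks, written with the gist's variable names; ADMIN_NET and SSH_PORT are assumed placeholders, and the functions are meant to be appended after the flush and default-policy steps.

```shell
#!/bin/bash
# Added example (not part of the gist): stateful versions of the web rules.
# Variable names follow the gist; ADMIN_NET and SSH_PORT are assumed placeholders.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IINTERNET="${IINTERNET:-eth0}"
IPADDR="${IPADDR:-192.168.0.1}"
HTTP_PORTS="${HTTP_PORTS:-80,443}"
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"   # assumption: where admin SSH sessions originate
SSH_PORT="${SSH_PORT:-22}"                  # assumption: sshd listens on 22

# Reply traffic for every accepted flow rides on conntrack state, so no rule
# below needs to open a wide port range; packets matching no known flow
# (e.g. a stray segment with source port 80) are dropped as INVALID.
add_state_rules() {
    $IPTABLES -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT  -m conntrack --ctstate INVALID -j DROP
}

# Keeps the SSH session that runs the script alive once INPUT defaults to DROP.
add_ssh_rule() {
    $IPTABLES -A INPUT -i "$IINTERNET" -p tcp -s "$ADMIN_NET" -d "$IPADDR" \
        --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Reverse proxy: clients may open NEW connections to 80/443 on the proxy, and
# the proxy may open NEW connections to origin servers on 80/443 only.
add_proxy_rules() {
    $IPTABLES -A INPUT -i "$IINTERNET" -p tcp -d "$IPADDR" \
        -m multiport --dports "$HTTP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IINTERNET" -p tcp -s "$IPADDR" \
        -m multiport --dports "$HTTP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
}

# Dry-run helpers: substitute echo for iptables so the rules can be inspected
# without root, and count the rules a function would append.
preview() { ( IPTABLES=echo; add_state_rules; add_ssh_rule; add_proxy_rules ); }
count_rules() { ( IPTABLES=echo; "$1" ) | grep -c -- '-A '; }

preview
```

Running the file prints the rule set; to apply it, source the file as root and call add_state_rules, add_ssh_rule and add_proxy_rules in that order.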