Lock down ufw firewall

secure_ufw.sh

#!/bin/bash
set -uo pipefail

# ufw_allow_out PROTOCOL [INTERFACE]
#
# Allows outbound traffic using ufw to the given PROTOCOL on INTERFACE (optional, any by default).
#
#   PROTOCOL  - the network protocol to allow out, supported: dns, ftp, ftps, ntp, nts, ssh, web
#   INTERFACE - the interface to allow traffic out on, default: any
#
# Examples
#   ufw_allow_out web           Allow web traffic out on any interface
#   ufw_allow_out dns eno1      Allow dns traffic out on the eno1 interface
ufw_allow_out() {
  # Get the traffic type we want to allow out, or none if unspecified
  local -r traffic_type="${1:-none}"
  # Get the interface to allow traffic out on, or set to any if unspecified
  local -r interface="${2:-any}"

  print_msg() {
    echo -e "Allowing ${traffic_type} traffic out on ${interface} interface"
  }

  # Handle errors
  # Source: https://stackoverflow.com/a/185900
  handle_error() {
    local -r parent_lineno="$1"
    local -r message="$2"
    local -r code="${3:-1}"
    if [[ -n "$message" ]] ; then
      echo -e "error --- line: ${parent_lineno} --- exit code: ${code} --- message: ${message}"
    else
      echo -e "error --- line: ${parent_lineno} --- exit code: ${code} --- message: no message given"
    fi
    exit "${code}"
  }

  trap 'handle_error ${LINENO}' ERR

  case $traffic_type in
    # Allow dns
    dns)
      print_msg
      ufw allow out on "${interface}" to any port 53 comment "ALLOW (-->) dns"
      ;;
    # Allow unencrypted ftp
    ftp)
      print_msg
      ufw allow out on "${interface}" to any port 21 proto tcp comment "ALLOW (-->) ftp"
      ufw allow out on "${interface}" to any port 20 proto tcp comment "ALLOW (-->) ftp-data"
      ;;
    # Allow encrypted ftp
    ftps)
      print_msg
      ufw allow out on "${interface}" to any port 990 proto tcp comment "ALLOW (-->) ftps"
      ufw allow out on "${interface}" to any port 989 proto tcp comment "ALLOW (-->) ftps-data"
      ;;
    # Allow network time protocol (NTP)
    ntp)
      print_msg
      ufw allow out on "${interface}" to any port 123 proto udp comment "ALLOW (-->) ntp"
      ;;
    # Allow secure NTP
    nts)
      print_msg
      ufw allow out on "${interface}" to any port 4460 proto tcp comment "ALLOW (-->) nts"
      ;;
    # Allow ssh
    ssh)
      print_msg
      ufw allow out on "${interface}" to any port 22 proto tcp comment "ALLOW (-->) ssh"
      ;;
    # Allow web traffic
    web)
      print_msg
      ufw allow out on "${interface}" to any port 80 comment "ALLOW (-->) http"
      ufw allow out on "${interface}" to any port 443 comment "ALLOW (-->) https"
      ;;
    # Nothing given as input, throw an error
    none)
      handle_error "${LINENO}" "You must specify traffic type to allow out e.g. \"${FUNCNAME[0]} web\""
      ;;
    # Invalid input given, throw an error
    *)
      handle_error "${LINENO}" "Invalid protocol given to ${FUNCNAME[0]}."
      ;;
  esac
}


# Enable ufw and set to log blocked connections
ufw_enable() {
  ufw enable
  ufw logging low
}

# Deny incoming and outgoing traffic by default
ufw_deny_by_default() {
  ufw default deny incoming
  ufw default deny outgoing
}


ufw_enable
ufw_deny_by_default

ufw_allow_out

ufw_allow_out dns enp1s0
ufw_allow_out ftp enp1s0
#ufw_allow_out ftps enp1s0
ufw_allow_out ntp enp1s0
#ufw_allow_out nts enp1s0
ufw_allow_out ssh enp1s0
ufw_allow_out web enp1s0