Lock down ufw firewall
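#!/bin/bash
# Lock down ufw: deny everything by default, then allow only a short list of
# outbound services on one interface. ufw needs root, so run this as root.
#
# Shell options:
#   -e        abort on the first failing command — a half-applied firewall
#             policy that continues silently is worse than a loud stop
#   -E        let the ERR trap installed in ufw_allow_out fire inside shell
#             functions too (bash does not inherit ERR traps without it)
#   -u        treat expansion of an unset variable as an error (typo guard)
#   pipefail  a pipeline fails if any stage fails, not just the last one
set -Eeuo pipefail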
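# ufw_allow_out PROTOCOL [INTERFACE]
#
# Adds "ufw allow out" rules for the given PROTOCOL on INTERFACE (optional, any
# by default). Every rule carries a comment so it is recognizable in `ufw status`.
#
# PROTOCOL  - the traffic to allow out, supported: dns, ftp, ftps, ntp, nts, ssh, web
# INTERFACE - the interface to allow traffic out on, default: any
#
# Errors — a missing or unknown PROTOCOL, or any failing command caught by the
# ERR trap installed below — are reported on stderr and terminate the script via
# `exit`. Do not source this file into an interactive shell for that reason.
#
# Examples
#   ufw_allow_out web          Allow web traffic out on any interface
#   ufw_allow_out dns eno1     Allow dns traffic out on the eno1 interface
ufw_allow_out() {
  # Traffic type to allow out, "none" when unspecified (rejected below)
  local -r traffic_type="${1:-none}"
  # Interface to allow traffic out on, "any" when unspecified
  local -r interface="${2:-any}"

  # handle_error LINENO [MESSAGE] [CODE]
  # Reports an error on stderr and exits the script with CODE (default 1).
  # MESSAGE defaults to "no message given": the ERR trap may invoke this with a
  # single argument, and under `set -u` a bare "$2" would abort the handler
  # itself with "unbound variable" before anything useful is printed.
  # Source: https://stackoverflow.com/a/185900
  handle_error() {
    local -r parent_lineno="$1"
    local -r message="${2:-no message given}"
    local -r code="${3:-1}"
    printf 'error --- line: %s --- exit code: %s --- message: %s\n' \
      "${parent_lineno}" "${code}" "${message}" >&2
    exit "${code}"
  }
  # Any failing command from here on (ufw refusing a rule, not running as root,
  # ...) reports the command and its status instead of being ignored. LINENO,
  # BASH_COMMAND and $? are expanded when the trap fires, hence the single quotes.
  trap 'handle_error "${LINENO}" "command failed: ${BASH_COMMAND}" "$?"' ERR

  # Printed once per successful branch. printf rather than `echo -e`, so that
  # backslash sequences in the interface name are not interpreted.
  local -r banner="Allowing ${traffic_type} traffic out on ${interface} interface"

  case "${traffic_type}" in
    dns)
      printf '%s\n' "${banner}"
      # No proto: DNS runs over udp/53 and falls back to tcp/53 for large answers.
      ufw allow out on "${interface}" to any port 53 comment "ALLOW (-->) dns"
      ;;
    ftp)
      printf '%s\n' "${banner}"
      # Plaintext protocol: credentials cross the wire unencrypted — prefer ftps,
      # or sftp over the ssh rule. The port-20 rule covers only the traditional
      # active-mode data port; passive-mode data connections use negotiated
      # ephemeral ports that this rule does not open.
      ufw allow out on "${interface}" to any port 21 proto tcp comment "ALLOW (-->) ftp"
      ufw allow out on "${interface}" to any port 20 proto tcp comment "ALLOW (-->) ftp-data"
      ;;
    ftps)
      printf '%s\n' "${banner}"
      # Implicit FTPS (TLS from the first byte) on 990/989. Explicit FTPS
      # (AUTH TLS) runs over the plain ftp ports and needs the "ftp" rules instead.
      ufw allow out on "${interface}" to any port 990 proto tcp comment "ALLOW (-->) ftps"
      ufw allow out on "${interface}" to any port 989 proto tcp comment "ALLOW (-->) ftps-data"
      ;;
    ntp)
      printf '%s\n' "${banner}"
      ufw allow out on "${interface}" to any port 123 proto udp comment "ALLOW (-->) ntp"
      ;;
    nts)
      printf '%s\n' "${banner}"
      # NTS only secures key establishment (NTS-KE, 4460/tcp); the time packets
      # themselves still travel as NTP over 123/udp, so both rules are needed for
      # a sync to succeed. Adding 123/udp again after "ntp" is harmless: ufw
      # reports "Skipping adding existing rule" rather than failing.
      ufw allow out on "${interface}" to any port 4460 proto tcp comment "ALLOW (-->) nts"
      ufw allow out on "${interface}" to any port 123 proto udp comment "ALLOW (-->) ntp"
      ;;
    ssh)
      printf '%s\n' "${banner}"
      ufw allow out on "${interface}" to any port 22 proto tcp comment "ALLOW (-->) ssh"
      ;;
    web)
      printf '%s\n' "${banner}"
      # No proto: 443 without "proto tcp" also admits udp/443 (HTTP/3 over QUIC).
      ufw allow out on "${interface}" to any port 80 comment "ALLOW (-->) http"
      ufw allow out on "${interface}" to any port 443 comment "ALLOW (-->) https"
      ;;
    # Nothing given as input, throw an error
    none)
      handle_error "${LINENO}" "You must specify traffic type to allow out e.g. \"${FUNCNAME[0]} web\""
      ;;
    # Invalid input given, throw an error
    *)
      handle_error "${LINENO}" "Invalid protocol given to ${FUNCNAME[0]}."
      ;;
  esac
}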
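# Configure logging, then turn the firewall on.
# Logging is set before enabling so the policy comes up already logging; per
# ufw(8), "low" logs blocked packets (rate limited) plus rules marked "log".
# NOTE: `ufw enable` asks for confirmation when stdin is a terminal, because it
# may drop existing ssh sessions. For unattended runs use `ufw --force enable`,
# accepting that this removes that safety prompt.
ufw_enable() {
  ufw logging low
  ufw enable
}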
# Deny incoming and outgoing traffic by default.
# Sets both ufw default policies to deny, so every permitted flow must be added
# explicitly with an allow rule (see ufw_allow_out). Applied incoming first,
# then outgoing; the return status is that of the last ufw call.
ufw_deny_by_default() {
  local direction
  for direction in incoming outgoing; do
    ufw default deny "${direction}"
  done
}
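# ---------------------------------------------------------------------------
# Apply the policy.
#
# The interface defaults to enp1s0 and can be overridden with UFW_IFACE=<name>
# in the environment; the set of rules is unchanged.
#
# Order matters: the default policies and allow rules are written first and the
# firewall is enabled last, so there is no window in which "default deny
# outgoing" is live without the allow rules (which would cut DNS/NTP/SSH
# mid-run). A bare `ufw_allow_out` with no protocol is deliberately NOT called:
# it aborts the whole script with an error before any rule is added.
#
# CAUTION: no inbound rule is added anywhere in this script, and "default deny
# incoming" also blocks inbound SSH. If this host is administered remotely, add
# e.g. `ufw allow in on "${iface}" to any port 22 proto tcp` before ufw_enable,
# or you will lock yourself out.
# ---------------------------------------------------------------------------
if [[ "${EUID}" -ne 0 ]]; then
  printf 'error --- this script must run as root (ufw requires it)\n' >&2
  exit 1
fi
readonly iface="${UFW_IFACE:-enp1s0}"

ufw_deny_by_default
ufw_allow_out dns "${iface}"
ufw_allow_out ftp "${iface}"   # plaintext; prefer ftps (or sftp over ssh) where possible
#ufw_allow_out ftps "${iface}"
ufw_allow_out ntp "${iface}"
#ufw_allow_out nts "${iface}"
ufw_allow_out ssh "${iface}"
ufw_allow_out web "${iface}"
ufw_enable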