Lock down ufw firewall
#!/bin/bash
# Treat unset variables as errors and let a pipeline fail when any stage fails.
# errexit (-e) is not enabled, so a failing command does not abort the script
# on its own; exit-status handling is left to the functions below.
set -o nounset
set -o pipefail
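#######################################
# ufw_allow_out PROTOCOL [INTERFACE]
#
# Adds `ufw allow out` rules for one well-known protocol.
#
# Arguments:
#   PROTOCOL  - traffic to allow out; one of: dns, ftp, ftps, ntp, nts, ssh, web
#   INTERFACE - interface the rules are bound to; default "any", which emits
#               rules with no `on` clause (i.e. no interface restriction)
# Outputs:
#   one progress line on stdout; diagnostics on stderr
# Exits:
#   terminates the whole shell (not just the function) with ufw's exit status
#   when a rule cannot be added, or with 1 when PROTOCOL is missing or unknown.
#   Run it in a subshell if the caller must survive a failure.
#
# Security notes:
#   - These are port rules, not application rules: any local process may reach
#     any remote host on the listed ports (e.g. dns is "port 53 to any", not
#     pinned to a resolver). Add `to <ip>` rules if tighter egress is needed.
#   - ftp allows cleartext control and data channels; prefer ftps, or sftp,
#     which rides on the ssh rule.
#
# Examples:
#   ufw_allow_out web        Allow web traffic out on any interface
#   ufw_allow_out dns eno1   Allow dns traffic out on the eno1 interface
#######################################
ufw_allow_out() {
  # Traffic type to allow out, or "none" when unspecified.
  local -r traffic_type="${1:-none}"
  # Interface to bind the rules to, or "any" when unspecified.
  local -r interface="${2:-any}"

  # One "port:proto:label" entry per rule. An empty proto leaves the rule
  # protocol-agnostic (ufw then matches both tcp and udp), which dns, http and
  # https need (DNS over tcp, HTTP/3 over udp).
  local -a rules=()
  case "${traffic_type}" in
    dns)  rules=("53::dns") ;;
    ftp)  rules=("21:tcp:ftp" "20:tcp:ftp-data") ;;
    ftps) rules=("990:tcp:ftps" "989:tcp:ftps-data") ;;
    ntp)  rules=("123:udp:ntp") ;;
    nts)  rules=("4460:tcp:nts") ;;
    ssh)  rules=("22:tcp:ssh") ;;
    web)  rules=("80::http" "443::https") ;;
    none)
      _ufw_allow_out_die "${LINENO}" \
        "You must specify traffic type to allow out e.g. \"${FUNCNAME[0]} web\"" 1
      ;;
    *)
      _ufw_allow_out_die "${LINENO}" "Invalid protocol given to ${FUNCNAME[0]}." 1
      ;;
  esac

  printf 'Allowing %s traffic out on %s interface\n' "${traffic_type}" "${interface}"

  local spec port proto label
  for spec in "${rules[@]}"; do
    # IFS applies to this read only; "53::dns" yields an empty proto.
    IFS=: read -r port proto label <<<"${spec}"
    _ufw_allow_out_rule "${interface}" "${port}" "${proto}" "${label}"
  done
}

# _ufw_allow_out_rule INTERFACE PORT PROTO LABEL
#
# Runs one `ufw allow out` command and exits the shell with ufw's status if it
# fails. The `on INTERFACE` clause is omitted for "any": ufw takes the `on`
# argument as a literal interface name for the iptables match, and no
# interface is called "any", so such a rule would never match anything.
# Arguments are passed as an array, never re-parsed by a shell.
_ufw_allow_out_rule() {
  local -r interface="$1" port="$2" proto="$3" label="$4"
  local -a cmd=(ufw allow out)
  if [[ "${interface}" != "any" ]]; then
    cmd+=(on "${interface}")
  fi
  cmd+=(to any port "${port}")
  if [[ -n "${proto}" ]]; then
    cmd+=(proto "${proto}")
  fi
  cmd+=(comment "ALLOW (-->) ${label}")

  # Check the status explicitly rather than through a global ERR trap: a trap
  # set inside a function is shell-wide, and whether ERR fires inside
  # functions at all depends on `set -E`.
  local rc=0
  "${cmd[@]}" || rc=$?
  if (( rc != 0 )); then
    _ufw_allow_out_die "${LINENO}" "ufw command failed: ${cmd[*]}" "${rc}"
  fi
}

# _ufw_allow_out_die LINE MESSAGE [CODE]
#
# Prints a diagnostic on stderr and terminates the shell with CODE (default 1).
# Message format after: https://stackoverflow.com/a/185900
_ufw_allow_out_die() {
  local -r parent_lineno="$1"
  local -r message="${2:-no message given}"
  local -r code="${3:-1}"
  printf 'error --- line: %s --- exit code: %s --- message: %s\n' \
    "${parent_lineno}" "${code}" "${message}" >&2
  exit "${code}"
}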
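#######################################
# ufw_enable
#
# Enables ufw and sets logging to "low" (per ufw(8): blocked packets not
# matching the default policy, rate-limited, plus packets matching logged
# rules).
#
# Returns: 0, or the exit status of the first ufw command that fails, in
#   which case a diagnostic goes to stderr and the second command is skipped.
#
# NOTE(review): `ufw enable` may prompt interactively when it detects that it
#   is running over an SSH session ("Command may disrupt existing ssh
#   connections"); for unattended runs use `ufw --force enable`, but only
#   after an inbound ssh rule exists if the host is administered remotely.
#######################################
ufw_enable() {
  local rc
  ufw enable || {
    rc=$?
    printf 'error --- ufw enable failed --- exit code: %s\n' "${rc}" >&2
    return "${rc}"
  }
  ufw logging low || {
    rc=$?
    printf 'error --- ufw logging low failed --- exit code: %s\n' "${rc}" >&2
    return "${rc}"
  }
}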
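#######################################
# ufw_deny_by_default
#
# Sets ufw's default policy to deny for both incoming and outgoing traffic.
# After this, only explicit allow rules (see ufw_allow_out) let traffic
# through; anything not listed there -- mail, VPN, package mirrors on
# non-http ports -- needs its own rule.
#
# Returns: 0, or the exit status of the first ufw command that fails, in
#   which case a diagnostic goes to stderr and the second command is skipped
#   (the original returned only the status of the last command, hiding a
#   failure of the first).
#######################################
ufw_deny_by_default() {
  local rc
  ufw default deny incoming || {
    rc=$?
    printf 'error --- ufw default deny incoming failed --- exit code: %s\n' "${rc}" >&2
    return "${rc}"
  }
  ufw default deny outgoing || {
    rc=$?
    printf 'error --- ufw default deny outgoing failed --- exit code: %s\n' "${rc}" >&2
    return "${rc}"
  }
}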
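# Interface the outbound allow rules are pinned to. Override with
# UFW_IFACE=<name> in the environment; the default is the host this was
# written for.
ufw_iface="${UFW_IFACE:-enp1s0}"

# Order matters: set the deny policy and the allow-out exceptions first and
# enable last. Rules added while ufw is disabled are stored and loaded when
# it is enabled, so the deny policy never goes live without its exceptions.
# ufw_allow_out exits the script itself if a rule cannot be added; it must
# always be given a protocol (a bare call is an error and exits with 1).
ufw_deny_by_default || exit 1
ufw_allow_out dns "${ufw_iface}"
ufw_allow_out ftp "${ufw_iface}"   # cleartext; prefer ftps or sftp (via ssh)
#ufw_allow_out ftps "${ufw_iface}"
ufw_allow_out ntp "${ufw_iface}"
#ufw_allow_out nts "${ufw_iface}"
ufw_allow_out ssh "${ufw_iface}"
ufw_allow_out web "${ufw_iface}"

# NOTE(review): nothing is allowed *in*. If this host is administered over
# SSH, add an inbound rule before enabling, e.g.
#   ufw allow in on "${ufw_iface}" to any port 22 proto tcp
# otherwise the default-deny incoming policy refuses the next login.
ufw_enable || exit 1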