#!/usr/bin/env bash
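# Fixed, root-only PATH so the binaries resolved below come from system
# directories and not from whatever the invoking environment put first.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# command -v is the portable lookup (which(1) is not guaranteed to exist).
# A missing iptables is fatal: continuing would run every rule as a bare
# "-F"/"-A ..." command and the DROP policies would never be installed.
# A missing ip6tables only leaves V6 empty and is reported.
V4=$(command -v iptables) || { printf 'iptables not found in PATH\n' >&2; exit 1; }
V6=$(command -v ip6tables) || printf 'ip6tables not found in PATH; IPv6 rules will not apply\n' >&2
# Netfilter changes need root; bail out before printing a wall of EPERM errors.
[[ $(id -u) -eq 0 ]] || { printf 'must be run as root\n' >&2; exit 1; }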
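# Persist this script and a systemd oneshot unit so the rules are re-applied
# on every boot. Reads $0 (this script) and writes /usr/local/sbin/fwbase.sh
# and /lib/systemd/system/fwbase.service; returns 1 if either write fails.
# NOTE(review): /lib/systemd/system is the distribution's directory; a locally
# written unit would conventionally live in /etc/systemd/system.
_install() {
  local script_dst=/usr/local/sbin/fwbase.sh
  local unit_dst=/lib/systemd/system/fwbase.service
  # install(1) sets the executable bit that tee(1) did not, so ExecStart can
  # actually run the copy. The copy is only made when the target is absent:
  # the old unconditional second copy truncated the script when it was run
  # from $script_dst itself ("tee" opened the file it was reading from).
  # An already installed (possibly older) copy is deliberately left alone.
  if [[ ! -e "$script_dst" ]]; then
    install -m 0755 -- "$0" "$script_dst" || return 1
  fi
  if [[ ! -e "$unit_dst" ]]; then
    {
      printf '[Unit]\nDescription=BASE FIREWALL RULES ON BOOT\n'
      # Ordering after docker.service when dockerd is present — presumably so
      # the "-F" below does not wipe Docker's rules before they exist.
      if command -v dockerd >/dev/null 2>&1; then
        printf 'Wants=network-pre.target\nAfter=docker.service\n'
      else
        printf 'Before=network-pre.target\nWants=network-pre.target\nAfter=sysinit.target\n'
      fi
      printf '[Service]\nType=oneshot\nExecStart=%s\n[Install]\nWantedBy=basic.target\n' "$script_dst"
    } > "$unit_dst" || return 1
    # systemd does not see a freshly written unit file until it reloads.
    systemctl daemon-reload
  fi
  systemctl enable fwbase
}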
_reset_all() { ${1} -F; ${1} -Z; ${1} -t nat -F; ${1} -t nat -Z; }
_del_blacklist() { ipset del set blacklist-tmp; ipset del set blacklist; ipset destroy; }
_restore_blacklist() { [[ -f ${1:-"/etc/ipset-blacklist/ip-blacklist.restore"} ]] && ipset restore < ${1:-"/etc/ipset-blacklist/ip-blacklist.restore"}; }
set -x
# Blacklist loading is disabled for now; the original invocation was:
#command -v ipset && (_restore_blacklist || (_reset_all iptables; _del_blacklist; _restore_blacklist))
set +x
# The interface auto-detection pipeline appears truncated in the source, so the
# interfaces are pinned by hand. Neither variable is referenced elsewhere in
# this file.
#NIC1=$(ip link | sed -e '/state DOWN / { N; d; }' | sed -e '/veth[0-9].*:/ { N; d; }' | sed -e '/vmbr[$
# shellcheck disable=SC2034
NIC1=eth0
# shellcheck disable=SC2034
NIC2=wlan0
set +x
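printf '\n\nSETTING IPV4 RULES\n\n'
# Each entry is one literal iptables argument string (never built from input).
# The quoted --log-prefix values need a second shell parse, hence "sh -c".
# Applying rule by rule is not atomic: between "-P INPUT DROP" and the lo /
# ESTABLISHED accepts all inbound traffic is briefly dropped. iptables-restore
# would load the whole set in one step if that window matters.
ipv4_failed=0
for params in \
  "-F" "-Z" \
  "-t nat -F" "-t nat -Z" \
  "-P INPUT DROP" "-P FORWARD DROP" "-P OUTPUT ACCEPT" \
  \
  "-A INPUT -i lo -j ACCEPT" \
  "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
  "-A INPUT -m conntrack --ctstate INVALID -j DROP" \
  "-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP" \
  "-A INPUT -m addrtype --dst-type BROADCAST -j DROP" \
  "-A INPUT -m addrtype --dst-type MULTICAST -j DROP" \
  "-A INPUT -m addrtype --dst-type ANYCAST -j DROP" \
  "-A INPUT -d 224.0.0.0/4 -j DROP" \
  \
  "-N ICMPFLOOD" \
  "-A ICMPFLOOD -m recent --set --name ICMP --rsource" \
  "-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix 'iptables[ICMP-flood]: '" \
  "-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP" \
  "-A ICMPFLOOD -j ACCEPT" \
  "-A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT" \
  "-A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT" \
  "-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD" \
  "-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT"
do
  printf '\n\tAPPLY\t|\t%s %s\n' "$V4" "$params"
  # stderr is no longer discarded: a rule that fails to load leaves the host
  # less protected than the APPLY log suggests. On a re-run only "-N ICMPFLOOD"
  # is expected to complain (the chain already exists; -F empties it but does
  # not delete it), which is harmless.
  if ! sh -c "$V4 $params"; then
    printf '\tFAILED\t|\t%s %s\n' "$V4" "$params" >&2
    ipv4_failed=$((ipv4_failed + 1))
  fi
done
(( ipv4_failed == 0 )) || printf '%d IPv4 rule(s) failed to apply\n' "$ipv4_failed" >&2
printf '\n\nCURRENT IPv4 RULES\n'
iptables -S
printf '\n'
iptables -S -t nat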
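printf '\n\nSETTING IPV6 RULES\n\n'
# Same scheme as the IPv4 section: literal argument strings, re-parsed by
# "sh -c" because of the quoted --log-prefix values. The ICMPv6 accepts cover
# the types neighbour discovery, MLD and router advertisement need; the
# fe80::/10 ones are link-local only. Echo requests go through the ICMPFLOOD
# rate limiter; everything else is logged (rate limited) and then hits the
# DROP policy.
ipv6_failed=0
for params in \
  "-F" "-Z" \
  "-t nat -F" "-t nat -Z" \
  "-P INPUT DROP" "-P FORWARD DROP" "-P OUTPUT ACCEPT" \
  \
  "-A INPUT -i lo -j ACCEPT" \
  "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
  "-A INPUT -m conntrack --ctstate INVALID -j DROP" \
  "-A INPUT -s ::1/128 ! -i lo -j DROP" \
  \
  "-N ICMPFLOOD" \
  "-A ICMPFLOOD -m recent --set --name ICMP --rsource" \
  "-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix 'ip6tables[ICMP-flood]: '" \
  "-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP" \
  "-A ICMPFLOOD -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT" \
  "-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT" \
  "-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT" \
  "-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT" \
  "-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT" \
  "-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT" \
  "-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT" \
  "-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT" \
  "-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD" \
  "-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix 'ip6tables[DOS]: '" \
  "-A INPUT -d fe80::/64 -p udp -m conntrack --ctstate NEW -m udp --dport 546 -j ACCEPT"
do
  printf '\n\tAPPLY\t|\t%s %s\n' "$V6" "$params"
  # Failures are counted and reported so a rule that did not load is visible;
  # "-N ICMPFLOOD" complaining on a re-run (chain already exists) is harmless.
  if ! sh -c "$V6 $params"; then
    printf '\tFAILED\t|\t%s %s\n' "$V6" "$params" >&2
    ipv6_failed=$((ipv6_failed + 1))
  fi
done
(( ipv6_failed == 0 )) || printf '%d IPv6 rule(s) failed to apply\n' "$ipv6_failed" >&2
printf '\n\nCURRENT IPv6 RULES\n'
ip6tables -S
printf '\n'
ip6tables -S -t nat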
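#command -v dockerd && systemctl restart docker
# Per systemctl(1), "status" exits 0-3 for the various active/inactive/failed
# states and 4 when no such unit exists, so anything above 3 means fwbase was
# never installed and the script copy plus unit file are created now.
# --no-pager keeps an interactive run from blocking on a pager.
systemctl status --no-pager fwbase
fwbase_status=$?
if (( fwbase_status > 3 )); then
  _install
fi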