This script is designed to set up a basic firewall configuration on a Linux system using `iptables`. It is intended to enhance security by allowing only specific types of network traffic while blocking others. The script performs the following tasks:

- Environment Setup:
  - The script is written in Bash (`#!/usr/bin/env bash`), which specifies the interpreter to use.
  - The script sets two important options: `set -o nounset`, which makes any use of an unset variable an error, and `set -o pipefail`, which makes a pipeline return a failure status if any command in it fails.
- Package Installation:
  - The script installs the `iptables` package if it is not already installed (`apt -y install iptables`).
- Flushing Existing Rules:
  - All existing `iptables` rules, chains, and counters are cleared.
- Default Policy:
  - The default policy for the INPUT and FORWARD chains is set to DROP, so incoming and forwarded traffic is dropped unless a later rule accepts it.
- Allow Loopback Interface:
  - The loopback interface (`lo`) is allowed for local communication.
- Drop Invalid States:
  - Packets with an invalid connection-tracking state are dropped.
- Allow Established and Related Connections:
  - Packets belonging to already established connections, or related to them, are accepted.
- Allow Ping Replies:
  - ICMP echo requests (ping) are allowed.
- Allow DHCP:
  - DHCP traffic is allowed on the specified internal network interface (`$INT`).
- Allow SSH from Local Ethernet:
  - SSH traffic from the specified internal network (`$INT_NET`) is allowed.
- Allow DNS:
  - DNS traffic (UDP and TCP) from the specified internal network is allowed.
- Allow All Outgoing Traffic:
  - All outgoing traffic (TCP and UDP) is allowed.
- Allow Traffic from Firewall to Local Networks:
  - Outgoing traffic from the firewall to local networks is allowed.
- Enable Network Address Translation (NAT):
  - Network Address Translation is enabled for outgoing traffic.
- Disable Destination Unreachable Messages:
  - The firewall is configured not to reply with Destination Unreachable messages for dropped packets.
- Logging:
  - Dropped packets are logged with a prefix (`DROPIN>`, `DROPOUT>`, `DROPFWD>`).
- Install iptables-persistent:
  - The script installs the `iptables-persistent` package to save the current rules and load them at boot time.
- Persisting Rules:
  - The script sets permissions on the `rules.v4` and `rules.v6` files and makes them immutable (`chattr +i`) to prevent modifications.

This script assumes that the internal and external network interfaces are the same (`$INT` and `$EXT` have the same value). This configuration might be suitable for a simple network setup, but in more complex setups, separate interfaces might be used for internal and external networks.
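As an added example, not the original project's script, the following bash script reconstructs the rule set described above as plain `iptables` commands, one per step. The interface name `eth0` and the network `192.168.1.0/24` are assumed placeholders, and the exact port and connection-state matches are one reasonable reading of each step. By default the script only prints the rules so they can be reviewed; setting `APPLY=1` and running it as root installs and persists them.

```shell
#!/usr/bin/env bash
# Added example, not the original script: rebuilds the rule set described above
# as plain iptables commands. Interface names and the internal network are
# assumed placeholders; replace them for a real host. By default only the rules
# are printed (dry run); APPLY=1 as root installs and persists them.
set -o nounset
set -o pipefail 2>/dev/null || true   # bash option; tolerated if run under plain sh

INT="${INT:-eth0}"                    # assumed internal interface
EXT="${EXT:-eth0}"                    # assumed external interface (same as INT here)
INT_NET="${INT_NET:-192.168.1.0/24}"  # assumed internal network (constructed value)

# Print the rule set, one iptables command per line, without executing anything.
# The LOG rules sit last in each chain: anything they see then falls through to
# the chain's DROP policy, so it is dropped silently (no Destination Unreachable).
build_rules() {
  cat <<EOF
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $INT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
iptables -A INPUT -i $INT -s $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $INT -s $INT_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $INT -s $INT_NET -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -j ACCEPT
iptables -A OUTPUT -p udp -j ACCEPT
iptables -A OUTPUT -o $INT -d $INT_NET -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -s $INT_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
iptables -A INPUT -j LOG --log-prefix "DROPIN> "
iptables -A OUTPUT -j LOG --log-prefix "DROPOUT> "
iptables -A FORWARD -j LOG --log-prefix "DROPFWD> "
EOF
}

# Install iptables only if the binary is missing (step 2 of the description).
ensure_iptables() {
  command -v iptables >/dev/null 2>&1 || apt -y install iptables
}

# Execute the rule set line by line. Every line is our own literal command
# from build_rules, so eval is not exposed to any untrusted input here.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
  ensure_iptables
  build_rules | while IFS= read -r cmd; do
    eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
  done
}

# Save the live rules for reload at boot, then lock the files (steps 17 and 18).
persist_rules() {
  apt -y install iptables-persistent
  netfilter-persistent save
  chmod 600 /etc/iptables/rules.v4 /etc/iptables/rules.v6
  chattr +i /etc/iptables/rules.v4 /etc/iptables/rules.v6
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_rules && persist_rules
else
  build_rules   # dry run: review the output before applying
fi
```

Run it once without `APPLY` and read the printed list; the SSH rule (`--dport 22` from `$INT_NET`) is the one to check first if the host is administered remotely, since the DROP policy on INPUT takes effect before that rule is added. The `chattr +i` step means later edits to `rules.v4` require `chattr -i` first, which is the intended friction.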
- Before running this script, ensure that you understand the rules it applies and how they may impact your network. Also, make sure to take necessary precautions to avoid locking yourself out of the system if you are running it remotely. It is recommended to test the rules carefully before applying them permanently.
- It's important to keep the script up-to-date and consider any new security measures or changes in the network environment.