@noize-e
Created July 27, 2023 23:38
Firewall Setup Script

This script is designed to set up a basic firewall configuration on a Linux system using iptables. It is intended to enhance security by allowing only specific types of network traffic while blocking others. The script performs the following tasks:

  1. Environment Setup:
    • The script is written in Bash (#!/usr/bin/env bash), which specifies the interpreter to use.
    • The script sets two important options:
      • set -o nounset: using an unset variable causes an error.
      • set -o pipefail: a pipeline returns a failure status if any command in it fails.
  2. Package Installation:
    • The iptables package is installed if it is not already present (apt -y install iptables).
  3. Flushing Existing Rules:
    • All existing iptables rules, user-defined chains, and counters are cleared (filter, nat and mangle tables).
  4. Default Policy:
    • The default policy for the INPUT and FORWARD chains is set to DROP, so incoming and forwarded traffic that matches no rule is dropped.
  5. Allow Loopback Interface:
    • The loopback interface (lo) is allowed for local communication.
  6. Drop Invalid States:
    • Packets with an invalid connection-tracking state are dropped in all three chains.
  7. Allow Established and Related Connections:
    • Packets belonging to already established connections, or related to them, are accepted.
  8. Allow Ping Replies:
    • ICMP echo requests (type 8, incoming ping) are accepted so the host can reply.
  9. Allow DHCP:
    • DHCP traffic (UDP port 67) on the internal interface ($INT) is allowed; this rule is inserted at the top of the INPUT chain.
  10. Allow SSH from Local Ethernet:
    • New SSH connections (TCP port 22) arriving on $INT from the internal network ($INT_NET) are allowed; SSH from any other source falls through to the DROP policy.
  11. Allow DNS:
    • DNS queries (UDP and TCP port 53, TCP for large replies) from the internal network are allowed.
  12. Allow All Outgoing Traffic:
    • All outgoing TCP and UDP traffic leaving through the external interface ($EXT) is allowed.
  13. Allow Traffic from Firewall to Local Networks:
    • Outgoing traffic from the firewall to the local network ($INT_NET via $INT) is allowed.
  14. Enable Network Address Translation (NAT):
    • Traffic leaving through $EXT is masqueraded, and new connections from $INT_NET are allowed to be forwarded from $INT to $EXT.
  15. Disable Destination Unreachable Messages:
    • The firewall is configured not to reply with ICMP Destination Unreachable messages for dropped packets.
  16. Logging:
    • Packets that match none of the earlier rules (those about to be dropped by the INPUT and FORWARD policies) are logged, rate-limited to 3 per second, with a prefix (DROPIN>, DROPOUT>, DROPFWD>).
  17. Install iptables-persistent:
    • The iptables-persistent package is installed to save the current rules and load them at boot time.
  18. Persisting Rules:
    • The script sets root-only permissions on the rules.v4 and rules.v6 files and makes them immutable (chattr +i) to prevent modifications.

Note:

  • This script assumes that the internal and external network interfaces are the same ($INT and $EXT have the same value). This configuration might be suitable for a simple network setup, but in more complex setups, separate interfaces might be used for internal and external networks.

  • Before running this script, ensure that you understand the rules it applies and how they may impact your network. Also, make sure to take necessary precautions to avoid locking yourself out of the system if you are running it remotely. It is recommended to test the rules carefully before applying them permanently.

  • It's important to keep the script up-to-date and consider any new security measures or changes in the network environment.

#!/usr/bin/env bash
# Basic iptables firewall for a single-interface Linux host. Run as root.
set -o nounset
set -o pipefail

# The original hard-coded PATH="/sbin", which hides apt, systemctl, chown and
# chattr (they live under /usr/bin and /bin); use the standard system directories.
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
export DEBIAN_FRONTEND=noninteractive   # lets apt/debconf run unattended

INT=enp3s0               # internal (LAN) interface
EXT=enp3s0               # external interface; the same NIC in this setup
INT_NET=192.168.0.0/24   # internal network allowed to reach SSH and DNS

apt -y install iptables

echo "Flushing rules"
iptables -F                # flush the filter table
iptables -t nat -F
iptables -t mangle -F
iptables -X                # delete user-defined chains
iptables -Z                # zero packet and byte counters

# Default-deny for inbound and forwarded traffic. OUTPUT keeps the kernel
# default policy (ACCEPT), so the DROPOUT> log rule below records packets that
# reached the end of that chain, not packets that were dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP

echo "Allow loopback"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "Drop invalid states"
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

echo "Allow established and related connections"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

echo "Allow ping replies"
# ICMP type 8 = echo request; accepting it lets this host answer pings
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow DHCP"
# -I puts this rule at the top of INPUT (UDP 67 = DHCP server port)
iptables -I INPUT -i $INT -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow SSH from local Ethernet"
# Only new SSH connections from $INT_NET on $INT; anything else hits the DROP policy
iptables -A INPUT -i $INT -s $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow DNS (UDP and TCP for large replies)"
iptables -A INPUT -i $INT -s $INT_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $INT -s $INT_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow all outgoing"
iptables -A OUTPUT -o $EXT -p tcp -d 0.0.0.0/0 -j ACCEPT
iptables -A OUTPUT -o $EXT -p udp -d 0.0.0.0/0 -j ACCEPT

echo "Allow traffic from the firewall to local networks"
iptables -A OUTPUT -o $INT -d $INT_NET -j ACCEPT

echo "Enable network address translation"
# Masquerade traffic leaving via $EXT and forward new connections from the LAN
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
iptables -A FORWARD -o $EXT -i $INT -s $INT_NET -m conntrack --ctstate NEW -j ACCEPT

echo "Do not reply with Destination Unreachable messages"
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

echo "Log all dropped packets"
# Last rule in each chain: anything reaching it is logged (max 3/sec) at level debug (7)
iptables -A INPUT -m limit --limit 3/sec -j LOG --log-level debug --log-prefix "DROPIN>"
iptables -A OUTPUT -m limit --limit 3/sec -j LOG --log-level debug --log-prefix "DROPOUT>"
iptables -A FORWARD -m limit --limit 3/sec -j LOG --log-level debug --log-prefix "DROPFWD>"

# Install iptables-persistent so the ruleset is restored at boot
apt -y install iptables-persistent
systemctl enable netfilter-persistent
# Write the live ruleset to /etc/iptables/rules.v4 and rules.v6 so both files
# exist before their permissions are tightened
netfilter-persistent save

# Restrict the saved rules to root and make them immutable
# (run "chattr -i" on a file before saving changes to it later)
for f in /etc/iptables/rules.v4 /etc/iptables/rules.v6; do
  chown root:root "$f"
  chmod 600 "$f"
  chattr +i "$f"
done
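Rule order decides what the INPUT chain lets in. As an added example (not part of the gist), the following Python evaluator parses a constructed `iptables -S` dump of the INPUT chain the script builds and returns the verdict for representative packets, so the SSH-from-LAN-only behaviour and the remote-lockout risk from the notes can be checked before the rules are applied. It handles only the match options the script uses and treats LOG as non-terminating.

```python
import ipaddress
import shlex

# Constructed sample: the INPUT chain the script above builds, in `iptables -S`
# form. The DHCP rule is first because the script adds it with -I.
INPUT_CHAIN = """
-P INPUT DROP
-A INPUT -i enp3s0 -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i enp3s0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i enp3s0 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i enp3s0 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/sec -j LOG --log-prefix "DROPIN>" --log-level 7
"""

def parse_chain(text):
    """Return (policy, rules); each rule is a dict of match criteria plus its target."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == "-P":          # "-P INPUT DROP" sets the chain's default policy
            policy = tok[2]; continue
        rule, i = {}, 2             # skip the leading "-A INPUT"
        while i < len(tok):
            opt, val = tok[i], tok[i + 1]
            if opt == "-i": rule["iface"] = val
            elif opt == "-s": rule["src"] = ipaddress.ip_network(val)
            elif opt == "-p": rule["proto"] = val
            elif opt == "--dport": rule["dport"] = int(val)
            elif opt == "--icmp-type": rule["icmp_type"] = int(val)
            elif opt == "--ctstate": rule["ctstate"] = set(val.split(","))
            elif opt == "-j": rule["target"] = val
            # "-m <module>", "--limit" and "--log-*" do not narrow the match; skipped
            i += 2
        rules.append(rule)
    return policy, rules

def verdict(chain, pkt):
    """Walk the chain in order: LOG continues, ACCEPT/DROP end it, else the policy applies."""
    policy, rules = chain
    for r in rules:
        if "iface" in r and r["iface"] != pkt["iface"]: continue
        if "src" in r and ipaddress.ip_address(pkt["src"]) not in r["src"]: continue
        if "proto" in r and r["proto"] != pkt["proto"]: continue
        if "dport" in r and r["dport"] != pkt.get("dport"): continue
        if "icmp_type" in r and r["icmp_type"] != pkt.get("icmp_type"): continue
        if "ctstate" in r and pkt["ctstate"] not in r["ctstate"]: continue
        if r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
    return policy
```

A packet dict carries iface, src, proto, ctstate and, where relevant, dport or icmp_type; feeding it the address you administer from shows whether the SSH rule still covers you after the policy flips to DROP.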