Install Shorewall
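#!/bin/bash
# Server bootstrap: firewall (Shorewall) install plus helpers that move live
# config files into a git-tracked directory and symlink them back in place.
# Run as the ordinary (sudo-capable) login user, not via `sudo ./script` —
# whoami would then report root and the repo would land in /home/root.
sshPort="40000"            # SSH port the firewall must keep open; keep in sync with sshd_config
shellUser=$(whoami)        # invoking user; repo files are chowned to them
shellGroup=$(id -gn)       # primary group of that user, used by addToRepo's chown
export homeDir="/home/$shellUser"
export baseDir="$homeDir/server-setup"   # root of the config repo ($baseDir/config mirrors /)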
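#######################################
# Move a live system file (or directory) into the config repo and leave a
# symlink at its original path, so the live config is tracked under
# $baseDir/config. A file already present in the repo wins over the live one.
# Globals:   baseDir (read), shellUser / shellGroup (read, for the chown)
# Arguments: $1 - absolute path of the live file, e.g. /etc/shorewall/zones
#            $2 - if non-empty, chown the repo copy to the shell user
# Returns:   1 on an empty path, otherwise the status of the failing step
#######################################
addToRepo() {
  local file=$1
  local wantChown=$2
  local relative=${file#/}                  # repo path mirrors the root fs without the leading /
  local repoFile="$baseDir/config/$relative"
  # An empty path would turn the rm -rf / ln below into operations on the
  # wrong target; refuse it outright.
  [[ -n "$file" ]] || return 1
  if [[ ! -f "$repoFile" && ! -d "$repoFile" ]]; then
    # Not tracked yet: move the live file into the repo.
    mkdir -p -- "$(dirname -- "$repoFile")" || return
    sudo mv -- "$file" "$repoFile" || return
  else
    # Already tracked: drop the live copy so the symlink can take its place.
    sudo rm -rf -- "${file:?}" || return
  fi
  # Replace the live path with a symlink into the repo.
  sudo ln -s -- "$repoFile" "$file" || return
  # Make sure git (running as the shell user) can read the file.
  sudo chmod -R ga+r "$file"
  if [[ -n "$wantChown" ]]; then
    # shellGroup may be unset in older copies of this script; fall back to
    # the user's primary group rather than passing an empty group name.
    sudo chown -R "$shellUser:${shellGroup:-$(id -gn "$shellUser")}" "$repoFile"
  fi
}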
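#######################################
# Apply a sed expression to a root-owned file in place via sudo tee.
# The edited text is captured before being written back: the former
# `sed file | sudo tee file` pipeline let tee truncate the file before sed had
# necessarily read it, which could leave the file empty.
# Arguments: $1 - sed expression, e.g. 's/startup=0/startup=1/'
#            $2 - path of the file to edit (must be readable by the caller)
# Returns:   sed's status if it fails, otherwise tee's
# Note:      the file is rewritten with exactly one trailing newline.
#######################################
sudoSed() {
  local expression=$1
  local file=$2
  local edited
  edited=$(sed -e "$expression" -- "$file") || return
  printf '%s\n' "$edited" | sudo tee -- "$file" > /dev/null
}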
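#######################################
# Append text to a root-owned file via sudo tee -a.
# Arguments: $1 - text to append; backslash escapes are interpreted (as with
#                 `echo -e`) and a newline is added after it
#            $2 - path of the file to append to
# Returns:   tee's status
#######################################
sudoAppend() {
  local string=$1
  local file=$2
  # printf '%b' keeps the echo -e escape handling but is not confused by
  # a string that starts with an option such as -n.
  printf '%b\n' "$string" | sudo tee -a -- "$file" > /dev/null
}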
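##
# Install Shorewall.
# Based on http://myliteraturetechlife.com/installing-configuring-shorewall-firewall-in-ubuntudebian/
#
# Each config file is seeded from the packaged default-config, appended to,
# then moved into the repo via addToRepo. Assumptions to check before running
# on a new host: eth0 faces the internet (zone "net") and eth1 the LAN (zone
# "loc"); the SSH rule keeps $sshPort open from "net" so starting the firewall
# over an SSH session does not lock you out. `shorewall check` validates the
# configuration before anything is started, and the whole chain now reports a
# failure on stderr and exits non-zero instead of silently continuing.
# NOTE(review): some of the interface options used below (norfc1918,
# blacklist) are not accepted by newer Shorewall releases — verify against
# shorewall-interfaces(5) of the installed version; the check step will
# report unknown options.
##
echo "#### Installing Shorewall firewall"
sudo apt-get install shorewall -y \
&& sudoSed 's/startup=0/startup=1/' /etc/default/shorewall \
&& addToRepo /etc/default/shorewall \
&& sudo cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/ \
&& sudoAppend "net ipv4
loc ipv4" /etc/shorewall/zones \
&& addToRepo /etc/shorewall/zones \
&& sudoAppend "net eth0 detect routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
loc eth1 detect tcpflags" /etc/shorewall/interfaces \
&& addToRepo /etc/shorewall/interfaces \
&& sudoAppend "fw net ACCEPT
fw loc ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info" /etc/shorewall/policy \
&& addToRepo /etc/shorewall/policy \
&& sudoAppend "ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT net fw tcp $sshPort # SSH
ACCEPT net fw udp https
# ACCEPT net:10.1.1.1 fw tcp ssh" /etc/shorewall/rules \
&& addToRepo /etc/shorewall/rules \
&& sudo shorewall check \
&& sudo service shorewall start \
&& echo "#### Done" \
|| { echo "#### Shorewall setup failed; firewall was not started" >&2; exit 1; }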