@simonexmachina
Created July 2, 2012 07:40
Install Shorewall
#!/bin/bash
# Port sshd listens on; opened towards the firewall in the rules below.
sshPort="40000"
shellUser=$(whoami)
shellGroup=$(id -gn)
export homeDir="/home/$shellUser"
export baseDir="$homeDir/server-setup"

# Move a config file into the local repo and replace it with a symlink.
# $1 = absolute path of the file, $2 = non-empty to chown the repo copy
# to the shell user.
addToRepo() {
    file=$1
    doChown=$2
    relative=${file#/}
    repoFile="$baseDir/config/$relative"
    # If the file doesn't exist in the repo
    if [ ! -e "$repoFile" ]; then
        # move it in there
        mkdir -p "$(dirname "$repoFile")"
        sudo mv "$file" "$repoFile"
    else
        # else remove the file so that we can...
        sudo rm -rf "$file"
    fi
    # Replace it with the file in the repo
    sudo ln -s "$repoFile" "$file"
    # Make sure git can read the file (chmod the repo copy, not the symlink)
    sudo chmod -R a+r "$repoFile"
    if [ -n "$doChown" ]; then
        sudo chown -R "$shellUser:$shellGroup" "$repoFile"
    fi
}

# Edit a root-owned file in place. (Piping "sed file | sudo tee file" races:
# tee can truncate the file before sed has read it.)
sudoSed() {
    expression=$1
    file=$2
    sudo sed -i -e "$expression" "$file"
}

# Append a (possibly multi-line) string to a root-owned file.
sudoAppend() {
    string=$1
    file=$2
    echo -e "$string" | sudo tee -a "$file" > /dev/null
}
##
# Install Shorewall.
# Based on http://myliteraturetechlife.com/installing-configuring-shorewall-firewall-in-ubuntudebian/
##
echo "#### Installing Shorewall firewall"
sudo apt-get install shorewall -y \
    && sudoSed 's/startup=0/startup=1/' /etc/default/shorewall \
    && addToRepo /etc/default/shorewall \
    && sudo cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/ \
    && sudoAppend "net ipv4
loc ipv4" /etc/shorewall/zones \
    && addToRepo /etc/shorewall/zones \
    && sudoAppend "net eth0 detect routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
loc eth1 detect tcpflags" /etc/shorewall/interfaces \
    && addToRepo /etc/shorewall/interfaces \
    && sudoAppend "fw net ACCEPT
fw loc ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info" /etc/shorewall/policy \
    && addToRepo /etc/shorewall/policy \
    && sudoAppend "ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT net fw tcp $sshPort # SSH
ACCEPT net fw udp https
# ACCEPT net:10.1.1.1 fw tcp ssh" /etc/shorewall/rules \
    && addToRepo /etc/shorewall/rules \
    && sudo service shorewall start \
    && echo "#### Done"