tzengerink/firewall.sh

## firewall.sh
#!/bin/bash -e
#
# IPTABLES FIREWALL
# -----------------
# Script for setting your iptables firewall. Configure the variables to your
# liking and start the firewall. Copy the file to `/usr/local/sbin` or the
# directory of your choice.
#
#    Usage: `./firewall.sh [restart|start|stop|status]`
#
# Copyright (c) 2013 T. Zengerink
# Licensed under MIT License.
# See: https://gist.github.com/raw/3151357/6806e68cb9cc0042b265f25be9bc25dd39f75267/LICENSE.md

## IP/SUBNET CONFIGURATION
#
BROADCAST=( 255.255.255.255 )

## WHITE-/BLACKLISTING
#
WHITELIST=( 192.168.1.0/24 )
BLACKLIST=()

## PORT CONFIGURATION
#
WHITELIST_OPEN_TCP=()
WHITELIST_OPEN_UDP=()
OPEN_TCP=()
OPEN_UDP=()

## IP TABLES CONFIGURATION
#
IPT="$(which iptables)"
RULES="/etc/iptables/iptables.rules"

## FLUSH FIREWALL SETTINGS
#
flush_firewall(){
	$IPT -F
	$IPT -X
}

## SAVE FIREWALL SETTINGS
# Your Linux distribution might handle these commands differently.
#
save_firewall(){
	iptables-save > $RULES
	systemctl reload iptables
}

## SHOW FIREWALL STATUS
#
status_firewall(){
	$IPT -vnL
}

## STOP FIREWALL
#
stop_firewall(){
	$IPT -P INPUT ACCEPT
	$IPT -P FORWARD ACCEPT
	$IPT -P OUTPUT ACCEPT
}

## START FIREWALL
#
start_firewall(){
	$IPT -N LOGDROP
	$IPT -N TCP
	$IPT -N UDP
	$IPT -P FORWARD DROP
	$IPT -P OUTPUT ACCEPT
	$IPT -P INPUT DROP

	# Logdrop
	$IPT -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
	$IPT -A LOGDROP -j DROP

	# Initial setup
	$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	$IPT -A INPUT -i lo -j ACCEPT
	$IPT -A INPUT -m conntrack --ctstate INVALID -j LOGDROP
	$IPT -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

	# Block all broadcast packets
	for SRC in "${BROADCAST[@]}"; do
		$IPT -A INPUT -s $SRC -j DROP
		$IPT -A INPUT -d $SRC -j DROP
	done

	# Log and drop all traffic from blacklisted sources
	for SRC in "${BLACKLIST[@]}"; do
		$IPT -A INPUT -s $SRC -j LOGDROP
		$IPT -A INPUT -d $SRC -j LOGDROP
	done

	# Send new TCP / UDP connections through their own chain
	$IPT -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
	$IPT -A INPUT -p udp -m conntrack --ctstate NEW -j UDP

	# Accept all traffic from whitelisted sources
	for SRC in "${WHITELIST[@]}"; do
		for PORT in "${WHITELIST_OPEN_TCP[@]}"; do
			$IPT -A TCP -p tcp -s $SRC --dport $PORT -j ACCEPT
		done
		for PORT in $WHITELIST_OPEN_UDP; do
			$IPT -A UDP -p udp -s $SRC --dport $PORT -j ACCEPT
		done
	done

	# Accept all traffic on open ports
	for PORT in "${OPEN_TCP[@]}"; do
		$IPT -A TCP -p tcp --dport $PORT -j ACCEPT
	done

	for PORT in "${OPEN_UDP[@]}"; do
		$IPT -A UDP -p udp --dport $PORT -j ACCEPT
	done
}

## EXECUTE SCRIPT
#
case "$1" in
	start|restart)
		flush_firewall
		start_firewall
		save_firewall
		;;
	status)
		status_firewall
		;;
	stop)
		flush_firewall
		stop_firewall
		save_firewall
		;;
	*)
		echo -e "Usage $0 [restart|start|stop|status]"
		exit 1
esac
exit 0
	#!/bin/bash -e
	#
	# IPTABLES FIREWALL
	# -----------------
	# Script for setting your iptables firewall. Configure the variables to your
	# liking and start the firewall. Copy the file to `/usr/local/sbin` or the
	# directory of your choice.
	#
	# Usage: `./firewall.sh [restart\|start\|stop\|status]`
	#
	# Copyright (c) 2013 T. Zengerink
	# Licensed under MIT License.
	# See: https://gist.github.com/raw/3151357/6806e68cb9cc0042b265f25be9bc25dd39f75267/LICENSE.md

	## IP/SUBNET CONFIGURATION
	#
	BROADCAST=( 255.255.255.255 )

	## WHITE-/BLACKLISTING
	#
	WHITELIST=( 192.168.1.0/24 )
	BLACKLIST=()

	## PORT CONFIGURATION
	#
	WHITELIST_OPEN_TCP=()
	WHITELIST_OPEN_UDP=()
	OPEN_TCP=()
	OPEN_UDP=()

	## IP TABLES CONFIGURATION
	#
	IPT="$(which iptables)"
	RULES="/etc/iptables/iptables.rules"

	## FLUSH FIREWALL SETTINGS
	#
	flush_firewall(){
	$IPT -F
	$IPT -X
	}

	## SAVE FIREWALL SETTINGS
	# Your Linux distribution might handle these commands differently.
	#
	save_firewall(){
	iptables-save > $RULES
	systemctl reload iptables
	}

	## SHOW FIREWALL STATUS
	#
	status_firewall(){
	$IPT -vnL
	}

	## STOP FIREWALL
	#
	stop_firewall(){
	$IPT -P INPUT ACCEPT
	$IPT -P FORWARD ACCEPT
	$IPT -P OUTPUT ACCEPT
	}

	## START FIREWALL
	#
	start_firewall(){
	$IPT -N LOGDROP
	$IPT -N TCP
	$IPT -N UDP
	$IPT -P FORWARD DROP
	$IPT -P OUTPUT ACCEPT
	$IPT -P INPUT DROP

	# Logdrop
	$IPT -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
	$IPT -A LOGDROP -j DROP

	# Initial setup
	$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	$IPT -A INPUT -i lo -j ACCEPT
	$IPT -A INPUT -m conntrack --ctstate INVALID -j LOGDROP
	$IPT -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

	# Block all broadcast packets
	for SRC in "${BROADCAST[@]}"; do
	$IPT -A INPUT -s $SRC -j DROP
	$IPT -A INPUT -d $SRC -j DROP
	done

	# Log and drop all traffic from blacklisted sources
	for SRC in "${BLACKLIST[@]}"; do
	$IPT -A INPUT -s $SRC -j LOGDROP
	$IPT -A INPUT -d $SRC -j LOGDROP
	done

	# Send new TCP / UDP connections through their own chain
	$IPT -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
	$IPT -A INPUT -p udp -m conntrack --ctstate NEW -j UDP

	# Accept all traffic from whitelisted sources
	for SRC in "${WHITELIST[@]}"; do
	for PORT in "${WHITELIST_OPEN_TCP[@]}"; do
	$IPT -A TCP -p tcp -s $SRC --dport $PORT -j ACCEPT
	done
	for PORT in $WHITELIST_OPEN_UDP; do
	$IPT -A UDP -p udp -s $SRC --dport $PORT -j ACCEPT
	done
	done

	# Accept all traffic on open ports
	for PORT in "${OPEN_TCP[@]}"; do
	$IPT -A TCP -p tcp --dport $PORT -j ACCEPT
	done

	for PORT in "${OPEN_UDP[@]}"; do
	$IPT -A UDP -p udp --dport $PORT -j ACCEPT
	done
	}

	## EXECUTE SCRIPT
	#
	case "$1" in
	start\|restart)
	flush_firewall
	start_firewall
	save_firewall
	;;
	status)
	status_firewall
	;;
	stop)
	flush_firewall
	stop_firewall
	save_firewall
	;;
	*)
	echo -e "Usage $0 [restart\|start\|stop\|status]"
	exit 1
	esac
	exit 0