Last active
May 12, 2018 15:58
-
-
Save vvdaal/c98a08b47f8a0e6203b6e0fe8098fc59 to your computer and use it in GitHub Desktop.
Firewall script - Setups very restrictive firewall IPv4 and IPv6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| IPT="/sbin/iptables" | |
| IPV6=true | |
| IPTV6="/sbin/ip6tables" | |
| # Your DNS servers you use: cat /etc/resolv.conf | |
| # IPv6 DNS not supported in this script | |
| DNS_SERVER="67.207.67.3 67.207.67.2" | |
| # Allow connections to this package servers | |
| # Modify these with yours | |
| PACKAGE_SERVER="prod.debian.map.fastly.net mirrors.digitalocean.com security.debian.org repos.sonar.digitalocean.com" | |
| echo "flush iptable rules" | |
| ${IPT} -F | |
| ${IPT} -X | |
| ${IPT} -t nat -F | |
| ${IPT} -t nat -X | |
| ${IPT} -t mangle -F | |
| ${IPT} -t mangle -X | |
| echo "Set default policy to 'DROP'" | |
| ${IPT} -P INPUT DROP | |
| ${IPT} -P FORWARD DROP | |
| ${IPT} -P OUTPUT DROP | |
| ## This should be one of the first rules. | |
| ## so dns lookups are already allowed for your other rules | |
| for ip in $DNS_SERVER | |
| do | |
| echo "Allowing DNS lookups (tcp, udp port 53) to server '${ip}'" | |
| ${IPT} -A OUTPUT -p udp -d ${ip} --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A INPUT -p udp -s ${ip} --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| ${IPT} -A OUTPUT -p tcp -d ${ip} --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A INPUT -p tcp -s ${ip} --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| done | |
| echo "allow all and everything on localhost" | |
| ${IPT} -A INPUT -i lo -j ACCEPT | |
| ${IPT} -A OUTPUT -o lo -j ACCEPT | |
| for ip in $PACKAGE_SERVER | |
| do | |
| echo "Allow connection to '${ip}' on port 21" | |
| ${IPT} -A OUTPUT -p tcp -d "${ip}" --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A INPUT -p tcp -s "${ip}" --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| echo "Allow connection to '${ip}' on port 80" | |
| ${IPT} -A OUTPUT -p tcp -d "${ip}" --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A INPUT -p tcp -s "${ip}" --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| echo "Allow connection to '${ip}' on port 443" | |
| ${IPT} -A OUTPUT -p tcp -d "${ip}" --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A INPUT -p tcp -s "${ip}" --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| done | |
| ####################################################################################################### | |
| ## Global iptable rules. Not IP specific | |
| # Further example of allowing incoming connections | |
| #echo "Allowing new and established incoming connections to port 21,80,443" | |
| #${IPT} -A INPUT -p tcp -m multiport --dports 21,80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| #${IPT} -A OUTPUT -p tcp -m multiport --sports 21,80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| echo "Allow all incoming connections to port 22" | |
| ${IPT} -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| echo "Allow all outgoing connections to port 22 on eth1 interface (LAN) matching CIDR" | |
| ${IPT} -A OUTPUT -o eth1 -p tcp --dport 22 -d 10.133.0.0/16 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A INPUT -i eth1 -p tcp --sport 22 -s 10.133.0.0/16 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| echo "Allow outgoing icmp connections (pings,...)" | |
| ${IPT} -A OUTPUT -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT | |
| ${IPT} -A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| echo "Allow outgoing connections to port 123 (ntp syncs)" | |
| ${IPT} -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A INPUT -p udp --sport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| echo "Allow outgoing connections to Digital Ocean agent" | |
| ${IPT} -A OUTPUT -p tcp -d 169.254.169.254 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A INPUT -p tcp -s 169.254.169.254 --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| ${IPT} -A OUTPUT -p tcp -d "sonar.digitalocean.com" --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPT} -A INPUT -p tcp -s "sonar.digitalocean.com" --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # Log before dropping | |
| ${IPT} -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: ' | |
| ${IPT} -A INPUT -j DROP | |
| ${IPT} -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: ' | |
| ${IPT} -A OUTPUT -j DROP | |
| # | |
| # IPv6 section below | |
| # | |
| if [ ${IPV6} = true ] | |
| then | |
| echo "Applying IPV6 rules" | |
| echo "flush iptable rules" | |
| ${IPTV6} -F | |
| ${IPTV6} -X | |
| ${IPTV6} -t nat -F | |
| ${IPTV6} -t nat -X | |
| ${IPTV6} -t mangle -F | |
| ${IPTV6} -t mangle -X | |
| echo "Set default policy to 'DROP'" | |
| ${IPTV6} -P INPUT DROP | |
| ${IPTV6} -P FORWARD DROP | |
| ${IPTV6} -P OUTPUT DROP | |
| echo "allow all and everything on localhost" | |
| ${IPTV6} -A INPUT -i lo -j ACCEPT | |
| ${IPTV6} -A OUTPUT -o lo -j ACCEPT | |
| ####################################################################################################### | |
| ## Global iptable rules. Not IP specific | |
| # Further example of allowing incoming connections | |
| #echo "Allowing new and established incoming connections to port 21,80,443" | |
| #${IPTV6} -A INPUT -p tcp -m multiport --dports 21,80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| #${IPTV6} -A OUTPUT -p tcp -m multiport --sports 21,80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| echo "Allow all incoming connections to port 22" | |
| ${IPTV6} -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPTV6} -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| echo "Allow all outgoing connections to port 22" | |
| ${IPTV6} -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| ${IPTV6} -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| echo "Allow outgoing icmp connections (pings,...)" | |
| ${IPTV6} -A OUTPUT -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT | |
| ${IPTV6} -A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| # Log before dropping | |
| ${IPTV6} -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IPV6 INPUT drop: ' | |
| ${IPTV6} -A INPUT -j DROP | |
| ${IPTV6} -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix 'IPV6 OUTPUT drop: ' | |
| ${IPTV6} -A OUTPUT -j DROP | |
| fi | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment