Parefeu
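#!/bin/sh
# Parefeu: flush iptables/ip6tables and rebuild the host's rule set from scratch.
# Must run as root (iptables, iptables-save and the /proc/sys write below).
# Default policies are INPUT/FORWARD DROP and OUTPUT ACCEPT. The ACCEPT rules are
# only appended further down, so between the policy change here and the
# SSH/ESTABLISHED rules the host accepts nothing new; keep anything that can
# fail out of that window.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}"
#echo $PATH
# Treat an unset variable as an error: an interface lookup that returned nothing
# must not silently become an empty positional argument further down.
set -u
# TCP and UDP ports accepted on INPUT from any source (see the multiport rules).
# 21/20 (FTP), 3306 (MySQL) and 8006 are reachable from everywhere via this list.
INPUT_PORTS="22,21,20,80,443,3306,8006"
# NOTE(review): FORWARD_PORTS is not referenced anywhere in this script; kept as-is.
FORWARD_PORTS="3306,80,443,8080"
# Nothing below depends on the working directory (every path used is absolute).
cd /sbin/
echo "[IpTables] Reset..."
sleep 1
# Flush and delete every chain of the filter, nat and mangle tables for both
# address families so that re-running the script never stacks duplicate rules.
# ip6tables -t nat may report an error on kernels without IPv6 NAT support;
# that is non-fatal here.
for fw in iptables ip6tables; do
  "$fw" -F
  "$fw" -X
  for table in nat mangle; do
    "$fw" -t "$table" -F
    "$fw" -t "$table" -X
  done
done
# Default-deny for inbound and routed traffic; traffic the host originates is allowed.
for fw in iptables ip6tables; do
  "$fw" -P INPUT DROP
  "$fw" -P FORWARD DROP
  "$fw" -P OUTPUT ACCEPT
done
echo "[IpTables] Règles i/o et forwarding mise en place !"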
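#China ?
#iptables -A INPUT -s 91.224.160.203 -j REJECT
#China ?
#iptables -A INPUT -s 58.218.211.48 -j REJECT
#Jamelot
#iptables -A INPUT -s 78.221.148.52 -j REJECT
# Replies to connections this host opened, and ICMP errors related to tracked
# connections, are accepted first; the ICMP DROP rules further down therefore
# never affect established traffic (PMTU discovery keeps working).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Autoriser les connections INPUT ESTABLISHED,RELATED"
# Codeanywhere
# These sources are accepted on every port and protocol, not only INPUT_PORTS.
# The list is maintained by hand; review it when the provider's addresses change.
for src in \
  54.69.152.243 54.186.244.104 54.187.136.143 54.187.142.118 54.187.182.165 \
  54.187.44.75 54.191.40.18 51.141.5.180 52.161.27.120 65.52.184.164 \
  52.174.152.0/24; do
  iptables -A INPUT -s "$src" -j ACCEPT -m comment --comment "Codeanywhere"
done
# CloudFlare
# Same remark: anything arriving from these ranges reaches every listening
# service on the host (including those not meant to sit behind the CDN),
# not just 80/443.
for src in \
  103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 \
  131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 \
  188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17; do
  iptables -A INPUT -s "$src" -j ACCEPT -m comment --comment "CloudFlare"
done
iptables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Autoriser les connections SSH"
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Autoriser les connections SSH"
# NOTE(review): 3389/tcp is conventionally RDP; the comment says OpenVPN, so
# presumably the VPN listens on a non-default port here -- confirm against the
# OpenVPN server configuration.
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT -m comment --comment "Autoriser les connections OpenVpn"
for fw in iptables ip6tables; do
  "$fw" -A INPUT -i lo -j ACCEPT
done
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Autoriser les connections INPUT ESTABLISHED,RELATED"
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Autoriser les connections FORWARD ESTABLISHED,RELATED"
#ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Autoriser les connections FORWARD ESTABLISHED,RELATED"
echo "[IpTables] Règles de base appliquées !"
# Service ports. The same list is opened for UDP although every entry is a
# conventionally TCP service, so the UDP rules are broader than needed.
iptables -A INPUT -p tcp -m multiport --dports "$INPUT_PORTS" -j ACCEPT -m comment --comment "TCP INPUT_PORTS"
iptables -A INPUT -p udp -m multiport --dports "$INPUT_PORTS" -j ACCEPT -m comment --comment "UDP INPUT_PORTS"
ip6tables -A INPUT -p tcp -m multiport --dports "$INPUT_PORTS" -j ACCEPT
ip6tables -A INPUT -p udp -m multiport --dports "$INPUT_PORTS" -j ACCEPT
echo "[IpTables] Règles i/o des ports des services appliquée !!"
# Unsolicited ICMP (echo requests etc.) only from the LAN, the Docker range and
# one external host; everything else ICMP is dropped.
iptables -A INPUT -s 192.168.2.0/24 -p icmp -j ACCEPT -m comment --comment "[ICMP] 192.168.2.0/24"
iptables -A INPUT -s 172.17.0.0/16 -p icmp -j ACCEPT -m comment --comment "[ICMP] 172.17.0.0/16"
iptables -A INPUT -s 62.210.204.211 -p icmp -j ACCEPT -m comment --comment "[ICMP] Free-Reseau"
iptables -A INPUT -p icmp -j DROP -m comment --comment "[ICMP] DROP"
ip6tables -A INPUT -s fe80::/64 -p icmpv6 -j ACCEPT -m comment --comment "[ICMP] fe80::/64"
# Restricted to icmpv6: without "-p icmpv6" this rule dropped *all* remaining
# IPv6 input and made the fe80::/64 ACCEPT below unreachable. ICMPv6 from
# sources outside fe80::/64 (e.g. DAD probes sent from ::) still ends here --
# confirm neighbour discovery behaves as expected on this host.
ip6tables -A INPUT -p icmpv6 -j DROP -m comment --comment "[ICMP] DROP"
echo "[IpTables] Autoriser ICMP [OK]";
# NOTE(review): /24 here, but the ICMP rule above and the DOCKER forward block
# use 172.17.0.0/16 -- confirm which prefix is intended.
iptables -A INPUT -s 172.17.0.0/24 -j ACCEPT -m comment --comment "Autoriser les connections INPUT 172.17.0.0/24"
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT -m comment --comment "Autoriser les connections INPUT 192.168.2.0/24"
ip6tables -A INPUT -s fe80::/64 -j ACCEPT -m comment --comment "Autoriser les connections INPUT fe80::/64"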
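#######################################
# Create a per-network chain, hook it into FORWARD and masquerade the network.
# Arguments:
#   $1 - inside interface (e.g. docker0 or the VPN tun interface)
#   $2 - outside interface the traffic leaves through
#   $3 - inside address range in CIDR form
#   $4 - name of the chain to create
# Outputs:  status line on stdout; a diagnostic on stderr when arguments are bad
# Returns:  0 on success, 1 when fewer than four non-empty arguments are given
# Notes:
#   - The FORWARD hooks are *inserted* (-I), so they sit at the top of FORWARD in
#     reverse order of the statements below.
#   - None of the rules checks connection state: the "$2 > $1" hook forwards new
#     connections from the outside interface towards $3, not only replies.
#   - Sets the globals ii, oo, ipr and cn (the script is plain POSIX sh).
#######################################
create_block() {
  # An interface lookup that came back empty would otherwise shift the remaining
  # arguments one position to the left and build nonsensical rules.
  if [ "$#" -ne 4 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
    printf '%s\n' "[IpTables] create_block: expected 4 non-empty arguments (in_if out_if cidr chain), got: $*" >&2
    return 1
  fi
  ii=$1
  oo=$2
  ipr=$3
  cn=$4
  #Create chain
  iptables -N "$cn"
  #Allow internal interaction within $ii
  iptables -I FORWARD -i "$ii" -o "$ii" -s "$ipr" -d "$ipr" -j "$cn" -m comment --comment "Accept FORWARD $ii > $ii"
  #Allow forward OUT
  iptables -I FORWARD -i "$ii" -o "$oo" -s "$ipr" -j "$cn" -m comment --comment "Accept FORWARD $ii > $oo"
  #Allow forward back IN
  iptables -I FORWARD -i "$oo" -o "$ii" -d "$ipr" -j "$cn" -m comment --comment "Accept FORWARD $oo > $ii"
  #Allow trafic IN
  iptables -A "$cn" -d "$ipr" -j ACCEPT -m comment --comment "IN : ALL $cn"
  #Allow trafic OUT
  iptables -A "$cn" -s "$ipr" -j ACCEPT -m comment --comment "OUT : ALL $cn"
  # No "-o $oo": traffic from $ipr to any destination outside $ipr is masqueraded,
  # whichever interface it leaves through.
  iptables -t nat -A POSTROUTING -s "$ipr" ! -d "$ipr" -j MASQUERADE -m comment --comment "POSTROUTING nat $cn"
  # Safety net only: every FORWARD hook above already matches -s or -d $ipr,
  # so the two ACCEPT rules catch everything that enters this chain.
  iptables -A "$cn" -j REJECT
  echo "[IpTables] $cn [OK]"
}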
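#
# OPENVPN & DOCKER rules
#
#######################################
# Print the name of the interface that carries the given IPv4 address.
# Arguments: $1 - IPv4 address (no prefix length)
# Outputs:   interface name on stdout; nothing when no interface has the address
# Returns:   0 if an interface was found, 1 otherwise
# Replaces the former "netstat -ie | grep -B1 ADDR" scrape, which depended on
# the exact layout of net-tools' output and also matched longer addresses
# (192.168.2.200 when looking for 192.168.2.20).
#######################################
iface_for_addr() {
  _iface=$(ip -o -4 addr show to "$1/32" 2>/dev/null | awk 'NR == 1 { print $2 }')
  [ -n "$_iface" ] || return 1
  printf '%s\n' "$_iface"
}
# Outside interface: the one holding the LAN address.
if ooe=$(iface_for_addr 192.168.2.20); then
  ii="docker0"
  ipr="172.17.0.0/16"
  cn="DOCKER"
  create_block "$ii" "$ooe" "$ipr" "$cn"
  # The VPN interface only exists while OpenVPN is running; skip the block rather
  # than build rules from empty arguments, the rest of the rule set still applies.
  if ii=$(iface_for_addr 10.0.0.1); then
    ipr="10.0.0.0/8"
    cn="OPENVPN"
    create_block "$ii" "$ooe" "$ipr" "$cn"
  else
    echo "[IpTables] no interface carries 10.0.0.1 (OpenVPN down?), OPENVPN forward rules skipped" >&2
  fi
else
  echo "[IpTables] no interface carries 192.168.2.20, DOCKER and OPENVPN forward rules skipped" >&2
fi
#
# Logging FORWARD DROP packets
#
#iptables -N LOGGING
#iptables -A FORWARD -j LOGGING
#iptables -A LOGGING -j LOG --log-prefix "[IpTables] Dropped : " --log-level 4
#iptables -A LOGGING -j DROP
#######################################
# Persist the running rule set of one address family and reload it as a check.
# Arguments: $1 - save command (iptables-save / ip6tables-save)
#            $2 - restore command (iptables-restore / ip6tables-restore)
#            $3 - rules file
#            $4 - label used in the status lines
# Outputs:   status lines on stdout, failures on stderr
# Returns:   0 on success; 1 if saving or reloading failed (on a failed save the
#            previous rules file is put back; on a failed reload the .old copy
#            is kept for inspection)
#######################################
persist_rules() {
  _file=$3
  if [ -f "$_file" ]; then
    mv -- "$_file" "$_file.old"
  fi
  if ! "$1" > "$_file"; then
    echo "[$4] Save FAILED, previous rules file restored" >&2
    if [ -f "$_file.old" ]; then
      mv -- "$_file.old" "$_file"
    fi
    return 1
  fi
  echo "[$4] Save [OK]";
  if ! "$2" < "$_file"; then
    echo "[$4] Restore FAILED, $_file.old kept" >&2
    return 1
  fi
  echo "[$4] Restore [OK]";
  # -f: there is no .old copy on the very first run.
  rm -f -- "$_file.old"
}
persist_rules iptables-save iptables-restore /etc/network/iptables.up.rules IpTables
persist_rules ip6tables-save ip6tables-restore /etc/network/ip6tables.up.rules Ip6Tables
# Enable IPv4 routing for the FORWARD rules above. This is a runtime-only
# setting; it is not persisted across reboots by this script.
if echo 1 > /proc/sys/net/ipv4/ip_forward; then
  echo "[IpTables] Activation du routage: [OK]"
else
  echo "[IpTables] Activation du routage: FAILED (/proc/sys/net/ipv4/ip_forward not writable)" >&2
fi
# Always exit 0 so a hook such as an ifupdown pre-up never blocks the interface;
# failures were reported on stderr above.
exit 0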