#!/bin/sh
# /etc/firewall.sh -- netfilter whitelist for this VPS
#
# CHANGELOG
#
# [2015-12-21 Daan] Basic /etc/firewall.sh configuration
# This configuration is based on the whitelist principle, in contrast to the
# previous configuration, which only dropped packets based on specific rules.
#
# Scope: only /sbin/iptables is driven from this file, i.e. the IPv4 tables.
# Nothing here touches ip6tables, so the whitelist below does not apply to
# IPv6 traffic.

# iptables binary. -w makes every invocation wait for the xtables lock
# instead of failing when another process (fail2ban, docker) holds it.
IPTABLES='/sbin/iptables -w'
# syslog writer used for the started / finished / FAILED messages
LOGGER='/usr/bin/logger'
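# define abort() routine: the EXIT-trap handler armed by `trap 'abort' 0`
# below and disarmed with `trap : 0` once the configuration has completed.
#
# Reports the failure on stderr as well as to syslog, so an admin running
# the script by hand sees it even when logger is unavailable, then exits 1.
# NOTE(review): when this fires part-way through the run, the firewall is
# left in whatever state the failing command produced and fail2ban may
# still be stopped -- the syslog message is the only signal of that.
abort()
{
	# Under set -e, $? at the top of the EXIT trap should be the status of
	# the command that failed; it is reported on stderr only.
	rc=$?
	msg='configuration of netfilter (/etc/firewall.sh) FAILED'
	printf '%s (status %s)\n' "$msg" "$rc" >&2
	printf '%s\n' "$msg" | $LOGGER
	exit 1
}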
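# abort on error: any exit before the trap is disarmed at the bottom of this
# file runs abort() (logs FAILED, exits 1)
trap 'abort' 0
set -e

# log the execution of this file
printf '%s\n' 'configuration of netfilter (/etc/firewall.sh) started' | $LOGGER

# stop fail2ban while the rule set is rebuilt; it is started again at the end
systemctl stop fail2ban.service

# Set the INPUT policy to DROP *before* flushing.  The previous order (flush,
# then policy ACCEPT, then append rules, then a final DROP rule) left the host
# accepting everything between the flush and the last rule, and -- worse --
# left it that way permanently if any command in between failed and abort()
# exited.  With the policy set first, a partial rule list fails closed.  The
# few packets of an existing admin SSH session that arrive before the
# ESTABLISHED rule below is appended are simply retransmitted by TCP.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# flush current config (rules only -- this does not delete chains)
$IPTABLES -F
$IPTABLES -t nat -F

# blacklist ip-addresses that misbehaved in the past
$IPTABLES -A INPUT --source 208.109.106.228 -j DROP

# accept icmp traffic
$IPTABLES -A INPUT -p icmp -j ACCEPT
# allow existing connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept local connections
$IPTABLES -A INPUT -i lo -j ACCEPT

# [2016-03-09 Daan] allow mysql connections from docker interface
$IPTABLES -A INPUT -i docker0 -p tcp --dport mysql -m state --state NEW -j ACCEPT

# allow new connections on running services (service names resolve via
# /etc/services; numeric ports are used where no name exists)
$IPTABLES -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport smtp -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport http-alt -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport https -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport afpovertcp -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp --dport openvpn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport munin -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 4242 -m state --state NEW -j ACCEPT # quasselcore
# [2016-02-11 Daan] gitlab worker
$IPTABLES -A INPUT -p tcp --dport 5000 -m state --state NEW -j ACCEPT
# [2016-04-08 Daan] rules for mosh
$IPTABLES -A INPUT -p udp --match multiport --dports 60000:61000 -m state --state NEW -j ACCEPT
# [2017-01-21 Daan] allow trusted servers to monitor this machine
# (port 9100 is reachable from these sources only; keep this list minimal)
$IPTABLES -A INPUT --source 136.243.176.118 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT --source 192.168.99.0/24 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
# [2018-06-31 Daan] wireguard
$IPTABLES -A INPUT -p udp --dport 51820 -j ACCEPT

# do not allow other traffic (explicit rule in addition to the DROP policy
# above, so the behaviour does not depend on the policy alone)
$IPTABLES -A INPUT -j DROP

# do not allow random traffic to the Hetzner network
$IPTABLES -A OUTPUT -o eth0 -d 10.0.0.0/24 -j ACCEPT # but allow KN-related traffic
$IPTABLES -A OUTPUT -o eth0 -d 10.8.0.0/24 -j ACCEPT # and also allow VPN traffic
$IPTABLES -A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP

# restart fail2ban (re-inserts its own rules in front of the ones above)
systemctl start fail2ban.service
# reload docker so it re-creates the nat/FORWARD rules the flush removed
systemctl reload-or-restart docker.service

# log the finished state
printf '%s\n' 'configuration of netfilter (/etc/firewall.sh) finished' | $LOGGER

# disarm the EXIT trap so the successful exit does not run abort()
trap : 0
exit 0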