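#!/bin/bash
# Reconfigure ufw so that HTTP/HTTPS are reachable only from the address ranges
# listed in IP_FILE, keep SSH open, and (optionally) replace firewalld with ufw.
# Run as root from the directory that holds IP_FILE.

# Ensure the script is executed with root privileges: ufw, the package managers
# and the in-place edit of /etc/ufw/before.rules further down all require them.
if [ "$(id -u)" -ne 0 ]; then
  printf 'Error: Please run with root privileges (sudo %s)\n' "$0" >&2
  exit 1
fi

# Configuration variables. Both names are relative to the current working
# directory, so running the script from another directory reads a different
# allow-list. readonly: nothing later in the script may repoint them.
readonly IP_FILE="ips.txt"
readonly BACKUP_FILE="ufw_backup.txt"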
# Function to detect firewall backend
# Considers nftables, iptables, iptables-nft variants
detect_backend() {
  # Candidates are probed in priority order. A backend only counts as present
  # when its binary exists AND a read-only listing succeeds, so an installed
  # but unusable tool (e.g. insufficient privileges) does not match.
  local label
  local -a probe
  for label in nftables iptables-nft iptables; do
    case "$label" in
      nftables)     probe=(nft list tables) ;;
      iptables-nft) probe=(iptables-nft -L) ;;
      iptables)     probe=(iptables -L) ;;
    esac
    if command -v "${probe[0]}" > /dev/null 2>&1 && "${probe[@]}" > /dev/null 2>&1; then
      printf '%s\n' "$label"
      return 0
    fi
  done
  # Nothing usable was found.
  printf '%s\n' "unknown"
}
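# Function to detect firewall frontend
# Provides guidance if firewalld is found
detect_frontend() {
  # Check active services first. systemctl is only consulted when it exists:
  # on hosts without systemd the bare call would print "command not found" on
  # stderr and be indistinguishable from a genuine "not active". Its stderr is
  # silenced for the same reason (it complains when systemd is not the init).
  if command -v systemctl &> /dev/null; then
    if systemctl is-active --quiet firewalld 2> /dev/null; then
      echo "firewalld (active)"
      return
    elif systemctl is-active --quiet ufw 2> /dev/null; then
      echo "ufw (active)"
      return
    fi
  fi
  # Check for inactive but installed frontends (firewalld wins if both exist)
  if command -v firewalld &> /dev/null; then
    echo "firewalld (inactive)"
    return
  elif command -v ufw &> /dev/null; then
    echo "ufw (inactive)"
    return
  fi
  echo "none"
}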
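# Function to display current firewall status
display_firewall_info() {
  echo "=== Firewall Detection Results ==="
  # Declare and assign separately so a helper's exit status is not masked by
  # "local" (both helpers currently end in echo and return 0, but the split
  # form is the one that keeps working if that changes).
  local backend frontend
  backend=$(detect_backend)
  frontend=$(detect_frontend)
  echo "Backend: $backend"
  echo "Frontend: $frontend"
  # Special message if firewalld is present; the glob matches both the
  # "(active)" and the "(inactive)" label produced by detect_frontend.
  if [[ $frontend == *"firewalld"* ]]; then
    echo "Note: This script is designed to work with ufw, not firewalld."
    echo "It's recommended to use ufw instead for this configuration."
  fi
  echo "=================================="
  echo
}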
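# Function to backup current UFW rules
# Globals: BACKUP_FILE (read) - path the listing is written to
backup_ufw_rules() {
  echo "Backing up current UFW rules to $BACKUP_FILE..."
  # "ufw status numbered" is the human-readable listing, not a format ufw can
  # re-import: restoring from it means re-entering the listed rules by hand.
  # The file is created with the caller's umask at $BACKUP_FILE (a relative
  # name by default, i.e. in the current working directory).
  if ufw status numbered > "$BACKUP_FILE" 2> /dev/null; then
    echo "Backup completed successfully."
  else
    # Deliberately best effort: a missing or inactive ufw must not stop the run.
    echo "Warning: Failed to create backup. Proceeding anyway..."
  fi
}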
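# Function to remove firewalld
# Exits 1 when no known package manager is found or the removal fails.
remove_firewalld() {
  echo "Starting firewalld removal process..."
  # Stop firewalld if it's running. From this point until configure_ufw
  # enables ufw the host runs without an active firewall, so callers should
  # proceed to the ufw configuration without pausing.
  if systemctl is-active --quiet firewalld; then
    echo "Stopping firewalld service..."
    systemctl stop firewalld
    systemctl disable firewalld
  fi
  # Remove firewalld based on package manager. The exit status of the removal
  # is checked: otherwise a failed purge would still be reported as success
  # and ufw would then be configured beside a still-installed firewalld.
  local purge_status=1
  if command -v apt-get &> /dev/null; then
    echo "Removing firewalld using apt-get..."
    apt-get purge -y firewalld
    purge_status=$?
    # Best effort: leftover dependencies are not a functional problem.
    apt-get autoremove -y
  elif command -v dnf &> /dev/null; then
    echo "Removing firewalld using dnf..."
    dnf remove -y firewalld
    purge_status=$?
  elif command -v yum &> /dev/null; then
    echo "Removing firewalld using yum..."
    yum remove -y firewalld
    purge_status=$?
  else
    echo "Error: Could not determine package manager to remove firewalld." >&2
    exit 1
  fi
  if [ "$purge_status" -ne 0 ]; then
    echo "Error: firewalld removal failed (exit status $purge_status); not continuing." >&2
    exit 1
  fi
  echo "firewalld has been removed successfully."
}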
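# Function to configure UFW rules
# Globals: IP_FILE (read) - one IPv4/IPv6 address or CIDR per line,
#          BACKUP_FILE (read, via backup_ufw_rules)
# Exits 1 on a missing package manager, missing IP file or malformed entry;
# exits 0 when the user declines the confirmation prompt.
configure_ufw() {
  # Check if UFW is available, install if not
  if ! command -v ufw &> /dev/null; then
    echo "ufw is not installed. Installing ufw..."
    if command -v apt-get &> /dev/null; then
      apt-get update
      apt-get install -y ufw
    elif command -v dnf &> /dev/null; then
      # NOTE(review): on RHEL-family systems ufw normally comes from an extra
      # repository (EPEL); confirm it is enabled before relying on this branch.
      dnf install -y ufw
    elif command -v yum &> /dev/null; then
      yum install -y ufw
    else
      echo "Error: Could not determine package manager to install ufw." >&2
      exit 1
    fi
  fi
  # Check if IP file exists
  if [ ! -f "$IP_FILE" ]; then
    echo "Error: IP file $IP_FILE not found." >&2
    exit 1
  fi
  # Read and validate the allow-list BEFORE the firewall is touched, so a
  # malformed file cannot leave the host half-configured after "ufw reset".
  # Blank lines and '#' comments are skipped; every other entry must look like
  # an IPv4/IPv6 address or CIDR, so that ufw is never handed a stray token it
  # would interpret as a broader source than intended. This is a loose
  # syntactic check only; ufw performs the real validation of each address.
  local -a cidrs=()
  local line cidr lineno=0
  local ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
  local ipv6_re='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$'
  while IFS= read -r line || [ -n "$line" ]; do   # also handles a missing final newline
    lineno=$((lineno + 1))
    cidr=${line%%#*}                 # drop trailing comment
    cidr=${cidr//[[:space:]]/}       # drop surrounding whitespace
    [ -n "$cidr" ] || continue       # skip empty lines
    if [[ $cidr =~ $ipv4_re || $cidr =~ $ipv6_re ]]; then
      cidrs+=("$cidr")
    else
      echo "Error: $IP_FILE line $lineno is not an IP address or CIDR: '$line'" >&2
      exit 1
    fi
  done < "$IP_FILE"
  if [ "${#cidrs[@]}" -eq 0 ]; then
    echo "Warning: $IP_FILE contains no IP ranges; HTTP/HTTPS will be denied for everyone." >&2
  fi
  # Backup existing rules
  backup_ufw_rules
  # Confirmation prompt
  read -r -p "This will reset UFW and reconfigure rules. May cause lockouts. Proceed? (y/n): " confirm
  if [ "$confirm" != "y" ] && [ "$confirm" != "Y" ]; then
    echo "Configuration aborted by user."
    exit 0
  fi
  # Reset and configure UFW. "reset" also disables ufw, so no ufw filtering is
  # in place from here until "enable" below; SSH is re-allowed before that.
  echo "Configuring UFW..."
  ufw --force reset
  ufw default deny incoming
  ufw default allow outgoing
  # Allow SSH access ("ssh" resolves via /etc/services to tcp/22, any source)
  echo "Allowing SSH (port 22)..."
  ufw allow ssh comment "Allow SSH access"
  # Add rules for each validated IP range. ufw evaluates rules in insertion
  # order, so these allows must be added before the catch-all denies below.
  # NOTE(review): IPv6 entries need ufw's IPv6 support enabled (IPV6=yes in
  # /etc/default/ufw, the Ubuntu default) — confirm on non-Ubuntu hosts.
  echo "Adding rules for IP ranges in $IP_FILE..."
  for cidr in "${cidrs[@]}"; do
    ufw allow from "$cidr" to any port 80 proto tcp comment "Allow $cidr to HTTP"
    ufw allow from "$cidr" to any port 443 proto tcp comment "Allow $cidr to HTTPS"
    echo "Added rules for: $cidr"
  done
  # Deny all other HTTP/HTTPS traffic. Redundant with "default deny incoming",
  # but makes the intent visible in "ufw status".
  ufw deny http comment "Deny all other HTTP traffic"
  ufw deny https comment "Deny all other HTTPS traffic"
  # Deny inbound ICMP by flipping ACCEPT to DROP on the ufw-before-input icmp
  # lines. Caveats: this edits the packaged file in place; it affects every
  # ICMP type on those lines (in the stock file that includes
  # destination-unreachable and time-exceeded, so path MTU discovery is hit,
  # not just echo-request); and it only touches the IPv4 file, so IPv6 ICMP
  # behaviour is left as shipped.
  if [ -f /etc/ufw/before.rules ]; then
    sed -i '/ufw-before-input.*icmp/s/ACCEPT/DROP/g' /etc/ufw/before.rules
  else
    echo "Warning: /etc/ufw/before.rules not found; ICMP rules left unchanged." >&2
  fi
  # Enable UFW (loads before.rules together with the rules added above)
  ufw --force enable
  # Reload to apply changes
  ufw reload
  echo "UFW configuration completed successfully."
  echo "Verify rules with: sudo ufw status verbose"
  echo "Backup saved to: $BACKUP_FILE"
}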
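# Main execution flow
main() {
  echo "Starting firewall configuration script..."
  display_firewall_info
  # Check if firewalld exists and handle accordingly. Declaration and
  # assignment are split so "local" does not mask the helper's exit status.
  local frontend confirm
  frontend=$(detect_frontend)
  if [[ $frontend == *"firewalld"* ]]; then
    read -r -p "Firewalld is detected. This script configures ufw. Remove firewalld and continue? (y/n): " confirm
    if [ "$confirm" != "y" ] && [ "$confirm" != "Y" ]; then
      echo "Script aborted."
      exit 0
    else
      # Remove firewalld before proceeding. From here the host has no active
      # firewall until configure_ufw enables ufw; note that configure_ufw can
      # still stop early (missing IP file, or "n" at its own prompt) with
      # firewalld already gone and ufw not yet enabled.
      remove_firewalld
    fi
  fi
  # Proceed with UFW configuration
  configure_ufw
}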
# Entry point: everything above only defines functions; this call runs them.
main "$@"
| 173.245.48.0/20 | |
| 103.21.244.0/22 | |
| 103.22.200.0/22 | |
| 103.31.4.0/22 | |
| 141.101.64.0/18 | |
| 108.162.192.0/18 | |
| 190.93.240.0/20 | |
| 188.114.96.0/20 | |
| 197.234.240.0/22 | |
| 198.41.128.0/17 | |
| 162.158.0.0/15 | |
| 104.16.0.0/13 | |
| 104.24.0.0/14 | |
| 172.64.0.0/13 | |
| 131.0.72.0/22 | |
| 2400:cb00::/32 | |
| 2606:4700::/32 | |
| 2803:f800::/32 | |
| 2405:b500::/32 | |
| 2405:8100::/32 | |
| 2a06:98c0::/29 | |
| 2c0f:f248::/32 |