Skip to content

Instantly share code, notes, and snippets.

@nexus166

nexus166/fwbase.sh

Last active October 24, 2019 14:01
Show Gist options
  • Save nexus166/95bfb90e03e62e09293ca0736028c202 to your computer and use it in GitHub Desktop.
Save nexus166/95bfb90e03e62e09293ca0736028c202 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
fwbase.sh
#!/usr/bin/env bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
V4=$(which iptables)
V6=$(which ip6tables)
[[ $(id -u) -eq 0 ]] || exit 1
_install() {
if [[ ! -e /usr/local/sbin/fwbase.sh ]]; then cat ${0} | tee /usr/local/sbin/fwbase.sh; fi
if [[ ! -e /lib/systemd/system/fwbase.service ]]; then
cat ${0} | tee /usr/local/sbin/fwbase.sh
printf '[Unit]\nDescription=BASE FIREWALL RULES ON BOOT\n' | tee /lib/systemd/system/fwbase.service
if [[ ! -z "$(command -v dockerd)" ]]; then
printf 'Wants=network-pre.target\nAfter=docker.service\n' | tee -a /lib/systemd/system/fwbase.service
else
printf 'Before=network-pre.target\nWants=network-pre.target\nAfter=sysinit.target\n' | tee -a /lib/systemd/system/fwbase.service
fi
printf '[Service]\nType=oneshot\nExecStart=/usr/local/sbin/fwbase.sh\n[Install]\nWantedBy=basic.target\n' | tee -a /lib/systemd/system/fwbase.service
fi
systemctl enable fwbase
}
_reset_all() { ${1} -F; ${1} -Z; ${1} -t nat -F; ${1} -t nat -Z; }
_del_blacklist() { ipset del set blacklist-tmp; ipset del set blacklist; ipset destroy; }
_restore_blacklist() { [[ -f ${1:-"/etc/ipset-blacklist/ip-blacklist.restore"} ]] && ipset restore < ${1:-"/etc/ipset-blacklist/ip-blacklist.restore"}; }
set -x;
#command -v ipset && (_restore_blacklist || (_reset_all iptables; _del_blacklist; _restore_blacklist))
set +x;
#NIC1=$(ip link | sed -e '/state DOWN / { N; d; }' | sed -e '/veth[0-9].*:/ { N; d; }' | sed -e '/vmbr[$
NIC1='eth0'
NIC2='wlan0'
set +x
echo -e '\n\nSETTING IPV4 RULES\n'
for params in \
"-F" "-Z" \
"-t nat -F" "-t nat -Z" \
"-P INPUT DROP" "-P FORWARD DROP" "-P OUTPUT ACCEPT" \
\
"-A INPUT -i lo -j ACCEPT" \
"-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
"-A INPUT -m conntrack --ctstate INVALID -j DROP" \
"-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP" \
"-A INPUT -m addrtype --dst-type BROADCAST -j DROP" \
"-A INPUT -m addrtype --dst-type MULTICAST -j DROP" \
"-A INPUT -m addrtype --dst-type ANYCAST -j DROP" \
"-A INPUT -d 224.0.0.0/4 -j DROP" \
\
"-N ICMPFLOOD" \
"-A ICMPFLOOD -m recent --set --name ICMP --rsource" \
"-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix 'iptables[ICMP-flood]: '" \
"-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP" \
"-A ICMPFLOOD -j ACCEPT" \
"-A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT" \
"-A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT" \
"-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD" \
"-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT";
do
echo -en "\n\tAPPLY\t|\t$V4 $params\n" && sh -c "$V4 $params" 2>/dev/null
done
echo -e '\n\nCURRENT IPv4 RULES'
iptables -S
echo
iptables -S -t nat
echo -e '\n\nSETTING IPV6 RULES\n'
for params in \
"-F" "-Z" \
"-t nat -F" "-t nat -Z" \
"-P INPUT DROP" "-P FORWARD DROP" "-P OUTPUT ACCEPT" \
\
"-A INPUT -i lo -j ACCEPT" \
"-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
"-A INPUT -m conntrack --ctstate INVALID -j DROP" \
"-A INPUT -s ::1/128 ! -i lo -j DROP" \
\
"-N ICMPFLOOD" \
"-A ICMPFLOOD -m recent --set --name ICMP --rsource" \
"-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix 'ip6tables[ICMP-flood]: '" \
"-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP" \
"-A ICMPFLOOD -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT" \
"-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT" \
"-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT" \
"-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT" \
"-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT" \
"-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT" \
"-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT" \
"-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT" \
"-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD" \
"-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix 'ip6tables[DOS]: '" \
"-A INPUT -d fe80::/64 -p udp -m conntrack --ctstate NEW -m udp --dport 546 -j ACCEPT";
do
echo -en "\n\tAPPLY\t|\t$V6 $params\n" && sh -c "$V6 $params"
done
echo -e '\n\nCURRENT IPv6 RULES'
ip6tables -S
echo
ip6tables -S -t nat
#command -v dockerd && systemctl restart docker
systemctl status fwbase
[[ $? -gt 3 ]] && _install
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment