A simple iptables script that works well with iptables-persistent (but does not validate the rules it applies)
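#!/usr/bin/env bash
# Simple script to manage iptables rules before switching to nftables.
#
# Deliberately NOT run with `set -e`: aborting halfway would leave the firewall
# half-configured (policies already DROP, ACCEPT rules not yet installed), which
# is worse than continuing past one failed rule. `set -x` traces every command
# instead so failures are visible in the output.
#
# Custom rule scripts (*.sh) placed in /etc/iptables.d are executed as root, in
# sorted order, after the base rules and before the end-of-chain LOG rules.
set -x

readonly CUSTOM_RULES="/etc/iptables.d"
# Create this file to disable the automatic anti-lockout rule for tcp/22.
readonly DISABLE_SSH_RULE="/etc/firewall-disable-auto-ssh"
# Directory consumed by iptables-persistent (rules.v4 / rules.v6).
readonly RULES_DIR="/etc/iptables"

#######################################
# Print a diagnostic line to stderr.
# Arguments: message words
#######################################
warn() {
  printf 'warn: %s\n' "$*" >&2
}

#######################################
# Reset every table of one backend and install the base policy and rules.
# Arguments: $1 - path to the iptables or ip6tables binary
# Globals:   DISABLE_SSH_RULE (read)
#######################################
apply_base_rules() {
  local ipt=$1
  local table
  # RESET rules & all tables (filter, then nat, then mangle)
  "$ipt" -F
  "$ipt" -X
  for table in nat mangle; do
    "$ipt" -t "$table" -F
    "$ipt" -t "$table" -X
  done
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD DROP
  "$ipt" -P OUTPUT ACCEPT
  # INPUT BASE
  "$ipt" -A INPUT -i lo -j ACCEPT
  "$ipt" -A INPUT -p tcp ! --syn -m state --state NEW,INVALID -j REJECT
  "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # anti-lockout rule if not disabled
  if [[ ! -f "$DISABLE_SSH_RULE" ]]; then
    "$ipt" -A INPUT -p tcp --dport 22 -j ACCEPT
  fi
  # OUTPUT BASE
  "$ipt" -A OUTPUT -p icmp -j ACCEPT
  "$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# Run every *.sh under CUSTOM_RULES in sorted order, creating the directory
# when it does not exist yet. The scripts run as root, so world-writable
# scripts are reported and skipped instead of executed; with the default
# INPUT/FORWARD policy of DROP, skipping a script fails closed.
# Globals:   CUSTOM_RULES (read)
# Returns:   0 normally, 1 if the directory cannot be entered
#######################################
run_custom_rules() {
  local f
  if [[ ! -d "$CUSTOM_RULES" ]]; then
    mkdir -p -- "$CUSTOM_RULES"
    return 0
  fi
  if [[ -n "$(find "$CUSTOM_RULES" -maxdepth 0 -perm -o+w)" ]]; then
    warn "$CUSTOM_RULES is world-writable; anyone can add rules executed as root"
  fi
  while IFS= read -r -d '' f; do
    warn "skipping world-writable rule script: $f"
  done < <(find "$CUSTOM_RULES" -type f -iname '*.sh' -perm -o+w -print0)
  pushd "$CUSTOM_RULES" || return 1
  # The file list is fed on fd 3 so a custom script that reads stdin does not
  # consume the remaining file names. -print0/-z keep odd file names intact;
  # `sort -n` is kept for the same ordering as before.
  while IFS= read -r -d '' -u 3 f; do
    bash -x "$f"
  done 3< <(find "$CUSTOM_RULES" -type f -iname '*.sh' ! -perm -o+w -print0 | sort -z -n)
  popd
}

#######################################
# Append a rate-limited LOG rule at the end of INPUT and FORWARD.
# Arguments: $1 - path to the iptables or ip6tables binary
#######################################
add_end_chain_logs() {
  local ipt=$1
  local chain
  for chain in INPUT FORWARD; do
    "$ipt" -A "$chain" -m limit --limit 5/m --limit-burst 15 -j LOG \
      --log-prefix "IPTABLES END ${chain}: " --log-level 4
  done
}

#######################################
# Count the lines of `-nL FORWARD` that are not LOG rules. The listing has
# two header lines, so a result above 2 means at least one real rule.
# Arguments: $1 - path to the iptables or ip6tables binary
# Outputs:   the count to stdout
#######################################
forward_line_count() {
  "$1" -nL FORWARD | grep -c -v '^LOG'
}

#######################################
# Enable net.ipv4.ip_forward persistently when any backend has a FORWARD rule.
# NOTE(review): only the IPv4 sysctl is touched even when the trigger is an
# ip6tables rule, as in the original script — confirm whether that is intended.
# Arguments: backend binaries
#######################################
maybe_enable_ip_forward() {
  local ipt
  for ipt in "$@"; do
    if [[ "$(forward_line_count "$ipt")" -gt 2 ]]; then
      if ! grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf; then
        printf '%s\n' 'net.ipv4.ip_forward=1' | tee -a /etc/sysctl.conf
        sysctl -p /etc/sysctl.conf
      fi
      return 0
    fi
  done
}

#######################################
# Dump the live rule sets into RULES_DIR for iptables-persistent, if present.
# Globals:   RULES_DIR (read)
#######################################
save_rules() {
  local saver
  [[ -d "$RULES_DIR" ]] || return 0
  if saver=$(command -v ip6tables-save); then
    "$saver" | tee "$RULES_DIR/rules.v6"
  else
    warn "ip6tables-save not found; $RULES_DIR/rules.v6 not updated"
  fi
  if saver=$(command -v iptables-save); then
    "$saver" | tee "$RULES_DIR/rules.v4"
  else
    warn "iptables-save not found; $RULES_DIR/rules.v4 not updated"
  fi
}

#######################################
# Entry point: base rules for every available backend, IPv4 extras, custom
# scripts, end-of-chain logging, forwarding sysctl, then persist.
# Arguments: ignored
#######################################
main() {
  if [[ "$(id -u)" -ne 0 ]]; then
    printf 'Re-run %s as root\n' "$0" >&2
    exit 1
  fi
  local ipt4 ipt6 ipt
  local -a backends=()
  ipt4=$(command -v iptables) || warn "iptables not found; IPv4 rules skipped"
  ipt6=$(command -v ip6tables) || warn "ip6tables not found; IPv6 rules skipped"
  for ipt in "$ipt4" "$ipt6"; do
    [[ -n "$ipt" ]] && backends+=("$ipt")
  done
  if (( ${#backends[@]} == 0 )); then
    warn "no iptables backend found; nothing to do"
    exit 1
  fi
  # common ipt4 ipt6
  for ipt in "${backends[@]}"; do
    apply_base_rules "$ipt"
  done
  # IPv4 specific stuff: allow incoming echo-request
  if [[ -n "$ipt4" ]]; then
    "$ipt4" -A INPUT -p icmp --icmp-type 8 -j ACCEPT
  fi
  # GENERATED config
  run_custom_rules
  # Add end chain logs
  for ipt in "${backends[@]}"; do
    add_end_chain_logs "$ipt"
  done
  # dynamically enable ip_forward
  maybe_enable_ip_forward "${backends[@]}"
  # save iptables rules
  save_rules
}

main "$@"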