Last active
December 16, 2015 23:58
-
-
Save tzengerink/5517072 to your computer and use it in GitHub Desktop.
Bash script for setting up your firewall. It supports whitelisting and blacklisting.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash -e | |
| # | |
| # IPTABLES FIREWALL | |
| # ----------------- | |
| # Script for setting your iptables firewall. Configure the variables to your | |
| # liking and start the firewall. Copy the file to `/usr/local/sbin` or the | |
| # directory of your choice. | |
| # | |
| # Usage: `./firewall.sh [restart|start|stop|status]` | |
| # | |
| # Copyright (c) 2013 T. Zengerink | |
| # Licensed under MIT License. | |
| # See: https://gist.github.com/raw/3151357/6806e68cb9cc0042b265f25be9bc25dd39f75267/LICENSE.md | |
| ## IP/SUBNET CONFIGURATION | |
| # | |
| BROADCAST=( 255.255.255.255 ) | |
| ## WHITE-/BLACKLISTING | |
| # | |
| WHITELIST=( 192.168.1.0/24 ) | |
| BLACKLIST=() | |
| ## PORT CONFIGURATION | |
| # | |
| WHITELIST_OPEN_TCP=() | |
| WHITELIST_OPEN_UDP=() | |
| OPEN_TCP=() | |
| OPEN_UDP=() | |
| ## IP TABLES CONFIGURATION | |
| # | |
| IPT="$(which iptables)" | |
| RULES="/etc/iptables/iptables.rules" | |
| ## FLUSH FIREWALL SETTINGS | |
| # | |
| flush_firewall(){ | |
| $IPT -F | |
| $IPT -X | |
| } | |
| ## SAVE FIREWALL SETTINGS | |
| # Your Linux distribution might handle these commands differently. | |
| # | |
| save_firewall(){ | |
| iptables-save > $RULES | |
| systemctl reload iptables | |
| } | |
| ## SHOW FIREWALL STATUS | |
| # | |
| status_firewall(){ | |
| $IPT -vnL | |
| } | |
| ## STOP FIREWALL | |
| # | |
| stop_firewall(){ | |
| $IPT -P INPUT ACCEPT | |
| $IPT -P FORWARD ACCEPT | |
| $IPT -P OUTPUT ACCEPT | |
| } | |
| ## START FIREWALL | |
| # | |
| start_firewall(){ | |
| $IPT -N LOGDROP | |
| $IPT -N TCP | |
| $IPT -N UDP | |
| $IPT -P FORWARD DROP | |
| $IPT -P OUTPUT ACCEPT | |
| $IPT -P INPUT DROP | |
| # Logdrop | |
| $IPT -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG | |
| $IPT -A LOGDROP -j DROP | |
| # Initial setup | |
| $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| $IPT -A INPUT -i lo -j ACCEPT | |
| $IPT -A INPUT -m conntrack --ctstate INVALID -j LOGDROP | |
| $IPT -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT | |
| # Block all broadcast packets | |
| for SRC in "${BROADCAST[@]}"; do | |
| $IPT -A INPUT -s $SRC -j DROP | |
| $IPT -A INPUT -d $SRC -j DROP | |
| done | |
| # Log and drop all traffic from blacklisted sources | |
| for SRC in "${BLACKLIST[@]}"; do | |
| $IPT -A INPUT -s $SRC -j LOGDROP | |
| $IPT -A INPUT -d $SRC -j LOGDROP | |
| done | |
| # Send new TCP / UDP connections through their own chain | |
| $IPT -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
| $IPT -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
| # Accept all traffic from whitelisted sources | |
| for SRC in "${WHITELIST[@]}"; do | |
| for PORT in "${WHITELIST_OPEN_TCP[@]}"; do | |
| $IPT -A TCP -p tcp -s $SRC --dport $PORT -j ACCEPT | |
| done | |
| for PORT in $WHITELIST_OPEN_UDP; do | |
| $IPT -A UDP -p udp -s $SRC --dport $PORT -j ACCEPT | |
| done | |
| done | |
| # Accept all traffic on open ports | |
| for PORT in "${OPEN_TCP[@]}"; do | |
| $IPT -A TCP -p tcp --dport $PORT -j ACCEPT | |
| done | |
| for PORT in "${OPEN_UDP[@]}"; do | |
| $IPT -A UDP -p udp --dport $PORT -j ACCEPT | |
| done | |
| } | |
| ## EXECUTE SCRIPT | |
| # | |
| case "$1" in | |
| start|restart) | |
| flush_firewall | |
| start_firewall | |
| save_firewall | |
| ;; | |
| status) | |
| status_firewall | |
| ;; | |
| stop) | |
| flush_firewall | |
| stop_firewall | |
| save_firewall | |
| ;; | |
| *) | |
| echo -e "Usage $0 [restart|start|stop|status]" | |
| exit 1 | |
| esac | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment