Updated rc.firewall* scripts.
This commit is contained in:
parent
cce10e6f5c
commit
421d14a4c2
5 changed files with 109 additions and 403 deletions
|
|
@ -4,14 +4,16 @@
|
|||
EX_IF="eth0"
|
||||
|
||||
# IP addresses.
|
||||
PRIMARYIP="216.119.155.FIXME"
|
||||
PRIMARYIP6="2a02:2498:e004:2a::FIXME"
|
||||
FLOATINGIP="216.119.155.FIXME"
|
||||
FLOATINGIP6="2a02:2498:e004:2a::FIXME"
|
||||
PRIMARYIP=""
|
||||
PRIMARYIP6=""
|
||||
FLOATINGIP=""
|
||||
FLOATINGIP6=""
|
||||
|
||||
# The IP ranges from where to accept unfiltered connections.
|
||||
UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
|
||||
UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
|
||||
# The IP ranges from where to accept unfiltered connections
|
||||
# |-- UK Servers --| |---------------------------------- UK2 -----------------------------------| |-- Linode ---| |- L'Servers --| |----- Home -----|
|
||||
UNFILTERED_RANGES_V4=('5.101.171.210/28' '91.109.244.7' '91.109.244.8' '91.109.244.9' '91.109.244.10' '91.109.244.11' '88.80.191.137' '185.176.90.169' 'afterdark.org.uk')
|
||||
# |---- UK Servers -----| |------- UK2 --------| |----------- Linode -----------| |---- LoveServers -----|
|
||||
UNFILTERED_RANGES_V6=('2a01:a500:2981:1::/64' '2a02:2498:1:227::/64' '2a01:7e00::f03c:93ff:fe86:afae' '2a07:4580:b0d:57f::169')
|
||||
|
||||
|
||||
start_firewall() {
|
||||
|
|
@ -45,20 +47,34 @@ start_firewall() {
|
|||
# Drop unroutable IPs on the external interface.
|
||||
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
|
||||
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
|
||||
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
|
||||
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
|
||||
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
|
||||
|
||||
# Allow local nets if our IP is in the same range.
|
||||
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1)" == "10" ]]; then
|
||||
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j ACCEPT
|
||||
else
|
||||
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
|
||||
fi
|
||||
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "172.16" ]]; then
|
||||
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j ACCEPT
|
||||
else
|
||||
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
|
||||
fi
|
||||
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "192.168" ]]; then
|
||||
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j ACCEPT
|
||||
else
|
||||
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
|
||||
fi
|
||||
|
||||
# Allow all loopback traffic.
|
||||
iptables -A INPUT -i lo -j ACCEPT
|
||||
ip6tables -A INPUT -i lo -j ACCEPT
|
||||
|
||||
# Allow unrestricted access from our IPs.
|
||||
for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
|
||||
iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
|
||||
for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
|
||||
iptables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
|
||||
done
|
||||
for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
|
||||
ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
|
||||
for ENTRY in "${UNFILTERED_RANGES_V6[@]}"; do
|
||||
ip6tables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
|
||||
done
|
||||
|
||||
# Allow packets of established connections and those related to them.
|
||||
|
|
@ -86,12 +102,6 @@ start_firewall() {
|
|||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Service: DNS.
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Service: HTTP{,S}.
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
|
@ -112,10 +122,6 @@ start_firewall() {
|
|||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Service: SMTP and submission.
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Service: IMAP{,S}.
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
|
@ -124,16 +130,6 @@ start_firewall() {
|
|||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Service: Bittorrent.
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Set default policies.
|
||||
iptables -P INPUT DROP
|
||||
ip6tables -P INPUT DROP
|
||||
|
|
@ -184,10 +180,16 @@ case "$1" in
|
|||
;;
|
||||
'restart')
|
||||
stop_firewall
|
||||
sleep 0.5
|
||||
start_firewall
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
|
||||
ERR=1
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# Restart fail2ban to re-create the ban chains.
|
||||
[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
|
||||
|
||||
exit 0
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue