Added rc.firewall-float.
This commit is contained in:
parent
a76db920e0
commit
819608fe97
1 changed files with 143 additions and 0 deletions
143
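--- a/sample-rc.d/rc.firewall-float
+++ b/sample-rc.d/rc.firewall-float
@@ -0,0 +1,143 @@
+#!/bin/bash
+
+# The name of the main external interface.
+EX_IF="eth0"
+# The name of the VM-Private network interface.
+PRI_IF="eth1"
+
+# IP addresses
+PRIMARYIP="91.109.244.FIXME"
+PRIMARYIP6="2a02:2498:1:227::FIXME"
+FLOATINGIP="91.109.244.FIXME"
+FLOATINGIP6="2a02:2498:1:227::FIXME"
+
+# Disable ICMP redirects.
+# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+# the sending host that it should forward subsequent packets to that same destination through a different gateway.
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+
+# Flush old rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+
+# Drop invalid packets on all interfaces.
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Drop unroutable IPs on the external interface.
+iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+
+# Allow all loopback traffic.
+iptables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -i lo -j ACCEPT
+
+# Allow all VM-Private network traffic.
+iptables -A INPUT -i "$PRI_IF" -j ACCEPT
+ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
+
+# Allow unrestricted access from our IPs.
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.78-91.109.244.79 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.239-91.109.244.243 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -s 2a02:2498:1:227::/64 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -s 185.176.90.169 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -s 2a07:4580:b0d:57f::/64 -j ACCEPT
+
+# Allow packets of established connections and those related to them.
+iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# Allow pings, but ratelimited.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+
+# Allow certain types of ICMP informational packets.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+
+# Always allow SSH.
+# Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
+# set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: DNS.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: HTTP{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: FTP{,S}.
+# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
+# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
+# modprobe nf_conntrack_ftp
+echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: rsync.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: SMTP and submission.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: IMAP{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: POP3{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: Bittorrent.
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+
+# Set default policies.
+iptables -P INPUT DROP
+ip6tables -P INPUT DROP
+iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+iptables -P FORWARD DROP
+ip6tables -P FORWARD DROP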
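Review bot: The IPv6 side never accepts neighbour discovery on `$EX_IF` — the ICMPv6 block only allows echo, destination-unreachable, time-exceeded, parameter-problem and packet-too-big, and as far as I know conntrack leaves NDP untracked, so the ESTABLISHED,RELATED rule does not cover it and once `ip6tables -P INPUT DROP` is set the on-link router's neighbour solicitations are dropped as soon as its neighbour-cache entry expires, silently breaking IPv6 reachability. Next to the other ICMPv6 informational rules add `ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT` and `ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT` (plus router-advertisement if the addresses are not statically configured). Separately, because `-P INPUT DROP` persists from a previous run, the `iptables -F`/`ip6tables -F` at the top leaves the host with an empty DROP chain until the ESTABLISHED,RELATED rule is re-appended, so every re-run stalls the operator's own SSH session for the duration; loading the ruleset atomically via `iptables-restore`/`ip6tables-restore` removes that window. Since the script has no error handling, a rule that fails to parse while the addresses still read `FIXME` is skipped but the DROP policies still apply, so a guard such as `[[ "$PRIMARYIP$PRIMARYIP6$FLOATINGIP$FLOATINGIP6" != *FIXME* ]] || exit 1` before the first flush would fail safely instead.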