108 lines
3.2 KiB
Bash
Executable file
108 lines
3.2 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# The name of the main external interface.
|
|
EX_IF="enp11s0"
|
|
|
|
|
|
start_firewall() {
|
|
# Flush old rules.
|
|
iptables -F
|
|
ip6tables -F
|
|
iptables -t nat -F
|
|
ip6tables -t nat -F
|
|
iptables -t mangle -F
|
|
ip6tables -t mangle -F
|
|
|
|
# Delete any custom chains.
|
|
iptables -X
|
|
ip6tables -X
|
|
iptables -t nat -X
|
|
ip6tables -t nat -X
|
|
iptables -t mangle -X
|
|
ip6tables -t mangle -X
|
|
|
|
# Allow all loopback traffic.
|
|
iptables -A INPUT -i lo -j ACCEPT
|
|
ip6tables -A INPUT -i lo -j ACCEPT
|
|
|
|
# Drop invalid packets on all interfaces.
|
|
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
|
# Allow packets of established connections and those related to them.
|
|
iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# Allow pings.
|
|
iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
|
|
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
|
|
|
|
# Allow certain types of ICMP informational packets.
|
|
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
|
|
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
|
|
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
|
|
|
|
# Allow SSH.
|
|
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
|
|
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
|
|
|
|
# Set default policies.
|
|
iptables -P INPUT DROP
|
|
ip6tables -P INPUT DROP
|
|
iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
|
|
ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
|
|
iptables -P FORWARD DROP
|
|
ip6tables -P FORWARD DROP
|
|
}
|
|
|
|
stop_firewall() {
|
|
# Set default policies to ACCEPT.
|
|
iptables -P INPUT ACCEPT
|
|
ip6tables -P INPUT ACCEPT
|
|
iptables -P OUTPUT ACCEPT
|
|
ip6tables -P OUTPUT ACCEPT
|
|
iptables -P FORWARD ACCEPT
|
|
ip6tables -P FORWARD ACCEPT
|
|
|
|
# Flush rules.
|
|
iptables -F
|
|
ip6tables -F
|
|
iptables -t nat -F
|
|
ip6tables -t nat -F
|
|
iptables -t mangle -F
|
|
ip6tables -t mangle -F
|
|
|
|
# Delete any custom chains.
|
|
iptables -X
|
|
ip6tables -X
|
|
iptables -t nat -X
|
|
ip6tables -t nat -X
|
|
iptables -t mangle -X
|
|
ip6tables -t mangle -X
|
|
}
|
|
|
|
|
|
case "$1" in
|
|
'start')
|
|
start_firewall
|
|
;;
|
|
'stop')
|
|
stop_firewall
|
|
;;
|
|
'restart')
|
|
stop_firewall
|
|
start_firewall
|
|
;;
|
|
*)
|
|
echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
|
|
ERR=1
|
|
;;
|
|
esac
|