path: root/Bash/iptables-whiteblacklisting.sh
#!/bin/bash
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
# IPTables port whitelisting-/blacklisting     [Thomas Lange <tl@nerdmind.de>] #
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
#                                                                              #
# This script configures your firewall with whitelisting or blacklisting rules #
# and is compatible with IPv4 and IPv6. If you do not have IPv6, comment out   #
# all lines that contain "${IPTABLES_V6}". If you want to add additional       #
# rules then you can do that at the end of the script. This makes sense if you #
# want to allow or disallow internal network traffic, e.g. from a gateway.     #
#                                                                              #
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#

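#===============================================================================
# Set whitelisting or blacklisting mode
#===============================================================================
# MODE selects which chain is built further down: WHITELISTING accepts only the
# listed ports and sets the INPUT policy to DROP, BLACKLISTING rejects only the
# listed ports and leaves the INPUT policy at ACCEPT. Any other value is refused
# right here, before the INPUT chain is flushed below, so that a typo cannot
# leave the host with an ACCEPT policy and no filtering chain at all.
MODE='WHITELISTING' # This can only be "WHITELISTING" or "BLACKLISTING"
case "${MODE}" in
	WHITELISTING|BLACKLISTING) ;;
	*)
		printf 'Error: MODE must be "WHITELISTING" or "BLACKLISTING", got "%s"\n' "${MODE}" >&2
		exit 1
		;;
esac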

#===============================================================================
# Whitelisting matching rules: <protocol>:<port>
#===============================================================================
# Only used when MODE is WHITELISTING. Each entry becomes one ACCEPT rule in the
# whitelist chain: the text before the first ":" is passed as --protocol, the
# text after the last ":" as --destination-port. Everything not listed here is
# dropped in that mode.
declare -a WHITELISTING=(
	'tcp:22'  # SSH
	'tcp:53'  # DNS over TCP
	'udp:53'  # DNS over UDP
	'tcp:80'  # HTTP
	'tcp:443' # HTTPS
)

#===============================================================================
# Blacklisting matching rules: <protocol>:<port>
#===============================================================================
# Only used when MODE is BLACKLISTING. Same "<protocol>:<port>" format as the
# whitelist; each entry becomes one REJECT rule in the blacklist chain. Empty by
# default, which in that mode means nothing is blocked.
declare -a BLACKLISTING=()

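#===============================================================================
# Define IPTables commands for IPv4 and IPv6
#===============================================================================
# Resolved with the shell builtin "command -v" instead of an external "which":
# the builtin is portable and reliably returns non-zero when the binary is not
# in PATH. A missing binary only produces a warning here; the variable is then
# empty and every later call through it fails visibly with "command not found".
IPTABLES_V4=$(command -v iptables)  || printf 'Warning: iptables not found in PATH\n'  >&2
IPTABLES_V6=$(command -v ip6tables) || printf 'Warning: ip6tables not found in PATH\n' >&2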

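#===============================================================================
# Define IPTables-save commands for IPv4 and IPv6
#===============================================================================
# Same lookup as for the iptables binaries, via the "command -v" builtin. The
# save step at the end of the script is skipped for an empty variable, so a
# missing save binary is only a warning, not an error.
IPTABLES_SAVE_V4=$(command -v iptables-save)  || printf 'Warning: iptables-save not found in PATH, rules will not be persisted\n'  >&2
IPTABLES_SAVE_V6=$(command -v ip6tables-save) || printf 'Warning: ip6tables-save not found in PATH, rules will not be persisted\n' >&2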

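#===============================================================================
# Wrapper function for IPTables with IPv4 and IPv6
#===============================================================================
# Runs one and the same iptables invocation for IPv4 and then for IPv6.
# Globals:   IPTABLES_V4, IPTABLES_V6 (read) - paths of the two binaries
# Arguments: the iptables arguments, forwarded unchanged
# Returns:   0 if both calls succeeded, otherwise the status of the last call
#            that failed (the original only reported the IPv6 status)
IPTABLES() {
	local status=0
	# "$@" forwards every argument as exactly one word. The unquoted $@ of the
	# original re-split arguments on whitespace and expanded glob characters.
	# An empty binary path is deliberately not skipped: a missing ip6tables
	# must stay visible in the output rather than silently leave IPv6 unfiltered.
	"${IPTABLES_V4}" "$@" || status=$?
	"${IPTABLES_V6}" "$@" || status=$?
	return "${status}"
}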

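#===============================================================================
# Set whitelisting and blacklisting chain names
#===============================================================================
# Both names are used by the teardown of a previous run and by every rule that
# follows, so they are declared read-only to rule out accidental reassignment.
readonly WHITELIST_CHAIN='WHITELIST'
readonly BLACKLIST_CHAIN='BLACKLIST'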

#===============================================================================
# INPUT policy reset and flush
#===============================================================================
# Start from an empty INPUT chain with an ACCEPT policy. From here until the
# mode-specific policy is set further down, INPUT accepts every packet, so the
# host is unfiltered for as long as this script runs.
IPTABLES -P INPUT ACCEPT
IPTABLES -F INPUT

#===============================================================================
# Ping requests over ICMP and ICMPv6 protocol are always accepted
#===============================================================================
# Note that these rules carry no --icmp-type / --icmpv6-type restriction, so all
# ICMP and ICMPv6 messages are accepted, not only echo requests. ICMPv6 must
# stay open anyway, because IPv6 neighbour discovery runs over it.
"${IPTABLES_V4}" -A INPUT -p icmp   -j ACCEPT
"${IPTABLES_V6}" -A INPUT -p icmpv6 -j ACCEPT

#===============================================================================
# Local loopback connections are also always accepted
#===============================================================================
# Matches on the loopback interface only, for both address families.
IPTABLES --append INPUT --in-interface lo --jump ACCEPT

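#===============================================================================
# Accept all (already) related and established connections
#===============================================================================
# Replies to outgoing connections are accepted regardless of MODE. The "state"
# match of the original is a deprecated alias of "conntrack"; the supported
# module is used directly with the equivalent --ctstate option.
IPTABLES --append INPUT --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT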

#===============================================================================
# Tear down whitelisting and blacklisting chains of a previous run (if exists)
#===============================================================================
# For each of the two chains, whichever mode was active last time: empty the
# chain, remove its reference from INPUT, then delete the chain itself. Every
# step is best-effort with its output discarded, because on a fresh host the
# chains do not exist yet and iptables would complain about that.
for chain in "${WHITELIST_CHAIN}" "${BLACKLIST_CHAIN}"; do
	IPTABLES --flush "${chain}" &> /dev/null
	IPTABLES --delete INPUT --jump "${chain}" &> /dev/null
	IPTABLES --delete-chain "${chain}" &> /dev/null
done

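#===============================================================================
# Create the whitelisting-/blacklisting chain, hook it into INPUT, fill it with
# the matching rules and set the INPUT default policy for the selected mode
#===============================================================================
# One case statement replaces four separate "[ ${MODE} == ... ]" tests. Those
# used a bash-only "==" inside "[", broke with an empty MODE ("[ == ... ]"),
# and silently did nothing for an unrecognised value, which would have left
# INPUT flushed with policy ACCEPT and then persisted that state. An unknown
# MODE now aborts before the save step.

# Appends one port rule per entry to a chain.
# Arguments: $1 - chain name
#            $2 - jump target (ACCEPT or REJECT)
#            $3.. - rule entries in "<protocol>:<port>" form; the text before
#                   the first ":" is the protocol, after the last ":" the port
# Entries without a ":" are reported on stderr and skipped (the original
# passed the whole entry as both protocol and port, which iptables rejected).
add_port_rules() {
	local chain=$1 target=$2 rule
	shift 2
	for rule in "$@"; do
		if [[ "${rule}" != *:* ]]; then
			printf 'Warning: rule "%s" is not in <protocol>:<port> form, skipped\n' "${rule}" >&2
			continue
		fi
		IPTABLES --append "${chain}" --protocol "${rule%%:*}" --destination-port "${rule##*:}" --jump "${target}"
	done
}

case "${MODE}" in
	WHITELISTING)
		IPTABLES --new-chain "${WHITELIST_CHAIN}"
		IPTABLES --table filter --append INPUT --jump "${WHITELIST_CHAIN}"
		add_port_rules "${WHITELIST_CHAIN}" ACCEPT "${WHITELISTING[@]}"
		# Everything the chain did not accept is dropped
		IPTABLES --policy INPUT DROP
		;;
	BLACKLISTING)
		IPTABLES --new-chain "${BLACKLIST_CHAIN}"
		IPTABLES --table filter --append INPUT --jump "${BLACKLIST_CHAIN}"
		add_port_rules "${BLACKLIST_CHAIN}" REJECT "${BLACKLISTING[@]}"
		# Everything the chain did not reject is accepted
		IPTABLES --policy INPUT ACCEPT
		;;
	*)
		printf 'Error: MODE must be "WHITELISTING" or "BLACKLISTING", got "%s"\n' "${MODE}" >&2
		exit 1
		;;
esac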

#===============================================================================
# ADDITIONAL RULES
#===============================================================================
# Site-specific rules, appended to INPUT after the jump into the whitelist-/
# blacklist chain, so they only see packets that chain did not already accept
# or reject. The two example rules below accept everything from one IPv4 LAN
# and from the IPv6 link-local range; adjust or remove them for your network.
"${IPTABLES_V4}" -A INPUT -s 192.168.1.0/24 -j ACCEPT
"${IPTABLES_V6}" -A INPUT -s fe80::/64 -j ACCEPT

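#===============================================================================
# Save IPTables configuration permanent
#===============================================================================
# Writes the output of a *-save command to a file. The output goes to a
# temporary file in the same directory first and is renamed into place only on
# success, so a failing save command can no longer truncate the previously
# saved rules (the original's plain ">" redirection emptied the file first).
# The temporary file is created by mktemp with mode 0600, which the rename
# keeps; the rules are only read by root anyway.
# Arguments: $1 - path of the iptables-save / ip6tables-save binary
#            $2 - destination file
# Returns:   0 on success; 1 with a message on stderr if the temporary file,
#            the save command or the rename failed
save_rules() {
	local save_cmd=$1 dest=$2 tmp
	if ! tmp=$(mktemp "${dest}.XXXXXX"); then
		printf 'Error: cannot create a temporary file next to %s\n' "${dest}" >&2
		return 1
	fi
	if "${save_cmd}" > "${tmp}" && mv -- "${tmp}" "${dest}"; then
		return 0
	fi
	printf 'Error: could not save rules to %s\n' "${dest}" >&2
	rm -f -- "${tmp}"
	return 1
}

# The variables are empty when the save binaries were not found; saving is then
# skipped, as before.
if [[ -n "${IPTABLES_SAVE_V4}" ]]; then save_rules "${IPTABLES_SAVE_V4}" /etc/iptables/rules.v4; fi
if [[ -n "${IPTABLES_SAVE_V6}" ]]; then save_rules "${IPTABLES_SAVE_V6}" /etc/iptables/rules.v6; fi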