firewall/iptables-setup.sh

#!/bin/bash
# INPUT Chain (incoming ports)

# All packet verification
iptables -I INPUT -m conntrack --ctstate INVALID -j DROP			# Drop invalid packets
ip6tables -I INPUT -m conntrack --ctstate INVALID -j DROP			# Drop invalid packets
iptables -I INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT	# No constant icmp packets
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP				# Block null packets
ip6tables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP				# Block null packets
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP			# Block syn floods
ip6tables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP			# Block syn floods

# Cross-server free networking
iptables -A INPUT -m multiport -p tcp --dports 7946,2377 -i ens10 -j ACCEPT
ip6tables -A INPUT -m multiport -p tcp --dports 7946,2377 -i ens10 -j ACCEPT
iptables -A INPUT -m multiport -p udp --dports 7946,4789 -i ens10 -j ACCEPT
ip6tables -A INPUT -m multiport -p udp --dports 7946,4789 -i ens10 -j ACCEPT

# Allow forwarding of existing connections
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Services
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
ip6tables -A INPUT -p udp --dport 51820 -j ACCEPT

# Private services on docker
iptables -A DOCKER-USER -i eth0 -p tcp -m multiport --dports 5000,7050,9050,2112,4242,10113,15244,43110 -j DROP
#ip6tables -A DOCKER-USER -i eth0 -p tcp -m multiport --dports 5000,9050,2112,4242,10113,43110 -j DROP # No IPv6 docker rules are available

# Special Rules
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT		# Keep existing connections open
ip6tables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT		# Keep existing connections open
iptables -I INPUT 1 -i lo -j ACCEPT						# Loopback connections
ip6tables -I INPUT 1 -i lo -j ACCEPT						# Loopback connections

# DEFAULT RULES # Apply at end, first set whitelisted connections
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P FORWARD ACCEPT							# TODO: Should be drop but it needs configuration
ip6tables -P FORWARD ACCEPT							# TODO: Should be drop but it needs configuration
iptables -P OUTPUT ACCEPT							# Allow all outbound connections
ip6tables -P OUTPUT ACCEPT							# Allow all outbound connections
Add old ufw configuration and current IPTABLES configuration 2019-12-08 12:21:55 +00:00			`#!/bin/bash`
			`# INPUT Chain (incoming ports)`

			`# All packet verification`
			`iptables -I INPUT -m conntrack --ctstate INVALID -j DROP # Drop invalid packets`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -I INPUT -m conntrack --ctstate INVALID -j DROP # Drop invalid packets`
Add old ufw configuration and current IPTABLES configuration 2019-12-08 12:21:55 +00:00			`iptables -I INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT # No constant icmp packets`
			`iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets`
Add old ufw configuration and current IPTABLES configuration 2019-12-08 12:21:55 +00:00			`iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP # Block syn floods`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP # Block syn floods`
Add old ufw configuration and current IPTABLES configuration 2019-12-08 12:21:55 +00:00
			`# Cross-server free networking`
Stricter inter-server communications and no more docker rules 2020-01-25 22:51:32 +00:00			`iptables -A INPUT -m multiport -p tcp --dports 7946,2377 -i ens10 -j ACCEPT`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -A INPUT -m multiport -p tcp --dports 7946,2377 -i ens10 -j ACCEPT`
Stricter inter-server communications and no more docker rules 2020-01-25 22:51:32 +00:00			`iptables -A INPUT -m multiport -p udp --dports 7946,4789 -i ens10 -j ACCEPT`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -A INPUT -m multiport -p udp --dports 7946,4789 -i ens10 -j ACCEPT`
Remove firewall ratelimiting and per-ip limiting, use provided interface 2020-01-23 16:30:02 +00:00
			`# Allow forwarding of existing connections`
			`iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`
Add old ufw configuration and current IPTABLES configuration 2019-12-08 12:21:55 +00:00
			`# Services`
Remove invalid ipv6 docker rules, remove docker services from whitelist, docker handles ports automatically 2020-02-02 16:05:19 +00:00			`iptables -A INPUT -p tcp --dport 22 -j ACCEPT`
			`ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT`
			`iptables -A INPUT -p udp --dport 51820 -j ACCEPT`
			`ip6tables -A INPUT -p udp --dport 51820 -j ACCEPT`
Block private services 2020-01-25 23:12:55 +00:00
			`# Private services on docker`
Block Tor http connections 2020-03-04 18:27:53 +00:00			`iptables -A DOCKER-USER -i eth0 -p tcp -m multiport --dports 5000,7050,9050,2112,4242,10113,15244,43110 -j DROP`
Remove invalid ipv6 docker rules, remove docker services from whitelist, docker handles ports automatically 2020-02-02 16:05:19 +00:00			`#ip6tables -A DOCKER-USER -i eth0 -p tcp -m multiport --dports 5000,9050,2112,4242,10113,43110 -j DROP # No IPv6 docker rules are available`
Add old ufw configuration and current IPTABLES configuration 2019-12-08 12:21:55 +00:00
			`# Special Rules`
			`iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Keep existing connections open`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Keep existing connections open`
Add old ufw configuration and current IPTABLES configuration 2019-12-08 12:21:55 +00:00			`iptables -I INPUT 1 -i lo -j ACCEPT # Loopback connections`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -I INPUT 1 -i lo -j ACCEPT # Loopback connections`
Add old ufw configuration and current IPTABLES configuration 2019-12-08 12:21:55 +00:00
			`# DEFAULT RULES # Apply at end, first set whitelisted connections`
Remove firewall ratelimiting and per-ip limiting, use provided interface 2020-01-23 16:30:02 +00:00			`iptables -P INPUT DROP`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -P INPUT DROP`
Remove firewall ratelimiting and per-ip limiting, use provided interface 2020-01-23 16:30:02 +00:00			`iptables -P FORWARD ACCEPT # TODO: Should be drop but it needs configuration`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -P FORWARD ACCEPT # TODO: Should be drop but it needs configuration`
Add old ufw configuration and current IPTABLES configuration 2019-12-08 12:21:55 +00:00			`iptables -P OUTPUT ACCEPT # Allow all outbound connections`
IPv6 Rules 2020-02-01 11:13:02 +00:00			`ip6tables -P OUTPUT ACCEPT # Allow all outbound connections`