jfw/jfw.rules

#!/bin/bash

## These variables make setting up NAT easier, just uncomment the NAT sections
## below
PUBLIC_INTERFACE=
LAN_INTERFACE=
JFW_LOG_4='-j LOG --log-prefix "[ JFW IPv4 DROP ]"'
JFW_LOG_6='-j LOG --log-prefix "[ JFW IPv6 DROP ]"'


		#########
		# IPv4  #
		#########

##======== General required =======## 			
iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT                    ## Loop device
iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT                  ## ICMP, e.g. ping
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   ## Existing and related to outgoing

##============= NAT ===============##
# iptables -A FORWARD -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -m conntrack --ctstate NEW -j ACCEPT
# iptables -A FORWARD -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -t nat -A POSTROUTING -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -j MASQUERADE

##============ Public =============##
# iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

##============= LAN ===============##
iptables -A INPUT -i enp4s0 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -i enp4s0 -p ALL -d 224.0.0.1 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -i enp4s0 -p udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT	## MDNS

##============ Logging ============##
# iptables -A INPUT -p ALL $JFW_LOG_4
# iptables -A INPUT -p ALL -j DROP

## Default policies for IPv4 ##
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP


		########
		# IPv6 #
		########

##=========== General ===========##
ip6tables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT                                   ## Loop device
ip6tables -A INPUT -p ipv6-icmp -m conntrack --ctstate NEW -j ACCEPT                            ## ICMP, e.g. ping
ip6tables -A INPUT -p icmpv6 -m conntrack --ctstate NEW -j ACCEPT                               ## These are required for IPv6
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT                         ## Existing and related to outgoing
ip6tables -A INPUT -d fe80::/10 -p udp -m conntrack --ctstate NEW -m udp --dport 546 -j ACCEPT  ## DHCPv6-client
# ip6tables -A INPUT -i $LAN_INTERFACE -p udp --dport 547 -m conntrack --ctstate NEW -j ACCEPT    ## DHCPv6 server

##============= NAT ===============##
# ip6tables -A FORWARD -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -m conntrack --ctstate NEW -j ACCEPT
# ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#
### NAT may not be desired for IPv6, if the clients on your LAN get
### a public IPv6 address from the DHCP server, you may want to leave this
### commented
# ip6tables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE

##============ Public =============##
# ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

##============= LAN ===============##
ip6tables -A INPUT -i $LAN_INTERFACE -m conntrack --ctstate NEW -j ACCEPT
# ip6tables -A INPUT -i $LAN_INTERFACE -p udp --dport 5353 -j ACCEPT	## MDNS

##=========== Logging =============##
# ip6tables -A INPUT -p ALL $JFW_LOG_6
# ip6tables -A INPUT -p ALL -j DROP

##=== Default policies for IPv6 ===##
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
initial commit 2021-02-07 13:45:36 +02:00			`#!/bin/bash`

Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`## These variables make setting up NAT easier, just uncomment the NAT sections`
			`## below`
			`PUBLIC_INTERFACE=`
			`LAN_INTERFACE=`
			`JFW_LOG_4='-j LOG --log-prefix "[ JFW IPv4 DROP ]"'`
			`JFW_LOG_6='-j LOG --log-prefix "[ JFW IPv6 DROP ]"'`





			`#########`
			`# IPv4 #`
			`#########`

			`##======== General required =======##`
			`iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT ## Loop device`
			`iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT ## ICMP, e.g. ping`
			`iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ## Existing and related to outgoing`

Removed leftover interface names 2021-09-10 10:21:03 +03:00			`##============= NAT ===============##`
Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`# iptables -A FORWARD -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -m conntrack --ctstate NEW -j ACCEPT`
			`# iptables -A FORWARD -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`
			`# iptables -t nat -A POSTROUTING -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -j MASQUERADE`

			`##============ Public =============##`
			`# iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT`
			`# iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT`
			`iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT`

Removed leftover interface names 2021-09-10 10:21:03 +03:00			`##============= LAN ===============##`
Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`iptables -A INPUT -i enp4s0 -m conntrack --ctstate NEW -j ACCEPT`
			`# iptables -A INPUT -i enp4s0 -p ALL -d 224.0.0.1 -m conntrack --ctstate NEW -j ACCEPT`
			`# iptables -A INPUT -i enp4s0 -p udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT ## MDNS`

Removed leftover interface names 2021-09-10 10:21:03 +03:00			`##============ Logging ============##`
Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`# iptables -A INPUT -p ALL $JFW_LOG_4`
			`# iptables -A INPUT -p ALL -j DROP`

			`## Default policies for IPv4 ##`
initial commit 2021-02-07 13:45:36 +02:00			`iptables -P INPUT DROP`
			`iptables -P OUTPUT ACCEPT`
			`iptables -P FORWARD DROP`






Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`########`
			`# IPv6 #`
			`########`
initial commit 2021-02-07 13:45:36 +02:00
Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`##=========== General ===========##`
			`ip6tables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT ## Loop device`
			`ip6tables -A INPUT -p ipv6-icmp -m conntrack --ctstate NEW -j ACCEPT ## ICMP, e.g. ping`
			`ip6tables -A INPUT -p icmpv6 -m conntrack --ctstate NEW -j ACCEPT ## These are required for IPv6`
			`ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ## Existing and related to outgoing`
			`ip6tables -A INPUT -d fe80::/10 -p udp -m conntrack --ctstate NEW -m udp --dport 546 -j ACCEPT ## DHCPv6-client`
Removed leftover interface names 2021-09-10 10:21:03 +03:00			`# ip6tables -A INPUT -i $LAN_INTERFACE -p udp --dport 547 -m conntrack --ctstate NEW -j ACCEPT ## DHCPv6 server`
initial commit 2021-02-07 13:45:36 +02:00
Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`##============= NAT ===============##`
			`# ip6tables -A FORWARD -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -m conntrack --ctstate NEW -j ACCEPT`
			`# ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`
			`#`
Removed leftover interface names 2021-09-10 10:21:03 +03:00			`### NAT may not be desired for IPv6, if the clients on your LAN get`
			`### a public IPv6 address from the DHCP server, you may want to leave this`
			`### commented`
Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`# ip6tables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE`
initial commit 2021-02-07 13:45:36 +02:00
Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`##============ Public =============##`
			`# ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT`
			`# ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT`
			`ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT`
initial commit 2021-02-07 13:45:36 +02:00
Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`##============= LAN ===============##`
			`ip6tables -A INPUT -i $LAN_INTERFACE -m conntrack --ctstate NEW -j ACCEPT`
Removed leftover interface names 2021-09-10 10:21:03 +03:00			`# ip6tables -A INPUT -i $LAN_INTERFACE -p udp --dport 5353 -j ACCEPT ## MDNS`
initial commit 2021-02-07 13:45:36 +02:00
Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`##=========== Logging =============##`
			`# ip6tables -A INPUT -p ALL $JFW_LOG_6`
initial commit 2021-02-07 13:45:36 +02:00			`# ip6tables -A INPUT -p ALL -j DROP`

Separated executable from ruleset file, other minor improvements. v1.0 2021-09-09 23:52:46 +03:00			`##=== Default policies for IPv6 ===##`
initial commit 2021-02-07 13:45:36 +02:00			`ip6tables -P INPUT DROP`
			`ip6tables -P OUTPUT ACCEPT`
			`ip6tables -P FORWARD DROP`