initial commit
This commit is contained in:
commit
2ae72cdfd5
|
@ -0,0 +1,48 @@
|
||||||
|
# jfw
|
||||||
|
### iptables control system
|
||||||
|
|
||||||
|
##### What is it?
|
||||||
|
This is my take on replacing the rc.local -method of configuring `iptables` at
|
||||||
|
startup.
|
||||||
|
|
||||||
|
##### How to install?
|
||||||
|
Clone the repo and make `install.bash` and `jfw.rules` executable, then run
|
||||||
|
`install.bash` as root.
|
||||||
|
|
||||||
|
When you run `install.bash`, the script copies the file `jfw.rules` to
|
||||||
|
`/etc/jfw/`, makes a symlink to it in `/usr/sbin` and copies the included
|
||||||
|
`jfw.service` systemd service file to `/etc/systemd/system/`.
|
||||||
|
|
||||||
|
You have the option to enable & start the service right away or do it later
|
||||||
|
yourself using systemctl.
|
||||||
|
|
||||||
|
`jfw.rules` is basically just a list of iptables commands, with a couple of
|
||||||
|
predefined parameters. The systemd service runs the script at startup.
|
||||||
|
|
||||||
|
Outbound traffic, inbound MDNS and inbound SSH are allowed by default.
|
||||||
|
|
||||||
|
##### How to uninstall?
|
||||||
|
If you haven't already, clone the repo, make `uninstall.bash`executable`
|
||||||
|
and run `uninstall.bash`.
|
||||||
|
|
||||||
|
##### Why use this?
|
||||||
|
The traditional method of using `/etc/rc.local` to run your init scripts
|
||||||
|
is deprecated by many distros. This is just another way to configure iptables.
|
||||||
|
|
||||||
|
There are a couple of handy parameters to the `jfw` command:
|
||||||
|
- `jfw flush` flushes the rules and disables the firewall
|
||||||
|
- `jfw edit` is an alias to edit `/etc/jfw/jfw.rules` with your defined $EDITOR
|
||||||
|
- `jfw logs` greps `dmesg` to show the logs
|
||||||
|
- `jfw list` shows the currently active `iptables` rules for IPv4 and IPv6
|
||||||
|
- `jfw test` applies your ruleset and automatically flushes the rules after
|
||||||
|
60 seconds. Just remember to use `nohup`, `screen` or `tmux` so the script
|
||||||
|
will continue running even if your connection breaks.
|
||||||
|
- `jfw reload` resets the rules to those defined in `/etc/jfw/jfw.rules`
|
||||||
|
This is useful when modifying the rules remotely so you don't get locked out.
|
||||||
|
|
||||||
|
##### Why not use this?
|
||||||
|
If you are unsure about the methods I've used, don't use these scripts.
|
||||||
|
Ask someone if it is safe to use them.
|
||||||
|
If you have no idea how to use `iptables`, then this might not be the easiest
|
||||||
|
way to control the Linux firewall. My personal favourite of the more
|
||||||
|
comprehensive firewall programs is `firewalld`.
|
|
@ -0,0 +1,44 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# root check
|
||||||
|
if [[ "$UID" -ne 0 ]]; then
|
||||||
|
echo "This script needs root permissions."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Make /etc/jfw directory with "rules" file
|
||||||
|
# (which is really the iptables script)
|
||||||
|
if [[ -f /etc/jfw/jfw.rules ]]; then
|
||||||
|
echo "Found existing jfw configuration, do you wish to overwrite (y/n)?"
|
||||||
|
read -n 1
|
||||||
|
if [[ "$REPLY" == "y" ]];then
|
||||||
|
echo "Overwriting '/etc/jfw/jfw.rules'"
|
||||||
|
cp jfw.rules /etc/jfw/
|
||||||
|
chmod -R 700 /etc/jfw
|
||||||
|
else
|
||||||
|
echo "Not overwriting '/etc/jfw/jfw.rules' ."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
mkdir -p /etc/jfw
|
||||||
|
cp jfw.rules /etc/jfw/
|
||||||
|
chmod -R 700 /etc/jfw
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create symlink to jfw.rules:
|
||||||
|
ln -s /etc/jfw/jfw.rules /usr/sbin/jfw
|
||||||
|
|
||||||
|
# Install systemd service file,
|
||||||
|
# Still needs to be enabled automatically
|
||||||
|
cp jfw.service /etc/systemd/system
|
||||||
|
systemctl daemon-reload
|
||||||
|
|
||||||
|
echo "SSH port (22) is opened by default with JFW."
|
||||||
|
read -p "Enable & start JFW now (yes/no)? "
|
||||||
|
|
||||||
|
if [[ "$REPLY" == "yes" ]]; then
|
||||||
|
systemctl enable --now jfw
|
||||||
|
else
|
||||||
|
echo "You can edit the iptables rules to your liking by editing"
|
||||||
|
echo "'/etc/jfw/jfw.rules'. Afterwards you can use systemct to start"
|
||||||
|
echo "and/or enable the firewall."
|
||||||
|
fi
|
|
@ -0,0 +1,134 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
PATH="/usr/sbin:/sbin:/usr/bin:/bin"
|
||||||
|
|
||||||
|
flush() {
|
||||||
|
iptables -P INPUT ACCEPT
|
||||||
|
iptables -P OUTPUT ACCEPT
|
||||||
|
iptables -P FORWARD ACCEPT
|
||||||
|
iptables -F INPUT
|
||||||
|
iptables -F OUTPUT
|
||||||
|
iptables -F FORWARD
|
||||||
|
iptables -F -t nat
|
||||||
|
iptables -F -t mangle
|
||||||
|
|
||||||
|
ip6tables -P INPUT ACCEPT
|
||||||
|
ip6tables -P OUTPUT ACCEPT
|
||||||
|
ip6tables -P FORWARD ACCEPT
|
||||||
|
ip6tables -F INPUT
|
||||||
|
ip6tables -F OUTPUT
|
||||||
|
ip6tables -F FORWARD
|
||||||
|
ip6tables -F -t nat
|
||||||
|
ip6tables -F -t mangle
|
||||||
|
}
|
||||||
|
|
||||||
|
if [[ "$1" == "flush" ]]; then
|
||||||
|
flush
|
||||||
|
echo "Firewall rules flushed."
|
||||||
|
exit 0
|
||||||
|
elif [[ "$1" == "edit" ]]; then
|
||||||
|
sudoedit /etc/jfw/jfw.rules && systemctl reload jfw.service
|
||||||
|
echo "Firewall rules updated."
|
||||||
|
exit 0
|
||||||
|
elif [[ "$1" == "logs" ]]; then
|
||||||
|
dmesg -T | grep JFW
|
||||||
|
exit 0
|
||||||
|
elif [[ "$1" == "list" ]]; then
|
||||||
|
echo "********** IPv4 **********"
|
||||||
|
iptables -S -v
|
||||||
|
echo "********** IPv6 **********"
|
||||||
|
ip6tables -S -v
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
flush
|
||||||
|
|
||||||
|
#########
|
||||||
|
# IPv4 #
|
||||||
|
#########
|
||||||
|
|
||||||
|
## Loop device
|
||||||
|
iptables -A INPUT -i lo -j ACCEPT
|
||||||
|
|
||||||
|
## Ping, router advertisements etc
|
||||||
|
iptables -A INPUT -p icmp -j ACCEPT
|
||||||
|
iptables -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
|
||||||
|
|
||||||
|
## established inbound
|
||||||
|
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
|
## MDNS
|
||||||
|
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
|
||||||
|
|
||||||
|
## Wireguard network
|
||||||
|
## Replace <PORT> AND <INTERFACE>
|
||||||
|
#iptables -A INPUT -p udp --dport <PORT> -j ACCEPT
|
||||||
|
#iptables -A INPUT -i <WIREGUARD_INTERFACE> -j ACCEPT
|
||||||
|
|
||||||
|
## SSH access
|
||||||
|
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
||||||
|
|
||||||
|
## Logging and dropping other inbound packets
|
||||||
|
## "log lines" may generate too much log entries
|
||||||
|
## uncomment the following lines to enable logging
|
||||||
|
#iptables -A INPUT -p ALL -j LOG --log-prefix "JFW IPv4 DROP::"
|
||||||
|
#iptables -A INPUT -p ALL -j DROP
|
||||||
|
|
||||||
|
|
||||||
|
## Default policies for IPv4
|
||||||
|
iptables -P INPUT DROP
|
||||||
|
iptables -P OUTPUT ACCEPT
|
||||||
|
iptables -P FORWARD DROP
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
########
|
||||||
|
# IPv6 #
|
||||||
|
########
|
||||||
|
|
||||||
|
## Loop device
|
||||||
|
ip6tables -A INPUT -i lo -j ACCEPT
|
||||||
|
|
||||||
|
## Ping, router advertisements etc
|
||||||
|
ip6tables -A INPUT -p icmpv6 -j ACCEPT
|
||||||
|
|
||||||
|
## established inbound
|
||||||
|
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
|
## MDNS
|
||||||
|
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
|
||||||
|
|
||||||
|
## Wireguard network
|
||||||
|
## Replace <PORT> and <WIREGUARD_INTERFACE> and uncomment the following lines
|
||||||
|
#ip6tables -A INPUT -p udp --dport <PORT> -j ACCEPT
|
||||||
|
#ip6tables -A INPUT -i <WIREGUARD_INTERFACE> -j ACCEPT
|
||||||
|
|
||||||
|
## Logging and dropping other inbound packets
|
||||||
|
## "log lines" may generate too much log entries
|
||||||
|
## uncomment the following lines to enable logging
|
||||||
|
# ip6tables -A INPUT -p ALL -j LOG --log-prefix "JFW IPv6 DROP::"
|
||||||
|
# ip6tables -A INPUT -p ALL -j DROP
|
||||||
|
|
||||||
|
## Default policies for IPv6
|
||||||
|
ip6tables -P INPUT DROP
|
||||||
|
ip6tables -P OUTPUT ACCEPT
|
||||||
|
ip6tables -P FORWARD DROP
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## test-parameter for testing, flushes rules after 60 seconds
|
||||||
|
## reload for resetting temporary changes to those defined in this file
|
||||||
|
if [[ "$1" == "test" ]]; then
|
||||||
|
sleep 60
|
||||||
|
flush
|
||||||
|
echo "Firewall test finished, rules flushed."
|
||||||
|
exit 0
|
||||||
|
elif [[ "$1" == "reload" ]]; then
|
||||||
|
echo "Firewall rules reloaded."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
[Unit]
|
||||||
|
Description=iptables rules
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=/etc/jfw/jfw.rules
|
||||||
|
ExecStop=/etc/jfw/jfw.rules flush
|
||||||
|
ExecReload=/etc/jfw/jfw.rules
|
||||||
|
RemainAfterExit=yes
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
@ -0,0 +1,33 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [[ "$UID" -ne 0 ]]; then
|
||||||
|
echo "This script must be run as root."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "This will uninstall the jfw executable, systemd service and flush"
|
||||||
|
echo "your iptables & ip6tables rules."
|
||||||
|
read -n 1 -p "Proceed with uninstallation (y/n)? "
|
||||||
|
|
||||||
|
if [[ $REPLY == "y" ]]; then
|
||||||
|
unset $REPLY
|
||||||
|
printf "\n"
|
||||||
|
jfw flush
|
||||||
|
systemctl disable --now jfw.service
|
||||||
|
rm -f /etc/systemd/system/jfw.service
|
||||||
|
systemctl daemon-reload
|
||||||
|
rm -f /usr/sbin/jfw
|
||||||
|
|
||||||
|
read -n 1 -p "Remove '/etc/jfw/jfw.rules' (y/n)? "
|
||||||
|
printf "\n"
|
||||||
|
[[ "$REPLY" == "y" ]] && rm -rf /etc/jfw
|
||||||
|
[[ "$REPLY" != "y" ]] && echo "Keeping '/etc/jfw/jfw.rules'"
|
||||||
|
|
||||||
|
echo "JFW succesfully removed!"
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
else
|
||||||
|
echo "Aborting uninstallation."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
Loading…
Reference in New Issue