Separated executable from ruleset file, other minor improvements. v1.0
This commit is contained in:
parent
2ae72cdfd5
commit
7fa9c36ffc
19
install.bash
19
install.bash
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash
|
#!/bin/bash -e
|
||||||
|
|
||||||
# root check
|
# root check
|
||||||
if [[ "$UID" -ne 0 ]]; then
|
if [[ "$UID" -ne 0 ]]; then
|
||||||
|
@ -6,17 +6,19 @@ if [[ "$UID" -ne 0 ]]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
RULES_FILE='/etc/jfw/jfw.rules'
|
||||||
|
|
||||||
# Make /etc/jfw directory with "rules" file
|
# Make /etc/jfw directory with "rules" file
|
||||||
# (which is really the iptables script)
|
# (which is really the iptables script)
|
||||||
if [[ -f /etc/jfw/jfw.rules ]]; then
|
if [[ -f $RULES_FILE ]]; then
|
||||||
echo "Found existing jfw configuration, do you wish to overwrite (y/n)?"
|
echo "Found existing jfw configuration, do you wish to overwrite (y/n)?"
|
||||||
read -n 1
|
read -n 1
|
||||||
if [[ "$REPLY" == "y" ]];then
|
if [[ "$REPLY" == "y" ]];then
|
||||||
echo "Overwriting '/etc/jfw/jfw.rules'"
|
echo "Overwriting '$RULES_FILE'"
|
||||||
cp jfw.rules /etc/jfw/
|
cp jfw.rules /etc/jfw/
|
||||||
chmod -R 700 /etc/jfw
|
chmod -R 700 /etc/jfw
|
||||||
else
|
else
|
||||||
echo "Not overwriting '/etc/jfw/jfw.rules' ."
|
echo "Not overwriting '$RULES_FILE' ."
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
mkdir -p /etc/jfw
|
mkdir -p /etc/jfw
|
||||||
|
@ -24,11 +26,12 @@ else
|
||||||
chmod -R 700 /etc/jfw
|
chmod -R 700 /etc/jfw
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create symlink to jfw.rules:
|
# Copy executable in place:
|
||||||
ln -s /etc/jfw/jfw.rules /usr/sbin/jfw
|
cp jfw /usr/local/sbin/jfw
|
||||||
|
chown root:wheel /usr/local/sbin/jfw
|
||||||
|
chmod 750 /usr/local/sbin/jfw
|
||||||
|
|
||||||
# Install systemd service file,
|
# Install systemd service file,
|
||||||
# Still needs to be enabled automatically
|
|
||||||
cp jfw.service /etc/systemd/system
|
cp jfw.service /etc/systemd/system
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
|
|
||||||
|
@ -39,6 +42,6 @@ if [[ "$REPLY" == "yes" ]]; then
|
||||||
systemctl enable --now jfw
|
systemctl enable --now jfw
|
||||||
else
|
else
|
||||||
echo "You can edit the iptables rules to your liking by editing"
|
echo "You can edit the iptables rules to your liking by editing"
|
||||||
echo "'/etc/jfw/jfw.rules'. Afterwards you can use systemct to start"
|
echo "'$RULES_FILE'. Afterwards you can use systemct to start"
|
||||||
echo "and/or enable the firewall."
|
echo "and/or enable the firewall."
|
||||||
fi
|
fi
|
||||||
|
|
|
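Review bot: `chown root:wheel /usr/local/sbin/jfw` assumes a `wheel` group, which Debian-derived systems typically do not create; with the new `-e` in the shebang the install then aborts after `cp jfw /usr/local/sbin/jfw` has already placed the binary with the checkout's mode and before `chmod 750` runs. `install -o root -g root -m 750 jfw /usr/local/sbin/jfw` sets owner and mode in the same step and avoids that window, and the same applies to the `cp jfw.rules /etc/jfw/` plus `chmod -R 700 /etc/jfw` pair. Separately, `#!/bin/bash -e` only takes effect when the script is executed directly — running it as `bash install.bash` drops the flag — so `set -e` as the first line of the body is the reliable form; the same applies to the shebang change in the last hunk of this commit.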
@ -0,0 +1,94 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
PATH="/usr/sbin:/sbin:/usr/bin:/bin"
|
||||||
|
RULES_FILE="/etc/jfw/jfw.rules"
|
||||||
|
VERSION=1.0
|
||||||
|
|
||||||
|
flush() {
|
||||||
|
iptables -P INPUT ACCEPT
|
||||||
|
iptables -P OUTPUT ACCEPT
|
||||||
|
iptables -P FORWARD ACCEPT
|
||||||
|
iptables -F INPUT
|
||||||
|
iptables -F OUTPUT
|
||||||
|
iptables -F FORWARD
|
||||||
|
iptables -F -t nat
|
||||||
|
iptables -F -t mangle
|
||||||
|
|
||||||
|
ip6tables -P INPUT ACCEPT
|
||||||
|
ip6tables -P OUTPUT ACCEPT
|
||||||
|
ip6tables -P FORWARD ACCEPT
|
||||||
|
ip6tables -F INPUT
|
||||||
|
ip6tables -F OUTPUT
|
||||||
|
ip6tables -F FORWARD
|
||||||
|
ip6tables -F -t nat
|
||||||
|
ip6tables -F -t mangle
|
||||||
|
}
|
||||||
|
|
||||||
|
load () {
|
||||||
|
if [[ -f "$RULES_FILE" ]]; then
|
||||||
|
flush
|
||||||
|
. $RULES_FILE
|
||||||
|
echo "Firewall rules applied"
|
||||||
|
else
|
||||||
|
echo "Could not find $RULES_FILE, flushing rules and exiting."
|
||||||
|
flush
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
usage () {
|
||||||
|
printf "Usage: $0 ACTION
|
||||||
|
Available ACTIONs:
|
||||||
|
flush restore default rules
|
||||||
|
edit edit and apply rules
|
||||||
|
logs view dmesg logs, add log rules via edit
|
||||||
|
list list current ruleset
|
||||||
|
reload (re)apply rules
|
||||||
|
|
||||||
|
JFW version $VERSION
|
||||||
|
"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
if [[ "$#" -eq 0 ]]; then
|
||||||
|
usage
|
||||||
|
elif [[ "$1" == "flush" ]]; then
|
||||||
|
flush
|
||||||
|
echo "Firewall rules flushed."
|
||||||
|
elif [[ "$1" == "edit" ]]; then
|
||||||
|
if ! systemctl is-active jfw.service &> /dev/null; then
|
||||||
|
printf "JFW is not running, you can edit the rules but\nthe changes won't take effect until you enable the service\n"
|
||||||
|
OFFLINE=true
|
||||||
|
fi
|
||||||
|
sudoedit $RULES_FILE
|
||||||
|
[[ "$OFFLINE" != "true" ]] && systemctl reload jfw.service
|
||||||
|
echo "Firewall rules updated."
|
||||||
|
elif [[ "$1" == "logs" ]]; then
|
||||||
|
dmesg -T | grep JFW
|
||||||
|
elif [[ "$1" == "list" ]]; then
|
||||||
|
echo "********** IPv4 **********"
|
||||||
|
iptables -S -v
|
||||||
|
echo "********** IPv6 **********"
|
||||||
|
ip6tables -S -v
|
||||||
|
elif [[ "$1" == "load" ]]; then
|
||||||
|
load
|
||||||
|
elif [[ "$1" == "test" ]]; then
|
||||||
|
load
|
||||||
|
echo "Waiting 60 seconds before flushing rules.."
|
||||||
|
SPINNER=('[* ]' '[ * ]' '[ * ]' '[ *]')
|
||||||
|
j=0
|
||||||
|
SLEEP=0
|
||||||
|
while [[ "$SLEEP" -lt 60 ]]; do
|
||||||
|
printf "${SPINNER[${j}]}\r"
|
||||||
|
sleep 0.25
|
||||||
|
let j=$j+1
|
||||||
|
[[ "$j" -gt 3 ]] && j=0 && let SLEEP=$SLEEP+1
|
||||||
|
done
|
||||||
|
flush
|
||||||
|
echo "Firewall test finished, rules flushed."
|
||||||
|
elif [[ "$1" == "reload" ]]; then
|
||||||
|
load
|
||||||
|
elif [[ "$1" == "status" ]]; then
|
||||||
|
systemctl status jfw.service
|
||||||
|
fi
|
||||||
|
exit 0
|
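Review bot: `load` opens the host before it secures it: `flush` sets every policy to ACCEPT, and the DROP policies are only applied by the last lines of the sourced rules file, so any command that fails partway through `$RULES_FILE` (no `set -e` is visible in that file) leaves the firewall at ACCEPT with a partial ruleset, and the missing-file branch ends in that same state before `exit 1`. Setting restrictive policies between the flush and the source keeps a broken or absent ruleset fail-closed, e.g. `for t in iptables ip6tables; do "$t" -P INPUT DROP; "$t" -P FORWARD DROP; done` right after `flush` in `load`, and the missing-file branch could then keep those policies instead of calling `flush` again. While there, `. $RULES_FILE` should be quoted like the `-f "$RULES_FILE"` test above it, and `printf "Usage: $0 ACTION ..."` passes `$0` through the format string — `printf 'Usage: %s ACTION\n' "$0"` avoids that.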
144
jfw.rules
144
jfw.rules
|
@ -1,81 +1,45 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
PATH="/usr/sbin:/sbin:/usr/bin:/bin"
|
## These variables make setting up NAT easier, just uncomment the NAT sections
|
||||||
|
## below
|
||||||
|
PUBLIC_INTERFACE=
|
||||||
|
LAN_INTERFACE=
|
||||||
|
JFW_LOG_4='-j LOG --log-prefix "[ JFW IPv4 DROP ]"'
|
||||||
|
JFW_LOG_6='-j LOG --log-prefix "[ JFW IPv6 DROP ]"'
|
||||||
|
|
||||||
flush() {
|
|
||||||
iptables -P INPUT ACCEPT
|
|
||||||
iptables -P OUTPUT ACCEPT
|
|
||||||
iptables -P FORWARD ACCEPT
|
|
||||||
iptables -F INPUT
|
|
||||||
iptables -F OUTPUT
|
|
||||||
iptables -F FORWARD
|
|
||||||
iptables -F -t nat
|
|
||||||
iptables -F -t mangle
|
|
||||||
|
|
||||||
ip6tables -P INPUT ACCEPT
|
|
||||||
ip6tables -P OUTPUT ACCEPT
|
|
||||||
ip6tables -P FORWARD ACCEPT
|
|
||||||
ip6tables -F INPUT
|
|
||||||
ip6tables -F OUTPUT
|
|
||||||
ip6tables -F FORWARD
|
|
||||||
ip6tables -F -t nat
|
|
||||||
ip6tables -F -t mangle
|
|
||||||
}
|
|
||||||
|
|
||||||
if [[ "$1" == "flush" ]]; then
|
|
||||||
flush
|
|
||||||
echo "Firewall rules flushed."
|
|
||||||
exit 0
|
|
||||||
elif [[ "$1" == "edit" ]]; then
|
|
||||||
sudoedit /etc/jfw/jfw.rules && systemctl reload jfw.service
|
|
||||||
echo "Firewall rules updated."
|
|
||||||
exit 0
|
|
||||||
elif [[ "$1" == "logs" ]]; then
|
|
||||||
dmesg -T | grep JFW
|
|
||||||
exit 0
|
|
||||||
elif [[ "$1" == "list" ]]; then
|
|
||||||
echo "********** IPv4 **********"
|
|
||||||
iptables -S -v
|
|
||||||
echo "********** IPv6 **********"
|
|
||||||
ip6tables -S -v
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
flush
|
|
||||||
|
|
||||||
#########
|
#########
|
||||||
# IPv4 #
|
# IPv4 #
|
||||||
#########
|
#########
|
||||||
|
|
||||||
## Loop device
|
##======== General required =======##
|
||||||
iptables -A INPUT -i lo -j ACCEPT
|
iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT ## Loop device
|
||||||
|
iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT ## ICMP, e.g. ping
|
||||||
|
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ## Existing and related to outgoing
|
||||||
|
|
||||||
## Ping, router advertisements etc
|
##============== NAT ==============##
|
||||||
iptables -A INPUT -p icmp -j ACCEPT
|
# iptables -A FORWARD -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -m conntrack --ctstate NEW -j ACCEPT
|
||||||
iptables -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
|
# iptables -A FORWARD -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
# iptables -t nat -A POSTROUTING -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -j MASQUERADE
|
||||||
|
|
||||||
## established inbound
|
##============ Public =============##
|
||||||
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
# iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
# iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
## MDNS
|
##========== LAN enp4s0 ===========##
|
||||||
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
|
iptables -A INPUT -i enp4s0 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
# iptables -A INPUT -i enp4s0 -p ALL -d 224.0.0.1 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
# iptables -A INPUT -i enp4s0 -p udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT ## MDNS
|
||||||
|
|
||||||
## Wireguard network
|
##=========== Logging =============##
|
||||||
## Replace <PORT> AND <INTERFACE>
|
# iptables -A INPUT -p ALL $JFW_LOG_4
|
||||||
#iptables -A INPUT -p udp --dport <PORT> -j ACCEPT
|
|
||||||
#iptables -A INPUT -i <WIREGUARD_INTERFACE> -j ACCEPT
|
|
||||||
|
|
||||||
## SSH access
|
|
||||||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
|
||||||
|
|
||||||
## Logging and dropping other inbound packets
|
|
||||||
## "log lines" may generate too much log entries
|
|
||||||
## uncomment the following lines to enable logging
|
|
||||||
#iptables -A INPUT -p ALL -j LOG --log-prefix "JFW IPv4 DROP::"
|
|
||||||
# iptables -A INPUT -p ALL -j DROP
|
# iptables -A INPUT -p ALL -j DROP
|
||||||
|
|
||||||
|
## Default policies for IPv4 ##
|
||||||
## Default policies for IPv4
|
|
||||||
iptables -P INPUT DROP
|
iptables -P INPUT DROP
|
||||||
iptables -P OUTPUT ACCEPT
|
iptables -P OUTPUT ACCEPT
|
||||||
iptables -P FORWARD DROP
|
iptables -P FORWARD DROP
|
||||||
|
@ -89,46 +53,38 @@ iptables -P FORWARD DROP
|
||||||
# IPv6 #
|
# IPv6 #
|
||||||
########
|
########
|
||||||
|
|
||||||
## Loop device
|
##=========== General ===========##
|
||||||
ip6tables -A INPUT -i lo -j ACCEPT
|
ip6tables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT ## Loop device
|
||||||
|
ip6tables -A INPUT -p ipv6-icmp -m conntrack --ctstate NEW -j ACCEPT ## ICMP, e.g. ping
|
||||||
|
ip6tables -A INPUT -p icmpv6 -m conntrack --ctstate NEW -j ACCEPT ## These are required for IPv6
|
||||||
|
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ## Existing and related to outgoing
|
||||||
|
ip6tables -A INPUT -d fe80::/10 -p udp -m conntrack --ctstate NEW -m udp --dport 546 -j ACCEPT ## DHCPv6-client
|
||||||
|
# ip6tables -A INPUT -i enp4s0 -p udp --dport 547 -m conntrack --ctstate NEW -j ACCEPT ## DHCPv6 server
|
||||||
|
|
||||||
## Ping, router advertisements etc
|
##============= NAT ===============##
|
||||||
ip6tables -A INPUT -p icmpv6 -j ACCEPT
|
# ip6tables -A FORWARD -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
# ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
#
|
||||||
|
# NAT may not be desired for IPv6, if the clients on your LAN get
|
||||||
|
# a public IPv6 address from the DHCP server, you may want to leave this
|
||||||
|
# commented
|
||||||
|
# ip6tables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE
|
||||||
|
|
||||||
## established inbound
|
##============ Public =============##
|
||||||
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
# ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
# ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
## MDNS
|
##============= LAN ===============##
|
||||||
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
|
ip6tables -A INPUT -i $LAN_INTERFACE -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
# ip6tables -A INPUT -i enp4s0 -p udp --dport 5353 -j ACCEPT ## MDNS
|
||||||
|
|
||||||
## Wireguard network
|
##=========== Logging =============##
|
||||||
## Replace <PORT> and <WIREGUARD_INTERFACE> and uncomment the following lines
|
# ip6tables -A INPUT -p ALL $JFW_LOG_6
|
||||||
#ip6tables -A INPUT -p udp --dport <PORT> -j ACCEPT
|
|
||||||
#ip6tables -A INPUT -i <WIREGUARD_INTERFACE> -j ACCEPT
|
|
||||||
|
|
||||||
## Logging and dropping other inbound packets
|
|
||||||
## "log lines" may generate too much log entries
|
|
||||||
## uncomment the following lines to enable logging
|
|
||||||
# ip6tables -A INPUT -p ALL -j LOG --log-prefix "JFW IPv6 DROP::"
|
|
||||||
# ip6tables -A INPUT -p ALL -j DROP
|
# ip6tables -A INPUT -p ALL -j DROP
|
||||||
|
|
||||||
## Default policies for IPv6
|
##=== Default policies for IPv6 ===##
|
||||||
ip6tables -P INPUT DROP
|
ip6tables -P INPUT DROP
|
||||||
ip6tables -P OUTPUT ACCEPT
|
ip6tables -P OUTPUT ACCEPT
|
||||||
ip6tables -P FORWARD DROP
|
ip6tables -P FORWARD DROP
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## test-parameter for testing, flushes rules after 60 seconds
|
|
||||||
## reload for resetting temporary changes to those defined in this file
|
|
||||||
if [[ "$1" == "test" ]]; then
|
|
||||||
sleep 60
|
|
||||||
flush
|
|
||||||
echo "Firewall test finished, rules flushed."
|
|
||||||
exit 0
|
|
||||||
elif [[ "$1" == "reload" ]]; then
|
|
||||||
echo "Firewall rules reloaded."
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
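Review bot: Three of the rules this commit leaves uncommented expand a variable that is empty by default — `iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 …`, its ip6tables twin, and `ip6tables -A INPUT -i $LAN_INTERFACE …` — while `PUBLIC_INTERFACE=` and `LAN_INTERFACE=` are assigned nothing at the top of the file. With the unquoted empty expansion `-i` takes the next token (`-p` or `-m`) as the interface name and iptables fails on what follows; because the file is sourced by `jfw load` without error checking, the rule is silently skipped and the final `-P INPUT DROP` still applies, so an admin who has not filled in the variables loses SSH on the public interface with nothing but iptables' stderr to explain it. The IPv4 LAN rule meanwhile hard-codes `enp4s0` instead of using `$LAN_INTERFACE`. A related quoting problem sits in `JFW_LOG_4='-j LOG --log-prefix "[ JFW IPv4 DROP ]"'`: expanded unquoted, the inner double quotes are literal and the prefix word-splits into `"[`, `JFW`, `IPv4`, `DROP`, `]"`, so the logging line fails as soon as it is uncommented; an array, `JFW_LOG_4=(-j LOG --log-prefix '[ JFW IPv4 DROP ]')` used as `"${JFW_LOG_4[@]}"`, passes the prefix as one argument (same for `JFW_LOG_6`).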
|
@ -3,9 +3,9 @@ Description=iptables rules
|
||||||
After=network.target
|
After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=/etc/jfw/jfw.rules
|
ExecStart=/usr/local/sbin/jfw load
|
||||||
ExecStop=/etc/jfw/jfw.rules flush
|
ExecStop=/usr/local/sbin/jfw flush
|
||||||
ExecReload=/etc/jfw/jfw.rules
|
ExecReload=/usr/local/sbin/jfw reload
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
|
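Review bot: `After=network.target` with the default `Type=simple` orders this unit after networking is up and lets `systemctl start` return as soon as `jfw load` has been spawned, so interfaces can be reachable with ACCEPT policies before the rules file finishes, and units ordered after `jfw` cannot rely on the firewall being in place. For a ruleset that should cover the interfaces from the moment they come up, the usual shape is `Type=oneshot` together with `Wants=network-pre.target` and `Before=network-pre.target`, so that `ExecStart` completes before the network is configured; whether `DefaultDependencies=no` is also needed depends on what `jfw load` requires at boot, which this hunk does not show. `RemainAfterExit=yes` stays as it is, since `ExecStop` and `ExecReload` still need an active unit to act on.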
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash
|
#!/bin/bash -e
|
||||||
|
|
||||||
if [[ "$UID" -ne 0 ]]; then
|
if [[ "$UID" -ne 0 ]]; then
|
||||||
echo "This script must be run as root."
|
echo "This script must be run as root."
|
||||||
|
|