jarno
/
jfw
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
jfw/jfw.rules

135 lines
3.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
PATH="/usr/sbin:/sbin:/usr/bin:/bin"
flush() {
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -F -t nat
ip6tables -F -t mangle
}
if [[ "$1" == "flush" ]]; then
flush
echo "Firewall rules flushed."
exit 0
elif [[ "$1" == "edit" ]]; then
sudoedit /etc/jfw/jfw.rules && systemctl reload jfw.service
echo "Firewall rules updated."
exit 0
elif [[ "$1" == "logs" ]]; then
dmesg -T | grep JFW
exit 0
elif [[ "$1" == "list" ]]; then
echo "********** IPv4 **********"
iptables -S -v
echo "********** IPv6 **********"
ip6tables -S -v
exit 0
fi
flush
#########
# IPv4 #
#########
## Loop device
iptables -A INPUT -i lo -j ACCEPT
## Ping, router advertisements etc
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
## established inbound
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
## MDNS
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
## Wireguard network
## Replace <PORT> AND <INTERFACE>
#iptables -A INPUT -p udp --dport <PORT> -j ACCEPT
#iptables -A INPUT -i <WIREGUARD_INTERFACE> -j ACCEPT
## SSH access
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
## Logging and dropping other inbound packets
## "log lines" may generate too much log entries
## uncomment the following lines to enable logging
#iptables -A INPUT -p ALL -j LOG --log-prefix "JFW IPv4 DROP::"
#iptables -A INPUT -p ALL -j DROP
## Default policies for IPv4
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
########
# IPv6 #
########
## Loop device
ip6tables -A INPUT -i lo -j ACCEPT
## Ping, router advertisements etc
ip6tables -A INPUT -p icmpv6 -j ACCEPT
## established inbound
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
## MDNS
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
## Wireguard network
## Replace <PORT> and <WIREGUARD_INTERFACE> and uncomment the following lines
#ip6tables -A INPUT -p udp --dport <PORT> -j ACCEPT
#ip6tables -A INPUT -i <WIREGUARD_INTERFACE> -j ACCEPT
## Logging and dropping other inbound packets
## "log lines" may generate too much log entries
## uncomment the following lines to enable logging
# ip6tables -A INPUT -p ALL -j LOG --log-prefix "JFW IPv6 DROP::"
# ip6tables -A INPUT -p ALL -j DROP
## Default policies for IPv6
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
## test-parameter for testing, flushes rules after 60 seconds
## reload for resetting temporary changes to those defined in this file
if [[ "$1" == "test" ]]; then
sleep 60
flush
echo "Firewall test finished, rules flushed."
exit 0
elif [[ "$1" == "reload" ]]; then
echo "Firewall rules reloaded."
exit 0
fi
Reference in New Issue View Git Blame Copy Permalink