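#!/usr/bin/env sh
# setup-firewall.sh
#
# Resets the IPv4 and IPv6 filter tables, re-adds the baseline allow rules
# (loopback, ICMP, RELATED/ESTABLISHED, SSH), opens a fixed set of inbound
# service ports, sets the INPUT policy to DROP on both tables, persists the
# rule sets under /etc/iptables/, and finally installs the CrowdSec firewall
# bouncer via the packagecloud repository script.
#
# Requires: sudo, iptables/ip6tables (+ *-save), curl, apt-get (Debian-based).
# apt-get is invoked without -y, so run this interactively.
#
# POSIX sh strict subset: stop on the first failing command and on any unset
# variable. `pipefail` is not portable to /bin/sh, so the two pipelines below
# are only checked on their last stage.
set -eu

# Clean up.
# Open the policies *before* flushing so that an interactive session (e.g. SSH)
# cannot be cut off between the flush and the re-add of the allow rules.
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo ip6tables -P INPUT ACCEPT
sudo ip6tables -P OUTPUT ACCEPT
sudo iptables -F INPUT
sudo iptables -F OUTPUT
sudo ip6tables -F INPUT
sudo ip6tables -F OUTPUT

# Reiterate default rules.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -A OUTPUT -o lo -j ACCEPT
# ICMP must stay open on IPv6: neighbour discovery and path MTU discovery
# run over ipv6-icmp, and a DROP policy without this rule breaks v6 entirely.
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A OUTPUT -p icmp -j ACCEPT
sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
sudo ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH is admitted before the policy flips to DROP below.
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Add firewall rules and set policy.
# Inbound listeners opened on both address families. 53 and 853 carry the
# standard DNS / DNS-over-TLS assignments; 80/443 HTTP(S). 9001 and 51820 are
# not identified on this page — presumably a Tor ORPort and WireGuard; verify
# against the services actually listening on this host. NOTE(review):
# WireGuard listens on UDP, so if 51820 is meant for it the TCP-only rule
# below would not admit that traffic — confirm.
sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 853 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 853 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 51820 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo ip6tables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 853 -j ACCEPT
sudo ip6tables -A INPUT -p udp -m udp --dport 853 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 51820 -j ACCEPT
# Default-deny inbound on BOTH tables. The original set ip6tables twice and
# never iptables, which left the IPv4 INPUT policy at ACCEPT after the reset
# above — i.e. the allow list had no effect on IPv4.
sudo iptables -P INPUT DROP
sudo ip6tables -P INPUT DROP

# Persist. The target directory only exists once iptables-persistent (or
# similar) is installed, so create it rather than fail on a fresh host.
sudo mkdir -p /etc/iptables
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6

# Crowdsec (see https://www.smarthomebeginner.com/crowdsec-docker-compose-1-fw-bouncer/)
# NOTE(review): this fetches a remote script and runs it as root. -f makes curl
# fail on an HTTP error instead of piping an error page into bash, and -S
# still reports transport errors despite -s. Prefer downloading to a temp file,
# reviewing/verifying it, and running it in a separate step.
curl -fsSL https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt-get install syslog-ng crowdsec-firewall-bouncer-iptables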