#!/bin/bash
# pi-ap: These scripts configure a Raspberry Pi into a wireless Access Point
# Source: https://github.com/f1linux/pi-ap
# Version: 01.10.02
# License: GPL 3.0
# Script Author: Terrence Houlahan Linux & Network Engineer
# Contact: [email protected]
# Linkedin: www.linkedin.com/in/terrencehoulahan
# Do not edit below sources
source "${BASH_SOURCE%/*}/variables.sh"
source "${BASH_SOURCE%/*}/functions.sh"
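# Below variables can be used to specify the subnetting of the eth0 interface in UFW rules or elsewhere.
# They are derived from the first IPv4 address on eth0. `ip -4 -o addr show dev eth0` prints exactly one
# address per line with the CIDR in field 4, which replaces grepping the whole `ip addr` dump for the
# substring "eth0" (that also matched names such as "veth0" and relied on the inet line being the second hit).
_IPV4CIDRETH0="$(ip -4 -o addr show dev eth0 2>/dev/null | awk 'NR==1 {print $4}')"
IPV4IPETH0="${_IPV4CIDRETH0%%/*}"
IPV4SUBNETMASKETH0="${_IPV4CIDRETH0##*/}"

# Network address of an IPv4 address/prefix pair, computed with shell arithmetic so the result no longer
# depends on sipcalc being installed or on "Network address" sitting on line 7 of its output.
# Args: $1 dotted-quad address, $2 prefix length 0-32. Prints the dotted-quad network address.
ipv4_network_address() {
  local addr="$1" prefix="$2"
  local o1 o2 o3 o4 host mask net
  IFS=. read -r o1 o2 o3 o4 <<<"$addr"
  host=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
  # Shell arithmetic is 64-bit: mask the shifted value back down to 32 bits (prefix 0 -> 0, prefix 32 -> all ones)
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  net=$(( host & mask ))
  printf '%d.%d.%d.%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) $(( (net >> 8) & 255 )) $(( net & 255 ))
}

if [[ -n "$IPV4IPETH0" && "$IPV4SUBNETMASKETH0" =~ ^[0-9]+$ ]]; then
  IPV4SUBNETETH0="$(ipv4_network_address "$IPV4IPETH0" "$IPV4SUBNETMASKETH0")/$IPV4SUBNETMASKETH0"
else
  # No IPv4 address on eth0 (or no eth0 at all): leave the subnet empty instead of the bare "/" the old
  # pipeline produced, and say so, since any rule built from it would be malformed.
  IPV4SUBNETETH0=""
  printf 'WARNING: no IPv4 address found on eth0; IPV4SUBNETETH0 is empty\n' >&2
fi
# ie: the following gives you the eth0 subnet in CIDR form if you source this file:
# $IPV4SUBNETETH0   (it is already "network/prefix" - do not append /$IPV4SUBNETMASKETH0 a second time)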
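# Enable Forwarding between the eth0 and wlan0 Interfaces.
# ufw reads /etc/ufw/sysctl.conf itself when it (re)loads (IPT_SYSCTL in /etc/default/ufw), so
# uncommenting the entry here is sufficient; no separate sysctl -p is needed.
sed -i "s|#net/ipv4/ip_forward=1|net/ipv4/ip_forward=1|" /etc/ufw/sysctl.conf
# The sed above is silent when the expected commented-out line is absent (hand-edited file, different
# ufw build), which would leave routing between the interfaces broken with no hint why. Verify the result.
if ! grep -q '^net/ipv4/ip_forward=1' /etc/ufw/sysctl.conf 2>/dev/null; then
  printf 'WARNING: net/ipv4/ip_forward=1 is not set in /etc/ufw/sysctl.conf; forwarding between eth0 and wlan0 will not work\n' >&2
fi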
#
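# Port-forwarding DNS queries to systemd-resolved. Apparently designed to not be exposed to external hosts:
# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback
# Append NAT table to bottom of /etc/ufw/before.rules
# Masquerading happens here.
#
# INTERFACEMASQUERADED is expected from variables.sh. If it were empty the rule would be written as
# "-o -j MASQUERADE"; iptables-restore then rejects before.rules as a whole and ufw fails to start.
# Abort before touching the file (":?" exits the script even though set -e is not in effect).
: "${INTERFACEMASQUERADED:?INTERFACEMASQUERADED is not set (expected from variables.sh)}"
# Every run used to append another "*nat" block. A stock before.rules carries no nat table, so an
# existing "*nat" line means this block was already added; skip it rather than duplicate it.
# (If INTERFACEMASQUERADED changes later, the old block has to be removed by hand.)
if ! grep -q '^\*nat$' /etc/ufw/before.rules 2>/dev/null; then
  {
    echo "*nat"
    #echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo "-F"
    #echo "-A PREROUTING -p udp -i wlan0 -d $(echo $IPV4IPWLAN0|cut -d '/' -f1) --dport 53 -j DNAT --to-destination 127.0.0.1:5353"
    #echo "-A PREROUTING -p udp -i wlan0 -d $IPV4IPETH0 --dport 53 -j DNAT --to-destination 127.0.0.1:5353"
    # NOTE(review): "-s 0.0.0.0/0" masquerades traffic from every source, not only from AP clients.
    # If the wlan0 client subnet is known (variables.sh), narrow this to "-s <client-subnet>" so only
    # that traffic is NATed out of $INTERFACEMASQUERADED.
    echo "-A POSTROUTING -s 0.0.0.0/0 -o $INTERFACEMASQUERADED -j MASQUERADE"
    echo "COMMIT"
  } >> /etc/ufw/before.rules
fi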
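# Replace ufw's user rules wholesale. The file is overwritten in place instead of being rm'd and
# re-created: truncating keeps the existing inode's owner and mode (ufw keeps its rules files
# root-only readable, typically 0640), whereas a fresh file would get whatever the umask allows.
# The chmod afterwards covers the first run, when the file may not exist yet. The heredoc delimiter is
# quoted because the body contains no shell variables; quoting guarantees nothing in it is ever
# expanded or backslash-processed by the shell.
#
# Review notes on the rule set below (the rules themselves are unchanged):
#  * 22/tcp is accepted from 0.0.0.0/0 on every interface, i.e. from AP clients on wlan0 as well as
#    from eth0, and nothing jumps to the ufw-user-limit chain defined at the bottom, so SSH has no
#    rate limiting. 22/udp serves nothing (SSH is TCP-only) and could be dropped.
#  * The "-i eth0 -o wlan0" forward rules accept NEW connections from the upstream side into AP clients
#    on 80/443/53. Replies to client-initiated traffic are normally covered by ufw's RELATED,ESTABLISHED
#    rule in before.rules, so these only matter if something upstream can route to the client subnet.
#  * The client-side rules hardcode 192.168.0.0/28; keep that in step with the wlan0 subnet configured
#    elsewhere in pi-ap.
cat <<'EOF' > /etc/ufw/user.rules
#
# PLEASE NOTE: These FW rules are restored by script on every reboot
#
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT
### tuple ### allow any 53 0.0.0.0/0 any 0.0.0.0/0 DNS - out
-A ufw-user-output -p tcp --dport 53 -j ACCEPT -m comment --comment 'dapp_DNS'
-A ufw-user-output -p udp --dport 53 -j ACCEPT -m comment --comment 'dapp_DNS'
### tuple ### allow udp 123 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p udp --dport 123 -j ACCEPT
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p tcp --dport 443 -j ACCEPT
### tuple ### allow tcp 67:68 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp -m multiport --dports 67:68 -j ACCEPT
### tuple ### allow udp 67 0.0.0.0/0 68 0.0.0.0/0 in
-A ufw-user-input -p udp --dport 67 --sport 68 -j ACCEPT
### tuple ### allow udp 68 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p udp --dport 68 -j ACCEPT
### tuple ### allow udp 53 0.0.0.0/0 any 192.168.0.0/28 in
-A ufw-user-input -p udp --dport 53 -s 192.168.0.0/28 -j ACCEPT
### tuple ### allow tcp 53 0.0.0.0/0 any 192.168.0.0/28 in
-A ufw-user-input -p tcp --dport 53 -s 192.168.0.0/28 -j ACCEPT
### tuple ### allow tcp 80 0.0.0.0/0 any 192.168.0.0/28 in
-A ufw-user-input -p tcp --dport 80 -s 192.168.0.0/28 -j ACCEPT
### tuple ### allow tcp 443 0.0.0.0/0 any 192.168.0.0/28 in
-A ufw-user-input -p tcp --dport 443 -s 192.168.0.0/28 -j ACCEPT
### tuple ### allow udp 5353 0.0.0.0/0 any 192.168.0.0/28 in
-A ufw-user-input -p udp --dport 5353 -s 192.168.0.0/28 -j ACCEPT
### tuple ### route:allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in_eth0!out_wlan0
-A ufw-user-forward -i eth0 -o wlan0 -p tcp --dport 80 -j ACCEPT
### tuple ### route:allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in_wlan0!out_eth0
-A ufw-user-forward -i wlan0 -o eth0 -p tcp --dport 80 -j ACCEPT
### tuple ### route:allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in_eth0!out_wlan0
-A ufw-user-forward -i eth0 -o wlan0 -p tcp --dport 443 -j ACCEPT
### tuple ### route:allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in_wlan0!out_eth0
-A ufw-user-forward -i wlan0 -o eth0 -p tcp --dport 443 -j ACCEPT
### tuple ### route:allow tcp 53 0.0.0.0/0 any 0.0.0.0/0 in_eth0!out_wlan0
-A ufw-user-forward -i eth0 -o wlan0 -p tcp --dport 53 -j ACCEPT
### tuple ### route:allow tcp 53 0.0.0.0/0 any 0.0.0.0/0 in_wlan0!out_eth0
-A ufw-user-forward -i wlan0 -o eth0 -p tcp --dport 53 -j ACCEPT
### tuple ### route:allow udp 53 0.0.0.0/0 any 0.0.0.0/0 in_eth0!out_wlan0
-A ufw-user-forward -i eth0 -o wlan0 -p udp --dport 53 -j ACCEPT
### tuple ### route:allow udp 53 0.0.0.0/0 any 0.0.0.0/0 in_wlan0!out_eth0
-A ufw-user-forward -i wlan0 -o eth0 -p udp --dport 53 -j ACCEPT
### END RULES ###
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
EOF
# Keep the rules file root-only readable like the rest of /etc/ufw (matters on a first run, when the
# file was just created under the current umask).
chmod 0640 /etc/ufw/user.rules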