Parefeu

firewall.sh

#!/bin/sh
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin":$PATH
#echo $PATH
INPUT_PORTS="22,21,20,80,443,3306,8006"
FORWARD_PORTS="3306,80,443,8080"
cd /sbin/
echo "[IpTables] Reset..."
sleep 1
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
ip6tables -F
ip6tables -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
iptables  -P INPUT DROP
ip6tables -P INPUT DROP
iptables  -P FORWARD DROP
ip6tables -P FORWARD DROP
iptables  -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
echo "[IpTables] Règles i/o et forwarding mise en place !"
#China ?
#iptables -A INPUT -s 91.224.160.203 -j REJECT
#China ?
#iptables -A INPUT -s 58.218.211.48 -j REJECT
#Jamelot
#iptables -A INPUT -s 78.221.148.52 -j REJECT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  -m comment --comment "Autoriser les connections INPUT  ESTABLISHED,RELATED"
#				Codeanywhere
iptables -A INPUT -s 54.69.152.243 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 54.186.244.104 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 54.187.136.143 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 54.187.142.118 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 54.187.182.165 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 54.187.44.75 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 54.191.40.18 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 51.141.5.180 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 52.161.27.120 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 65.52.184.164 -j ACCEPT -m comment --comment "Codeanywhere"
iptables -A INPUT -s 52.174.152.0/24 -j ACCEPT -m comment --comment "Codeanywhere"
#				CloudFlare
iptables -A INPUT -s 103.21.244.0/22 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 103.22.200.0/22 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 103.31.4.0/22 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 104.16.0.0/12 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 108.162.192.0/18 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 131.0.72.0/22 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 141.101.64.0/18 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 162.158.0.0/15 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 172.64.0.0/13 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 173.245.48.0/20 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 188.114.96.0/20 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 190.93.240.0/20 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 197.234.240.0/22 -j ACCEPT -m comment --comment "CloudFlare"
iptables -A INPUT -s 198.41.128.0/17 -j ACCEPT -m comment --comment "CloudFlare"


iptables  -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Autoriser les connections SSH"
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "Autoriser les connections SSH"
iptables  -A INPUT -p tcp --dport 3389 -j ACCEPT -m comment --comment "Autoriser les connections OpenVpn"
iptables  -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT  -m comment --comment "Autoriser les connections INPUT  ESTABLISHED,RELATED"
#iptables  -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT  -m comment --comment "Autoriser les connections FORWARD  ESTABLISHED,RELATED"
#ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT  -m comment --comment "Autoriser les connections FORWARD  ESTABLISHED,RELATED"
echo "[IpTables] Règles de base appliquées !"
iptables  -A INPUT -p tcp -m multiport --dports $INPUT_PORTS -j ACCEPT -m comment --comment "TCP INPUT_PORTS"
iptables  -A INPUT -p udp -m multiport --dports $INPUT_PORTS -j ACCEPT -m comment --comment "UDP INPUT_PORTS"
ip6tables -A INPUT -p tcp -m multiport --dports $INPUT_PORTS -j ACCEPT
ip6tables -A INPUT -p udp -m multiport --dports $INPUT_PORTS -j ACCEPT
echo "[IpTables] Règles i/o des ports des services appliquée !!"

iptables  -A INPUT -s 192.168.2.0/24 -p icmp -j ACCEPT -m comment --comment "[ICMP] 192.168.2.0/24"
iptables  -A INPUT -s 172.17.0.0/16 -p icmp -j ACCEPT -m comment --comment "[ICMP] 172.17.0.0/16"
iptables  -A INPUT -s 62.210.204.211 -p icmp -j ACCEPT -m comment --comment "[ICMP] Free-Reseau"
iptables  -A INPUT -p icmp -j DROP -m comment --comment "[ICMP] DROP"

ip6tables -A INPUT -s fe80::/64 -p icmpv6 -j ACCEPT -m comment --comment "[ICMP] fe80::/64"
ip6tables -A INPUT -j DROP -m comment --comment "[ICMP] DROP"
echo "[IpTables] Autoriser IMCP [OK]";
iptables  -A INPUT   -s 172.17.0.0/24       -j ACCEPT  -m comment --comment "Autoriser les connections INPUT  172.17.0.0/24"
iptables  -A INPUT   -s 192.168.2.0/24      -j ACCEPT  -m comment --comment "Autoriser les connections INPUT  192.168.2.0/24"
ip6tables -A INPUT   -s fe80::/64           -j ACCEPT  -m comment --comment "Autoriser les connections INPUT  fe80::/64"

create_block() {
ii=$1
oo=$2
ipr=$3
cn=$4
#Create chain
iptables -N $cn
#Allow internal interaction within $ii
iptables -I FORWARD -i $ii -o $ii -s $ipr -d $ipr -j $cn -m comment --comment "Accept FORWARD $ii > $ii"
#Allow forward OUT
iptables -I FORWARD -i $ii -o $oo -s $ipr -j $cn -m comment --comment "Accept FORWARD $ii > $oo"
#Allow forward back IN
iptables -I FORWARD -i $oo -o $ii -d $ipr -j $cn -m comment --comment "Accept FORWARD $oo > $ii"
#Allow trafic IN
iptables -A $cn -d $ipr -j ACCEPT  -m comment --comment "IN : ALL $cn"
#Allow trafic OUT
iptables -A $cn -s $ipr -j ACCEPT  -m comment --comment "OUT : ALL $cn"
#Can maybe add -o $oo
iptables  -t nat -A POSTROUTING -s $ipr ! -d $ipr -j MASQUERADE -m comment --comment "POSTROUTING nat $cn"
#Default reject (useless ?)
iptables -A $cn -j REJECT


echo "[IpTables] $cn [OK]"
}



#
# OPENVPN & DOCKER rules
#


ii="docker0"
ooe="`netstat -ie | grep -B1 '192.168.2.20' | head -n1 | cut -d':' -f1`"
ipr="172.17.0.0/16"
cn="DOCKER"

create_block $ii $ooe $ipr $cn

ii="`netstat -ie | grep -B1 '10.0.0.1' | head -n1 | cut -d':' -f1`"
ipr="10.0.0.0/8"
cn="OPENVPN"

create_block $ii $ooe $ipr $cn

#
# Logging FORWARD DROP packets
#

#iptables -N LOGGING
#iptables -A FORWARD -j LOGGING
#iptables -A LOGGING -j LOG --log-prefix "[IpTables] Dropped : " --log-level 4
#iptables -A LOGGING -j DROP

if [ -f /etc/network/iptables.up.rules ]; then
mv /etc/network/iptables.up.rules /etc/network/iptables.up.rules.old
fi
if [ -f /etc/network/ip6tables.up.rules ]; then
mv /etc/network/ip6tables.up.rules /etc/network/ip6tables.up.rules.old
fi
iptables-save > /etc/network/iptables.up.rules
echo "[IpTables] Save [OK]";
iptables-restore < /etc/network/iptables.up.rules
echo "[IpTables] Restore [OK]";
ip6tables-save > /etc/network/ip6tables.up.rules
echo "[Ip6Tables] Save [OK]";
ip6tables-restore < /etc/network/ip6tables.up.rules
echo "[Ip6Tables] Restore [OK]";
if [ -f /etc/network/iptables.up.rules ]; then
rm /etc/network/iptables.up.rules.old
fi
if [ -f /etc/network/ip6tables.up.rules ]; then
rm /etc/network/ip6tables.up.rules.old
fi
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "[IpTables] Activation du routage: [OK]"
exit 0